hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions
Date Wed, 20 Aug 2014 17:38:28 GMT

     [ https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Alejandro Abdelnur updated HDFS-6826:
-------------------------------------

    Attachment: HDFS-6826v6.patch

uploading v6 patch:

* add snapshot lifecycle methods and wires them to the SnapshotManager
* it fixes how permissions are handled to be consistent with the other methods (receiving
snapshotId on get)
* fixes setters of user/group which were not properly wired
* some classes/params/vars renaming for consistency

Trying to answer on how an external plugin would handle snapshot info:

A plugin willing to handle snapshot information would have to have a storage with versioned
authorization information.  

Leveraging the global monotonic characteristics of snapshot IDs. If the provided snapshotId
is CURRENT_STATE_ID, the latest version of authorization information must be returned. If
the provided snaphotId is not CURRENT_STATE_ID, then the latest-no-greater-than snapshotId
version of the authorization information must be provided. 

The setSnapshotableDirs method is call as NN startup to inform the plugin of the current snapshotable
directories and their latest snapshot. This allows a plugin to initialize its storage accordingly
(in case it was just being setup) or resync if necessary.

The create/remove snapshotableDir methods, allow the plugin to setup and cleanup any necessary
information regarding a directory being snapshotable.

The create/remove snapshot methods, allow the plugin to tag/version and cleanup any necessary
information regarding a snapshot being created or removed.


> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, HDFS-6826v3.patch,
HDFS-6826v4.patch, HDFS-6826v5.patch, HDFS-6826v6.patch, HDFSPluggableAuthorizationProposal-v2.pdf,
HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services (Hbase region
servers, HiveServer2, Impala, Solr) the services can enforce permissions on corresponding
entities (databases, tables, views, columns, search collections, documents). It is desirable,
when the data is accessed directly by users accessing the underlying data files (i.e. from
a MapReduce job), that the permission of the data files map to the permissions of the corresponding
data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode to delegate
authorization to an external system that can map HDFS files/directories to data entities and
resolve their permissions based on the data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message