hadoop-hdfs-issues mailing list archives

From "Jitendra Nath Pandey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions
Date Mon, 23 Mar 2015 19:18:53 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14376429#comment-14376429 ]

Jitendra Nath Pandey commented on HDFS-6826:

Thanks for the quick turnaround, [~asuresh].
The latest patch looks pretty good and works for us.
I want to point out that the API 
{{public AccessControlEnforcer getExternalAccessControlEnforcer(AccessControlEnforcer defaultEnforcer)}}
assumes a one-to-one mapping between the external enforcer and the default enforcer. The {{FSPermissionChecker}}
is the default enforcer in this case, which is instantiated for every request; therefore there
is an implicit assumption that the callerUgi in the {{checkPermission}} API is the same as the
callerUgi used to create the {{FSPermissionChecker}} that was passed as the default enforcer.
Therefore, I would prefer passing the default enforcer to the {{AccessControlEnforcer#checkPermission}}
API as I mentioned in my previous comment, and not pass it to the {{getExternalAccessControlEnforcer}}.

However, I will still be OK if you prefer to stick to the model of one-to-one mapping between
default enforcer object and external enforcer object, where both are tied to the specific
file system request.
Please update with your call on the above. 

+1 pending the decision on the above.

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, HDFS-6826-permchecker.patch,
> HDFS-6826.10.patch, HDFS-6826.11.patch, HDFS-6826.12.patch, HDFS-6826.13.patch, HDFS-6826.14.patch,
> HDFS-6826.15.patch, HDFS-6826.16.patch, HDFS-6826v3.patch, HDFS-6826v4.patch, HDFS-6826v5.patch,
> HDFS-6826v6.patch, HDFS-6826v7.1.patch, HDFS-6826v7.2.patch, HDFS-6826v7.3.patch, HDFS-6826v7.4.patch,
> HDFS-6826v7.5.patch, HDFS-6826v7.6.patch, HDFS-6826v7.patch, HDFS-6826v8.patch, HDFS-6826v9.patch,
> HDFSPluggableAuthorizationProposal-v2.pdf, HDFSPluggableAuthorizationProposal.pdf
>
> When HBase data, HiveMetaStore data or Search data is accessed via services (HBase region
> servers, HiveServer2, Impala, Solr) the services can enforce permissions on corresponding
> entities (databases, tables, views, columns, search collections, documents). It is desirable,
> when the data is accessed directly by users accessing the underlying data files (i.e. from
> a MapReduce job), that the permission of the data files map to the permissions of the corresponding
> data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode to delegate
> authorization to an external system that can map HDFS files/directories to data entities and
> resolve their permissions based on the data entities' permissions.
> I’ll be posting a design proposal in the next few days.

This message was sent by Atlassian JIRA
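
A simplified model of the two API shapes discussed in the comment above, added here as an illustration; it is not code from the HDFS-6826 patches or from Hadoop. Only `AccessControlEnforcer`, `getExternalAccessControlEnforcer`, `checkPermission`, `FSPermissionChecker` and `callerUgi` come from the message; the two-argument signatures, `DefaultChecker`, `BoundPlugin`, `PerCallEnforcer`, the path and the user names are assumptions made for the example.

```java
import java.util.Map;

// Simplified model, NOT Hadoop code: signatures are reduced to (callerUgi, path).
public class EnforcerBindingDemo {
    interface AccessControlEnforcer {
        boolean checkPermission(String callerUgi, String path);
    }

    // Stand-in for FSPermissionChecker: built per request, remembers its caller.
    static class DefaultChecker implements AccessControlEnforcer {
        private static final Map<String, String> OWNER = Map.of("/data/alice", "alice"); // constructed
        private final String boundUgi;
        DefaultChecker(String ugi) { this.boundUgi = ugi; }
        public boolean checkPermission(String callerUgi, String path) {
            // Assumption of this model: the decision uses the bound caller, not the argument.
            return boundUgi.equals(OWNER.get(path));
        }
    }

    // Model A: the default enforcer is handed over once, when the external enforcer is created.
    static class BoundPlugin implements AccessControlEnforcer {
        private final AccessControlEnforcer defaultEnforcer;
        BoundPlugin(AccessControlEnforcer d) { this.defaultEnforcer = d; }
        public boolean checkPermission(String callerUgi, String path) {
            return defaultEnforcer.checkPermission(callerUgi, path); // fall back to the default
        }
    }
    static AccessControlEnforcer getExternalAccessControlEnforcer(AccessControlEnforcer d) {
        return new BoundPlugin(d);
    }

    // Model B (hypothetical signature): the default enforcer is passed on every check.
    interface PerCallEnforcer {
        boolean checkPermission(String callerUgi, String path, AccessControlEnforcer defaultEnforcer);
    }
    static final PerCallEnforcer PER_CALL = (ugi, path, def) -> def.checkPermission(ugi, path);

    public static void main(String[] args) {
        String path = "/data/alice";
        // Model A with one external enforcer per request: each decision matches its caller.
        AccessControlEnforcer forAlice = getExternalAccessControlEnforcer(new DefaultChecker("alice"));
        AccessControlEnforcer forBob = getExternalAccessControlEnforcer(new DefaultChecker("bob"));
        System.out.println("A, alice on own enforcer: " + forAlice.checkPermission("alice", path));
        System.out.println("A, bob on own enforcer:   " + forBob.checkPermission("bob", path));
        // Model A with the one-to-one mapping broken: bob's check is decided as alice.
        System.out.println("A, bob on alice's enforcer: " + forAlice.checkPermission("bob", path));
        // Model B: the default enforcer supplied with the call belongs to the current request.
        System.out.println("B, bob: " + PER_CALL.checkPermission("bob", path, new DefaultChecker("bob")));
    }
}
```

In the third call the `callerUgi` argument and the identity bound inside the default enforcer disagree, which is the implicit assumption the comment asks to make explicit.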
