hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rakesh R (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-8112) Enforce authorization policy to protect administration operations for EC zone and schemas
Date Wed, 06 May 2015 13:12:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-8112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14530515#comment-14530515
] 

Rakesh R commented on HDFS-8112:
--------------------------------

Thank you [~zhangyongxyz] for the comments and bringing up the use case.

IIUC you are saying ErasureCoding APIs can check user permission against the ACLs of the FSDirectory.
Also, we can define the File system actions(r, w, etc) as per EC operations. When raising
this jira [~drankye]'s idea is to enforce protection policy at the protocol layer [Hadoop
Service Level Authorization|https://hadoop.apache.org/docs/r2.7.0/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html]
which ensures only privileged users/admins to be able to perform the operations. Initially
we thought all DFS commands for EC should be in client protocol for this discussion. But on
a second thought, there may come new APIs in other protocol as well. So we have decided to
take up this jira later(could leave for other issues or discussions) and is the reason I didn't
give much focus on this jira. I could see today you have raised HDFS-8333 to discuss the Create
EC zone API user privileges. Probably we could listen the thoughts from others and take up
this task accordingly.

> Enforce authorization policy to protect administration operations for EC zone and schemas
> -----------------------------------------------------------------------------------------
>
>                 Key: HDFS-8112
>                 URL: https://issues.apache.org/jira/browse/HDFS-8112
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Kai Zheng
>            Assignee: Rakesh R
>
> We should allow to enforce authorization policy to protect administration operations
for EC zone and schemas as such behaviors would impact too much for a system.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message