Date: Wed, 6 May 2015 13:12:00 +0000 (UTC)
From: "Rakesh R (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-8112) Enforce authorization policy to protect administration operations for EC zone and schemas

    [ https://issues.apache.org/jira/browse/HDFS-8112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14530515#comment-14530515 ]

Rakesh R commented on HDFS-8112:
--------------------------------

Thank you [~zhangyongxyz] for the comments and bringing up the use case. IIUC you are saying ErasureCoding APIs can check user permission against the ACLs of the FSDirectory. Also, we can define the File system actions (r, w, etc.) as per EC operations.

When raising this jira, [~drankye]'s idea is to enforce protection policy at the protocol layer [Hadoop Service Level Authorization|https://hadoop.apache.org/docs/r2.7.0/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html], which ensures only privileged users/admins are able to perform the operations. Initially we thought all DFS commands for EC should be in client protocol for this discussion. But on second thought, there may come new APIs in other protocols as well. So we have decided to take up this jira later (could leave for other issues or discussions), and that is the reason I didn't give much focus to this jira. I could see today you have raised HDFS-8333 to discuss the Create EC zone API user privileges. Probably we could listen to the thoughts from others and take up this task accordingly.

> Enforce authorization policy to protect administration operations for EC zone and schemas
> -----------------------------------------------------------------------------------------
>
>                 Key: HDFS-8112
>                 URL: https://issues.apache.org/jira/browse/HDFS-8112
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Kai Zheng
>            Assignee: Rakesh R
>
> We should allow to enforce authorization policy to protect administration operations for EC zone and schemas as such behaviors would impact too much for a system.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)