Abhay Kulkarni created RANGER-4817:
--------------------------------------
Summary: Optimize Ranger HDFS Authorization by combining multiple authorization calls
Key: RANGER-4817
URL: https://issues.apache.org/jira/browse/RANGER-4817
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Abhay Kulkarni

The focus of the optimizations described below is to minimize the number of times the Ranger policy engine is called to authorize a NameNode RPC, without modifying the NameNode authorization interface or authorization call sequence.

This optimization is possible because the NameNode calls the authorizer more than once to authorize some RPCs, as observed during testing. To ensure that the authorizer is provided a consistent context to represent an RPC, some improvements are needed in the NameNode. The related NameNode JIRAs are:

HDFS-17478: Avoid creation of AccessControlEnforcer object for every call to the authorizer
HDFS-17500: Provide operation name consistently in the caller-context provided to checkPermissionWithContext() API

The Ranger authorizer is updated to leverage this context to optimize authorization calls for the RPC. In particular, the authorization logic of the following RPC operations is updated.

List of operations with optimized authorization checks:
1. Create file: operation name “create”
2. Rename file: operation name “rename”
3. Delete file: operation name “delete”
4. Create directory: operation name “mkdirs”
5. List directory contents: operation name “listStatus”
6. Rename directory: operation name “rename”
7. Delete directory: operation name “delete”
8. Get Encryption Zone for a directory: operation name “getEZForPath”