[ https://issues.apache.org/jira/browse/HADOOP-1701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12520340 ]

Christophe Taton commented on HADOOP-1701:
------------------------------------------

Some answers:
2) To keep the changes small, we do not implement groups for now (owner + 
others only)
3) I'll have a look at this. One concern during the design of this has been to 
provide an extensible infrastructure for authentication and authorization, with 
a first attempt to provide simplified POSIX permissions. Providing new/other 
authorization mechanisms is (to my mind) very easy with the given 
infrastructure (you have to extend the HFilePermission class that will be 
attached to INodes and to write your own Policy provider).
4) When upgrading from a previous HDFS without permissions, the default is that 
files are owned by root and their permissions are rwx---rwx.
Moreover, all entities (e.g. Fsck, JSP pages) will run as root in a first step.
There are get/setPermissions() operations that use POSIXFilePermissions 
parameters (contains the owner id and the file mode).
The sticky bit is also not implemented yet (this is a functionality I really 
need though).


> Provide a simple authentication service and a user management service
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-1701
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1701
>             Project: Hadoop
>          Issue Type: New Feature
>            Reporter: Tsz Wo (Nicholas), SZE
>            Assignee: Tsz Wo (Nicholas), SZE
>         Attachments: 1701_20070815.patch, users.txt
>
>
> In HADOOP-1298, we want to add user information and permission to the file 
> system.  It requires an authentication service and a user management service. 
>  We should provide a framework and a simple implementation in this issue and 
> extend it later.  As discussed in HADOOP-1298, the framework should be 
> extensible and pluggable.
> - Extensible: possible to extend the framework to the other parts (e.g. 
> map-reduce) of Hadoop.
> - Pluggable: can easily switch security implementations.  Below is a diagram 
> borrowed from Java.
> !http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!
> - Implement a Hadoop authentication center (HAC).  In the first step, the 
> mechanism of HAC is very simple: it keeps track of a list of usernames (we only 
> support users, will work on other principals later) in HAC and verifies the 
> username in user login (yeah, no password).  HAC can run inside NameNode or 
> run as a standalone server.   We will probably use Kerberos to provide more 
> sophisticated authentication service.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
