Erik.fang created HDFS-5126:
-------------------------------

             Summary: implement authorized HDFS user impersonation
                 Key: HDFS-5126
                 URL: https://issues.apache.org/jira/browse/HDFS-5126
             Project: Hadoop HDFS
          Issue Type: New Feature
          Components: security
            Reporter: Erik.fang
            Priority: Minor


I propose an authorized user impersonation mechanism for fine-grained (path-level) 
access control in HDFS.
In short, the owner of the data encrypts the path with a shared secret, and other users 
use the encrypted path to call the namenode service (create/read/delete file). 
The namenode decrypts the path to validate the access and executes the operation as 
the owner of the data if valid. It consists of:
1. an ACLFileSystem that extends DistributedFileSystem, which wraps the 
create/open/delete/etc. RPC calls and sends the encrypted path to the namenode
2. an authenticator (embedded in the namenode), which decrypts the path and executes the 
call as the owner of the data

With authorized user impersonation, we can develop an authorization manager to 
check whether a path-level access is permitted.
A detailed explanation can be found on the mailing list:
http://mail-archives.apache.org/mod_mbox/hive-dev/201308.mbox/%3CCACkoVCxm+=44kB_4eWtepHe_knkdm0Uzyh=0q-vfybyu8el...@mail.gmail.com%3E


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
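
The encrypt-then-validate exchange described in the issue, as an added example that is not code from the issue, its reporter, or Hadoop. It assumes AES-GCM (authenticated encryption, so a modified token fails validation instead of decrypting to a different path) and a token layout of owner plus path; the class `PathTokenDemo`, the `seal`/`open` helpers, the key handling, and the sample owner and path are all hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class PathTokenDemo {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Owner side (assumed layout): token = IV || AES-GCM("owner\npath").
    static byte[] seal(byte[] key, String owner, String path) throws Exception {
        if (owner.indexOf('\n') >= 0) throw new IllegalArgumentException("owner contains newline");
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);               // fresh IV per token; never reuse with one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal((owner + "\n" + path).getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Namenode side: returns {owner, path}, or throws AEADBadTagException if the
    // token was modified or sealed under a different key.
    static String[] open(byte[] key, byte[] token) throws Exception {
        if (token.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, token, 0, IV_LEN));
        byte[] pt = c.doFinal(token, IV_LEN, token.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8).split("\n", 2);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                      // constructed demo key standing in for the shared secret
        new SecureRandom().nextBytes(key);
        byte[] token = seal(key, "alice", "/warehouse/sales/part-00000"); // constructed sample values
        String[] r = open(key, token);
        System.out.println("execute as " + r[0] + " on " + r[1]);

        byte[] tampered = token.clone();
        tampered[tampered.length - 1] ^= 1;             // flip one bit of the auth tag
        try {
            open(key, tampered);
            System.out.println("tampered token accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered token rejected");
        }
    }
}
```

As written, a token never expires and is not bound to an operation or caller, so anyone holding it can replay it for any call on that path.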
