[
https://issues.apache.org/jira/browse/HDFS-5126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13747332#comment-13747332
]
Erik.fang commented on HDFS-5126:
---------------------------------
I will submit a patch for prototype later
> implement authorized HDFS user impersonation
> --------------------------------------------
>
> Key: HDFS-5126
> URL: https://issues.apache.org/jira/browse/HDFS-5126
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Reporter: Erik.fang
> Priority: Minor
> Labels: features, security
>
> I propose a authorized user impersonate mechanism for fine grain (path level)
> access control in HDFS.
> In short, owner of data encrypt the path with a shared secret, and other user
> use the encrypted path to call namenode service (create/read/delete file).
> Namenode decrypt the path to validate the access and execute the operation as
> owner of the data if valid. It consists of:
> 1. a ACLFileSystem extends DistributedFileSystem, which wrap the
> create/open/delete/etc. RPC calls, and send the encrypted path to namenode
> 2. authenticator(embedded in namenode), which decrypt the path and execute
> the call as owner of the data
> With authorized user impersonate, we can develop a authorization manager to
> check whether a path level access is permitted.
> A detailed explanation can be found in maillist:
> http://mail-archives.apache.org/mod_mbox/hive-dev/201308.mbox/%3CCACkoVCxm+=44kB_4eWtepHe_knkdm0Uzyh=0q-vfybyu8el...@mail.gmail.com%3E
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
