[
https://issues.apache.org/jira/browse/HDFS-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13838046#comment-13838046
]
Haohui Mai commented on HDFS-5569:
----------------------------------
[~farisa], I think I'm still missing which types of objects that you want to
have authorization. In HDFS / WebHDFS, I'm assuming that the objects are files,
that is, certain principals can only access certain files. Let's say you have a
file foo in hdfs with the following permission:
{noformat}
adam:group rw----- foo
{noformat}
HDFS enforces that you can read and write to the file foo only if you're the
user adam. WebHDFS is just a gateway of HDFS, which means that the same
permission models apply.
You can only access the file via WebHDFS only if you prove your identity as the
user adam through Kerberos / spnego.
If someone fails to show he / she is the user adam, he'll get a 401 when he /
she is using WebHDFS to access the file.
Does it address your concerns?
> WebHDFS should support a deny/allow list for data access
> --------------------------------------------------------
>
> Key: HDFS-5569
> URL: https://issues.apache.org/jira/browse/HDFS-5569
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: webhdfs
> Reporter: Adam Faris
> Labels: features
>
> Currently we can't restrict what networks are allowed to transfer data using
> WebHDFS. Obviously we can use firewalls to block ports, but this can be
> complicated and problematic to maintain. Additionally, because all the jetty
> servlets run inside the same container, blocking access to jetty to prevent
> WebHDFS transfers also blocks the other servlets running inside that same
> jetty container.
> I am requesting a deny/allow feature be added to WebHDFS. This is already
> done with the Apache HTTPD server, and is what I'd like to see the deny/allow
> list modeled after. Thanks.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
