[jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Mon, 11 Aug 2014 13:23:14 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14093239#comment-14093239
 ] 

Daryn Sharp commented on HDFS-6826:
-----------------------------------

It doesn't matter which or how many paths go through the custom plugin.  Adding 
anything executed in a handler that can block, with or w/o the fsn lock, will 
put the entire NN in jeopardy.

When it comes to problems with a slow external authz:
# Best-worst case is the special authz clients < ipc handlers.  Authz clients 
suffocate the throughput of "normal" clients, DN heartbeats, and block reports 
but the NN limps along.
# Worst-worst case is the number of special authz clients >= ipc handlers.  NN 
is effectively stalled.  If the external authz service is down, and not just 
extremely slow, the latency from connection timeouts will cause the NN to go 
into an overloaded death spiral.

I'll post an alternate approach that should require no client code changes 
shortly.

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to