[
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094130#comment-14094130
]
Daryn Sharp commented on HDFS-6826:
-----------------------------------
The critical question is whether a NN backend should be used to solve external
app-level authz issues. The NN is a filesystem. It has permissions and ACLs
which should meet the authz requirements. Using external backend rapidly
becomes complicated to do "correctly" in the respect of not impacting "real" NN
operations.
If permissions/ACLs aren't ideal, then how about a front-end authz manager? A
MITM proxy service may be a cleaner approach that doesn't impact the NN. Using
hive as an example, all hive files are owned and accessible only by the hive
user. The hive server runs a rpc service implementing the NN's ClientProtocol.
The service applies custom authz checks for hive files before allowing access.
The main issue is likely file r/w access which is governed by block tokens.
Block tokens are user-agnostic (don't get confused by the dead code for user
checks) so the hive server can obtain block tokens usable by dfsclients. Hive
tasks just access the hive files via hdfs://hive-nn/ instead of hdfs://nn/.
> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
> Key: HDFS-6826
> URL: https://issues.apache.org/jira/browse/HDFS-6826
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HDFS-6826-idea.patch,
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce
> permissions on corresponding entities (databases, tables, views, columns,
> search collections, documents). It is desirable, when the data is accessed
> directly by users accessing the underlying data files (i.e. from a MapReduce
> job), that the permission of the data files map to the permissions of the
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode
> to delegate authorization to an external system that can map HDFS
> files/directories to data entities and resolve their permissions based on the
> data entities permissions.
> I’ll be posting a design proposal in the next few days.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
