[jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Tue, 12 Aug 2014 09:13:41 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094239#comment-14094239
 ] 

Alejandro Abdelnur commented on HDFS-6826:
------------------------------------------

[~daryn],

A proxy NN was one of the alternatives considered before settling for the Authz 
plugin. 

I like it because of the very same reasons you point out.

The concerns with that approach are:

* It is a new service
* It has to support HA
* It will be error prone for users the use of 2 NN URIs:
** One for HDFS authz, another for Hive authz
** A file or directory being added to a Hive table would first be referenced 
via the NN and then via the proxy NN
** Users my add file URIs of the proxy NN in the HiveMetaStore

Regarding the plugin approach. If the plugin does not interact with external 
systems during a filesystem RPC call and just uses inmemory data, that 
addresses your concerns, right?





> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to