[jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Wed, 13 Aug 2014 11:32:27 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095880#comment-14095880
 ] 

Daryn Sharp commented on HDFS-6826:
-----------------------------------

Arg, yesterday's jira issues apparently caused my comment to be lost.

The group mapping authz is a bit different.  It's not context sensitive, as in 
a user uniformly belongs to groups across the whole namesystem.  Path-based 
context sensitivity is adding hidden magic to a filesystem.  How will the 
special magic be represented to the user confused by why the perms/ACLs aren't 
being honored?  How will permission apis and FsShell interact with the magic?

Instead of trying to hack special behavior for a specific use case into the NN, 
how about leveraging what's there.   A cleaner way may be for a custom group 
mapping to fabricate groups something like "hive:table" or "hive:table:column". 
  No code changes in the NN.  Everything is contained in the custom groups 
mapping.

I still think leveraging ACLs is the best way to go...

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to