[jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Fri, 15 Aug 2014 16:46:51 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14099357#comment-14099357
 ] 

Selvamohan Neethiraj commented on HDFS-6826:
--------------------------------------------

Alejandro,

The use case for externalizing the authorization:  If a enterprise keeps their 
metadata details such as what is "confidential" in a separate system and 
provide access control based on the metadata, it is important to have a 
plug-able authorization module, which can use the metadata from external system 
and provide authorization to users/groups based on their own logic. I do not 
expect every organization to have a custom/plug-able authorization. But, this 
would allow security vendors and system integrators to expand security scope 
for hdfs.

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, 
> HDFS-6826v3.patch, HDFSPluggableAuthorizationProposal-v2.pdf, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to