[jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Sun, 17 Aug 2014 10:36:29 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100002#comment-14100002
 ] 

Alejandro Abdelnur commented on HDFS-6826:
------------------------------------------

[~apurtell], cell level is out of scope from this proposal. This proposal 
focuses on providing 'synchronized' authorization between data entities and the 
associated files for the use cases where the files fully belong to a single 
data entity. If a file contains data for multiple data entities (Hbase cell, 
columns of a CSV file mapped to a HiveMetaStore table), it is not possible to 
map authorization to a file in a secure way (enforced by HDFS; you could 
enforce that a client lib level, but a modified client lib will give you access 
to the whole file).

My take is that, in the case of authorization at cell level, this will always 
remain in HBase. Otherwise, we would require an authorization source with the 
scalability of HBase and with more performance than HBase.

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, 
> HDFS-6826v3.patch, HDFSPluggableAuthorizationProposal-v2.pdf, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to