[
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14101402#comment-14101402
]
Jing Zhao commented on HDFS-6826:
---------------------------------
bq. I think we don't need to expose snapshotId. We can assume that this plugin
will be invoked after the path has been resolved and INodeAuthorizationInfo is
populated accordingly. The external implementations may not be able to track
snapshotId, they should just use the full path.
Yes, I agree with [~jnp] here. INodeAuthorizationInfo etc. only needs to handle
information after path resolving thus snapshot Id should not be included in the
API.
bq. we could implement INodeAuthorizationInfo to encapsulate the snapshotId and
the INode
Note that the class SnapshotCopy is a subclass of INodeAttributes. Thus I guess
a simpler way here can be to let INodeAttributes implement
INodeAuthorizationInfo. But one issue here is how to support {{getFullPath}}
for snapshot inode, since it can be very expensive to get the full path for an
inode that only exists in snapshots. It will make life easier if we can remove
it from INodeAuthorizationInfo.
> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
> Key: HDFS-6826
> URL: https://issues.apache.org/jira/browse/HDFS-6826
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch,
> HDFS-6826v3.patch, HDFS-6826v4.patch,
> HDFSPluggableAuthorizationProposal-v2.pdf,
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce
> permissions on corresponding entities (databases, tables, views, columns,
> search collections, documents). It is desirable, when the data is accessed
> directly by users accessing the underlying data files (i.e. from a MapReduce
> job), that the permission of the data files map to the permissions of the
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode
> to delegate authorization to an external system that can map HDFS
> files/directories to data entities and resolve their permissions based on the
> data entities permissions.
> I’ll be posting a design proposal in the next few days.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
