[jira] [Updated] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Mon, 18 Aug 2014 15:13:35 -0700 

     [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alejandro Abdelnur updated HDFS-6826:
-------------------------------------

    Attachment: HDFS-6826v5.patch

[~jnp],

uploading v5 patch. I've removed the resolveLink. I've added 2 methods to the 
{{INodeAuthorizationInfo}} interface {{getLocalName()}} and {{getParent}}.

IMO, it is up to a plugin to support snapshots or not. The default impl (native 
HDFS) would, the current patch. An impl that does not care, can return current 
authz info for the node regardless of the provided snapshotId. Using the full 
path does not necessary work if supporting snapshots because of rename ops.

Regarding wrapping {{INode}} with a {{INodeAuthorizationInfo}} impl before 
passing  to the plugin, that would require creating a bunch of new objects (the 
wrappers). When crafting the API I've took special care on no creating 
additional objects in the authz methods. Thus, I would ike to keep it like that.


> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, 
> HDFS-6826v3.patch, HDFS-6826v4.patch, HDFS-6826v5.patch, 
> HDFSPluggableAuthorizationProposal-v2.pdf, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to