[jira] [Commented] (HDFS-6826) Plugin interface to enable delegation of HDFS authorization assertions

Tue, 19 Aug 2014 17:47:37 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14103164#comment-14103164
 ] 

Alejandro Abdelnur commented on HDFS-6826:
------------------------------------------

[~jinzhao],

Wiring the authz plugin to the snapshot lifecycle requires the following 
methods:

* setSnaphostDirs(Map<INode, snapshotID>) // called at start up time, allowing 
the plugin to know existing snapshots
* addSnapshotDir(INode)
* removeSnapshotDir(INode)
* createSnapshot(INode, snapshotID)
* deleteSnapshot(INode, snapshotID)

The authz plugin is given to the SnapshotManager at startup, and the 
SnapshotManager would call these methods in the corresponding snapshot 
operations.

This will allow the authz plugin (if desired) to keep track of snapshots and to 
perform its own snapshot management for authz information.


> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, 
> HDFS-6826v3.patch, HDFS-6826v4.patch, HDFS-6826v5.patch, 
> HDFSPluggableAuthorizationProposal-v2.pdf, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services 
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities permissions.
> I’ll be posting a design proposal in the next few days.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to