[
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14109835#comment-14109835
]
Alejandro Abdelnur commented on HDFS-6826:
------------------------------------------
@daryn,
bq. When a partition is added to a hive table, the hive server moves the file
into a directory representing the table and chowns the file to itself.
To do the chown it would require the HiveMetaStore to be a hdfs superuser.
AFAIK, ACLs are not inherited at permission check time. They are inherited at
creation time if the parent has DEFAULT ACLs. So, the chown would have to be
done recursively. And, if somebody adds a file to a partition dir later on, it
would not have the right settings.
And still this is not solving my 'single source of authz info' as I could still
set things in HDFS or in Sentry.
I'm trying to come up with a model that enables authz to be delegated if the
file/dir belongs to a table.
Please let me know if you want to do another synchronous discussion round.
> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
> Key: HDFS-6826
> URL: https://issues.apache.org/jira/browse/HDFS-6826
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch,
> HDFS-6826v3.patch, HDFS-6826v4.patch, HDFS-6826v5.patch, HDFS-6826v6.patch,
> HDFS-6826v7.1.patch, HDFS-6826v7.2.patch, HDFS-6826v7.patch,
> HDFS-6826v8.patch, HDFSPluggableAuthorizationProposal-v2.pdf,
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce
> permissions on corresponding entities (databases, tables, views, columns,
> search collections, documents). It is desirable, when the data is accessed
> directly by users accessing the underlying data files (i.e. from a MapReduce
> job), that the permission of the data files map to the permissions of the
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode
> to delegate authorization to an external system that can map HDFS
> files/directories to data entities and resolve their permissions based on the
> data entities permissions.
> I’ll be posting a design proposal in the next few days.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
