[
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14109891#comment-14109891
]
Daryn Sharp commented on HDFS-6826:
-----------------------------------
bq. To do the chown it would require the HiveMetaStore to be a hdfs superuser
Sorry I wasn't clear but that wasn't my intent. By "limited chown
capabilities" I meant modifying chown to be usable by a non-superuser with
appropriate restrictions. Think of it as a sudoers thing.
Basically, /hive/table1 represents the table and is owned by hive:somegroup
with rwxr-x--- . The group and/or ACLs embody the table grants. Changing
grants only requires modifying the table1 directory itself, not its contents.
/hive/table1/part1..part20 are owned by hive:hive with perms r--r--r-- . The
user/group/ACLs don't really matter because the directory is controlling access
to the table's partitions. Now when a user wants to add a partition, it's
moved to /hive/table1 and chown'ed to owner hive with r--r--r--.
> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
> Key: HDFS-6826
> URL: https://issues.apache.org/jira/browse/HDFS-6826
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch,
> HDFS-6826v3.patch, HDFS-6826v4.patch, HDFS-6826v5.patch, HDFS-6826v6.patch,
> HDFS-6826v7.1.patch, HDFS-6826v7.2.patch, HDFS-6826v7.patch,
> HDFS-6826v8.patch, HDFSPluggableAuthorizationProposal-v2.pdf,
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce
> permissions on corresponding entities (databases, tables, views, columns,
> search collections, documents). It is desirable, when the data is accessed
> directly by users accessing the underlying data files (i.e. from a MapReduce
> job), that the permission of the data files map to the permissions of the
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode
> to delegate authorization to an external system that can map HDFS
> files/directories to data entities and resolve their permissions based on the
> data entities permissions.
> I’ll be posting a design proposal in the next few days.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
