[ https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14097944#comment-14097944 ]

Alejandro Abdelnur edited comment on HDFS-6826 at 8/15/14 5:06 AM:
-------------------------------------------------------------------

Attached is a new POC where the FsPermissionChecker has been made an interface, 
the original one renamed to DefaultFsPermissionChecker and the plugin creates a 
permission checker instance. (The patch is bigger because of the rename; when 
committing, an svn move would be done to preserve the history of the permission 
checker.)

Then the plugin can do both: replace authz info and replace the permission 
check logic.

I've also removed the refresh() call from the plugin. This means that the plugin 
does not provide a means to make external calls during a filesystem 
operation. A proper plugin impl should fetch all authz info async from fs 
operations.


was (Author: tucu00):
attach is new POC where the FsPermissionChecker has been made an interface, the 
original one renamed to DefaultFsPermissionChecker and the plugin creates a 
permission checker instance. (the patch is bigger because of the rename, when 
committing an svn move would be done to preserve history of the permission 
checker)

then the plugin can do both, replace authz info and replace the permission 
check logic.

I've also removed the refresh() call from the plugin. This means that the plugin 
does not provide a means to make external calls during a filesystem 
operation. A proper plugin impl should fetch all authz info async from fs 
operations.

> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
>                 Key: HDFS-6826
>                 URL: https://issues.apache.org/jira/browse/HDFS-6826
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch, 
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When HBase data, HiveMetaStore data or Search data is accessed via services 
> (HBase region servers, HiveServer2, Impala, Solr) the services can enforce 
> permissions on corresponding entities (databases, tables, views, columns, 
> search collections, documents). It is desirable, when the data is accessed 
> directly by users accessing the underlying data files (i.e. from a MapReduce 
> job), that the permission of the data files map to the permissions of the 
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode 
> to delegate authorization to an external system that can map HDFS 
> files/directories to data entities and resolve their permissions based on the 
> data entities' permissions.
> I’ll be posting a design proposal in the next few days.
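
The comment above says a plugin should fetch all authz info asynchronously from filesystem operations. The sketch below is an added example, not code from the HDFS-6826 patches or from Hadoop: every class, method and path name in it is hypothetical, the sample data is constructed, and denying access when the snapshot is missing or stale is a design choice of this example that the comment does not specify.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical names throughout; not the HDFS-6826 patch or any Hadoop API.
public class AsyncAuthzCache implements AutoCloseable {
    /** Immutable snapshot of externally sourced authz info. */
    record Snapshot(Map<String, Set<String>> readersByPath, long loadedAtMillis) {}

    /** Stand-in for the external authorization system (assumption). */
    interface AuthzSource { Map<String, Set<String>> fetchAll() throws Exception; }

    private final AtomicReference<Snapshot> current = new AtomicReference<>();
    private final ScheduledExecutorService refresher =
        Executors.newSingleThreadScheduledExecutor();
    private final long maxAgeMillis;

    AsyncAuthzCache(AuthzSource source, long periodMillis, long maxAgeMillis) {
        this.maxAgeMillis = maxAgeMillis;
        // The external call happens only on this background thread.
        refresher.scheduleWithFixedDelay(() -> {
            try {
                current.set(new Snapshot(Map.copyOf(source.fetchAll()),
                                         System.currentTimeMillis()));
            } catch (Exception e) {
                // Keep the last snapshot; once it ages out, checks fail closed.
            }
        }, 0, periodMillis, TimeUnit.MILLISECONDS);
    }

    /** Runs on the filesystem-operation path: memory reads only, no external call. */
    boolean canRead(String user, String path) {
        Snapshot s = current.get();
        if (s == null || System.currentTimeMillis() - s.loadedAtMillis() > maxAgeMillis) {
            return false; // no usable authz info: deny rather than block or guess
        }
        Set<String> readers = s.readersByPath().get(path);
        return readers != null && readers.contains(user);
    }

    @Override public void close() { refresher.shutdownNow(); }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for the external system's answer.
        AuthzSource constructed = () -> Map.of("/warehouse/t1", Set.of("alice"));
        try (AsyncAuthzCache cache = new AsyncAuthzCache(constructed, 1000, 5000)) {
            Thread.sleep(200); // give the first background load time to finish
            System.out.println("alice: " + cache.canRead("alice", "/warehouse/t1"));
            System.out.println("bob:   " + cache.canRead("bob", "/warehouse/t1"));
        }
    }
}
```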


