Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-4348

Adding service-level authorization to Hadoop

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 0.20.0
    • security
    • None


      Service-level authorization is the initial checking done by a Hadoop service to find out if a connecting client is a pre-defined user of that service. If not, the connection or service request will be declined. This feature allows services to limit access to a clearly defined group of users. For example, service-level authorization allows "world-readable" files on a HDFS cluster to be readable only by the pre-defined users of that cluster, not by anyone who can connect to the cluster. It also allows a M/R cluster to define its group of users so that only those users can submit jobs to it.

      Here is an initial list of requirements I came up with.

      1. Users of a cluster is defined by a flat list of usernames and groups. A client is a user of the cluster if and only if her username is listed in the flat list or one of her groups is explicitly listed in the flat list. Nested groups are not supported.

      2. The flat list is stored in a conf file and pushed to every cluster node so that services can access them.

      3. Services will monitor the modification of the conf file periodically (5 mins interval by default) and reload the list if needed.

      4. Checking against the flat list is done as early as possible and before any other authorization checking. Both HDFS and M/R clusters will implement this feature.

      5. This feature can be switched off and is off by default.

      I'm aware of interests in pulling user data from LDAP. For this JIRA, I suggest we implement it using a conf file. Additional data sources may be supported via new JIRA's.


        1. HADOOP-4348_0_20081022.patch
          46 kB
          Arun Murthy
        2. jaas_service_v1.patch
          29 kB
          Enis Soztutar
        3. jaas_service_v2.patch
          102 kB
          Enis Soztutar
        4. jaas_service_v3.patch
          139 kB
          Enis Soztutar
        5. ServiceLevelAuthorization.pdf
          45 kB
          Arun Murthy
        6. HADOOP-4348_1_20081201.patch
          87 kB
          Arun Murthy
        7. ServiceLevelAuthorization.pdf
          48 kB
          Arun Murthy
        8. HADOOP-4348_2_20081202.patch
          101 kB
          Arun Murthy
        9. HADOOP-4348_3_20081204.patch
          104 kB
          Arun Murthy
        10. HADOOP-4348_4_20081205.patch
          132 kB
          Arun Murthy
        11. HADOOP-4348_5_20081206.patch
          133 kB
          Arun Murthy
        12. HADOOP-4348_6_20081209.patch
          159 kB
          Arun Murthy
        13. HADOOP-4348_7_20081210.patch
          159 kB
          Arun Murthy
        14. HADOOP-4348_7_20081210.patch
          159 kB
          Arun Murthy
        15. HADOOP-4348_7_20081210.patch
          159 kB
          Arun Murthy

        Issue Links


          This comment will be Viewable by All Users Viewable by All Users


            acmurthy Arun Murthy
            kzhang Kan Zhang
            0 Vote for this issue
            18 Start watching this issue




                Issue deployment