Hadoop Common / HADOOP-4359

Access Token: Support for data access authorization checking on DataNodes

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.20.0
    • Fix Version/s: 0.21.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Introduced access tokens as capabilities for accessing datanodes. This change to internal protocols does not affect client applications.

      Description

      Currently, DataNodes do not enforce any access control on accesses to their data blocks. This makes it possible for an unauthorized client to read a data block as long as she can supply its block ID. It's also possible for anyone to write arbitrary data blocks to DataNodes.

      When users request file accesses on the NameNode, file permission checking takes place. Authorization decisions are made with regard to whether the requested accesses to those files (and implicitly, to their corresponding data blocks) are permitted. However, when it comes to subsequent data block accesses on the DataNodes, those authorization decisions are not made available to the DataNodes and consequently, such accesses are not verified. DataNodes are not capable of reaching those decisions independently since they don't have concepts of files, let alone file permissions.

      In order to implement data access policies consistently across HDFS services, there is a need for a mechanism by which authorization decisions made on the NameNode can be faithfully enforced on the DataNodes and any unauthorized access is declined.
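
The capability idea named in the release note can be sketched as follows. This is an added illustration, not code from the attached patches or the design document; the token fields, the HMAC-SHA256 construction, the shared key and the names `issue_token` and `check_access` are all assumptions made for the sketch.

```python
import hashlib
import hmac
import time

# Constructed demo key; assumed to be known only to the NameNode and DataNodes.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(key, user, block_id, modes, expiry):
    # Length-prefix each field so different field tuples never serialize alike.
    fields = [user, str(block_id), ",".join(sorted(modes)), str(expiry)]
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_token(key, user, block_id, modes, ttl_s, now=None):
    """NameNode side: call only after file permission checking has passed."""
    expiry = int(time.time() if now is None else now) + ttl_s
    return {"user": user, "block_id": block_id, "modes": sorted(modes),
            "expiry": expiry, "mac": _mac(key, user, block_id, modes, expiry)}


def check_access(key, token, block_id, mode, now=None):
    """DataNode side: no notion of files, only the token and the shared key."""
    now = time.time() if now is None else now
    try:
        expected = _mac(key, token["user"], token["block_id"],
                        token["modes"], token["expiry"])
        if not hmac.compare_digest(expected, token["mac"]):
            return False  # forged or altered token
        return (token["block_id"] == block_id and mode in token["modes"]
                and now < token["expiry"])
    except (KeyError, TypeError, AttributeError):
        return False  # malformed or missing token: fail closed


if __name__ == "__main__":
    tok = issue_token(SHARED_KEY, "alice", 1001, ["READ"], ttl_s=600)
    print(check_access(SHARED_KEY, tok, 1001, "READ"))   # token covers this access
    print(check_access(SHARED_KEY, tok, 1002, "READ"))   # different block ID
```

Knowing a block ID is no longer enough in this model: the DataNode accepts a request only when it carries a token whose MAC verifies and whose block ID, access mode and expiry cover that request.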

        Attachments

        1. 4359.patch
          2 kB
          Devaraj Das
        2. AccessTokenDesign1.pdf
          79 kB
          Kan Zhang
        3. at13.patch
          63 kB
          Kan Zhang
        4. at19.patch
          82 kB
          Kan Zhang
        5. at31.patch
          97 kB
          Kan Zhang
        6. at33.patch
          97 kB
          Kan Zhang
        7. at34.patch
          97 kB
          Kan Zhang
        8. at35.patch
          97 kB
          Kan Zhang
        9. at36.patch
          97 kB
          Kan Zhang
        10. at37.patch
          99 kB
          Kan Zhang
        11. at38.patch
          99 kB
          Kan Zhang
        12. at39.patch
          99 kB
          Kan Zhang
        13. at40.patch
          99 kB
          Kan Zhang
        14. HADOOP-4359-0_20.2.patch
          102 kB
          Jitendra Nath Pandey

              People

              • Assignee:
                kzhang Kan Zhang
                Reporter:
                kzhang Kan Zhang
              • Votes:
                0
                Watchers:
                14