Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-6826

Plugin interface to enable delegation of HDFS authorization assertions

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.4.1
    • 2.7.0
    • security
    • None

    Description

      When Hbase data, HiveMetaStore data or Search data is accessed via services (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce permissions on corresponding entities (databases, tables, views, columns, search collections, documents). It is desirable, when the data is accessed directly by users accessing the underlying data files (i.e. from a MapReduce job), that the permission of the data files map to the permissions of the corresponding data entity (i.e. table, column family or search collection).

      To enable this we need to have the necessary hooks in place in the NameNode to delegate authorization to an external system that can map HDFS files/directories to data entities and resolve their permissions based on the data entities permissions.

      I’ll be posting a design proposal in the next few days.

      Attachments

        1. HDFS-6826.16.patch
          55 kB
          Arun Suresh
        2. HDFS-6826.15.patch
          55 kB
          Arun Suresh
        3. HDFS-6826.14.patch
          57 kB
          Arun Suresh
        4. HDFS-6826.13.patch
          57 kB
          Arun Suresh
        5. HDFS-6826.12.patch
          55 kB
          Arun Suresh
        6. HDFS-6826.11.patch
          39 kB
          Arun Suresh
        7. HDFS-6826.10.patch
          47 kB
          Arun Suresh
        8. HDFS-6826v9.patch
          41 kB
          Alejandro Abdelnur
        9. HDFS-6826-permchecker.patch
          9 kB
          Daryn Sharp
        10. HDFS-6826v7.6.patch
          100 kB
          Alejandro Abdelnur
        11. HDFS-6826v7.5.patch
          43 kB
          Alejandro Abdelnur
        12. HDFS-6826v7.4.patch
          64 kB
          Alejandro Abdelnur
        13. HDFS-6826v7.3.patch
          68 kB
          Alejandro Abdelnur
        14. HDFS-6826v8.patch
          21 kB
          Alejandro Abdelnur
        15. HDFS-6826v7.2.patch
          67 kB
          Alejandro Abdelnur
        16. HDFS-6826v7.1.patch
          67 kB
          Alejandro Abdelnur
        17. HDFS-6826v7.patch
          67 kB
          Alejandro Abdelnur
        18. HDFS-6826v6.patch
          58 kB
          Alejandro Abdelnur
        19. HDFS-6826v5.patch
          52 kB
          Alejandro Abdelnur
        20. HDFS-6826v4.patch
          52 kB
          Alejandro Abdelnur
        21. HDFS-6826v3.patch
          50 kB
          Alejandro Abdelnur
        22. HDFSPluggableAuthorizationProposal-v2.pdf
          136 kB
          Alejandro Abdelnur
        23. HDFS-6826-idea2.patch
          57 kB
          Alejandro Abdelnur
        24. HDFS-6826-idea.patch
          41 kB
          Alejandro Abdelnur
        25. HDFSPluggableAuthorizationProposal.pdf
          136 kB
          Alejandro Abdelnur

        Issue Links

          blocks

          New Feature - A new feature of the product, which has yet to be developed. SENTRY-432 Synchronization of HDFS permissions with Sentry permissions

          • Major - Major loss of function.
          • Resolved
          breaks

          Bug - A problem which impairs or prevents the functions of the product. HDFS-11392 FSPermissionChecker#checkSubAccess should support inodeattribute provider

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HDFS-8091 ACLStatus and XAttributes not properly presented to INodeAttributesProvider before returning to client

          • Major - Major loss of function.
          • Closed
          relates to

          Sub-task - The sub-task of the issue HDFS-10673 Optimize FSPermissionChecker's internal path usage

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. YARN-3100 Make YARN authorization pluggable

          • Major - Major loss of function.
          • Closed

          Activity

            People

              asuresh Arun Suresh
              tucu00 Alejandro Abdelnur
              Votes:
              1 Vote for this issue
              Watchers:
              41 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: