Description
When Hbase data, HiveMetaStore data or Search data is accessed via services (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce permissions on corresponding entities (databases, tables, views, columns, search collections, documents). It is desirable, when the data is accessed directly by users accessing the underlying data files (i.e. from a MapReduce job), that the permission of the data files map to the permissions of the corresponding data entity (i.e. table, column family or search collection).
To enable this we need to have the necessary hooks in place in the NameNode to delegate authorization to an external system that can map HDFS files/directories to data entities and resolve their permissions based on the data entities permissions.
I’ll be posting a design proposal in the next few days.
Attachments
Attachments
Issue Links
- blocks
-
SENTRY-432 Synchronization of HDFS permissions with Sentry permissions
- Resolved
- breaks
-
HDFS-11392 FSPermissionChecker#checkSubAccess should support inodeattribute provider
- Open
- is related to
-
HDFS-8091 ACLStatus and XAttributes not properly presented to INodeAttributesProvider before returning to client
- Closed
- relates to
-
HDFS-10673 Optimize FSPermissionChecker's internal path usage
- Resolved
-
YARN-3100 Make YARN authorization pluggable
- Closed