Description
The focus of the optimizations described below is to minimize the number of times the Ranger policy engine is called to authorize a NameNode RPC, without modifying the NameNode authorization interface or authorization call sequence.
This optimization is possible as the NameNode calls the authorizer more than once to authorize some RPCs, as observed during testing. To ensure that the authorizer is provided a consistent context to represent an RPC, some improvements are needed in the NameNode. Related NameNode JIRAs are:
- HDFS-17478: Avoid creation of AccessControlEnforcer object for every call to the authorizer
- HDFS-17500: Provide operation name consistently in the caller-context provided to checkPermissionWithContext() API
The Ranger authorizer is updated to leverage this context to optimize authorization calls for the RPC. In particular, the authorization logic of the following RPC operations is updated.
List of operations with optimized authorization checks:
- Create file: operation name “create”
- Rename file: operation name “rename”
- Delete file: operation name “delete”
- Create directory: operation name “mkdirs”
- List directory contents: operation name “listStatus”
- Rename directory: operation name “rename”
- Delete directory: operation name “delete”
- Get Encryption Zone for a directory: operation name “getEZForPath”
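One way an authorizer can use a per-RPC context to avoid repeated policy evaluation, shown as an added example that is not taken from the Ranger patch or from HDFS. `PerRpcAuthzCache`, `RpcContext`, `evaluatePolicy` and the sample policy are hypothetical; the sketch assumes decisions are memoized only within one RPC and only when an operation name is present.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not Ranger or HDFS code: memoizes policy decisions for one RPC.
public class PerRpcAuthzCache {
    // Stand-in for the policy engine; counts how often it is really evaluated.
    static int engineCalls = 0;

    static boolean evaluatePolicy(String user, String path, String access) {
        engineCalls++;
        return path.startsWith("/data/" + user + "/"); // constructed sample policy
    }

    // One instance per RPC, so a decision never outlives the request or crosses users.
    static final class RpcContext {
        final String user;
        final String operationName; // e.g. "rename"; null models a missing name
        private final Map<String, Boolean> decisions = new HashMap<>();

        RpcContext(String user, String operationName) {
            this.user = user;
            this.operationName = operationName;
        }

        boolean check(String path, String access) {
            // Without an operation name the calls cannot be tied to one RPC:
            // fail safe by evaluating every time instead of reusing a decision.
            if (operationName == null) {
                return evaluatePolicy(user, path, access);
            }
            String key = access + "\0" + path; // allow and deny results are both cached
            return decisions.computeIfAbsent(key, k -> evaluatePolicy(user, path, access));
        }
    }

    public static void main(String[] args) {
        // Constructed call sequence: the NameNode asks three times during one "rename".
        RpcContext rename = new RpcContext("alice", "rename");
        boolean src1 = rename.check("/data/alice/src", "WRITE");
        boolean src2 = rename.check("/data/alice/src", "WRITE"); // reused within the RPC
        boolean dst = rename.check("/data/bob/dst", "WRITE");    // new path: evaluated
        System.out.println(src1 + " " + src2 + " " + dst + " engineCalls=" + engineCalls);

        // A later RPC gets a fresh context, so a policy change takes effect at once.
        RpcContext delete = new RpcContext("alice", "delete");
        delete.check("/data/alice/src", "WRITE");
        System.out.println("after second RPC engineCalls=" + engineCalls);
    }
}
```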
Issue Links
- depends upon
  - HDFS-17478 FSPermissionChecker to avoid obtaining a new AccessControlEnforcer instance before each authz call (Resolved)
  - HDFS-17500 Add missing operation name while authorizing some operations (Resolved)
Patch is available at https://reviews.apache.org/r/75045/