[
https://issues.apache.org/jira/browse/HDFS-6826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14376429#comment-14376429
]
Jitendra Nath Pandey commented on HDFS-6826:
--------------------------------------------
Thanks for the quick turn around, [~asuresh].
The latest patch looks pretty good and works for us.
I want to point out that the API
{{public AccessControlEnforcer
getExternalAccessControlEnforcer(AccessControlEnforcer defaultEnforcer)}}
assumes a one to one mapping between external enforcer and the default
enforcer. The {{FSPermissionChecker}} is the default enforcer in this case
which is instantiated for every request, therefore there is an implicit
assumption that the callerUgi in the {{checkPermission}} API is same as the
callerUgi used to create the {{FSPermissionChecker}} that was passed as the
default enforcer.
Therefore, I would prefer passing the default enforcer to the
{{AccessControlEnforcer#checkPermission}} API as I mentioned in my previous
comment, and not pass it to the {{getExternalAccessControlEnforcer}}.
However, I will still be OK if you prefer to stick to the model of one to one
mapping between default enforcer object and external enforcer object, where
both are tied to the specific file system request.
Please update with your call on the above.
+1 pending the decision on the above.
> Plugin interface to enable delegation of HDFS authorization assertions
> ----------------------------------------------------------------------
>
> Key: HDFS-6826
> URL: https://issues.apache.org/jira/browse/HDFS-6826
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
> Attachments: HDFS-6826-idea.patch, HDFS-6826-idea2.patch,
> HDFS-6826-permchecker.patch, HDFS-6826.10.patch, HDFS-6826.11.patch,
> HDFS-6826.12.patch, HDFS-6826.13.patch, HDFS-6826.14.patch,
> HDFS-6826.15.patch, HDFS-6826.16.patch, HDFS-6826v3.patch, HDFS-6826v4.patch,
> HDFS-6826v5.patch, HDFS-6826v6.patch, HDFS-6826v7.1.patch,
> HDFS-6826v7.2.patch, HDFS-6826v7.3.patch, HDFS-6826v7.4.patch,
> HDFS-6826v7.5.patch, HDFS-6826v7.6.patch, HDFS-6826v7.patch,
> HDFS-6826v8.patch, HDFS-6826v9.patch,
> HDFSPluggableAuthorizationProposal-v2.pdf,
> HDFSPluggableAuthorizationProposal.pdf
>
>
> When Hbase data, HiveMetaStore data or Search data is accessed via services
> (Hbase region servers, HiveServer2, Impala, Solr) the services can enforce
> permissions on corresponding entities (databases, tables, views, columns,
> search collections, documents). It is desirable, when the data is accessed
> directly by users accessing the underlying data files (i.e. from a MapReduce
> job), that the permission of the data files map to the permissions of the
> corresponding data entity (i.e. table, column family or search collection).
> To enable this we need to have the necessary hooks in place in the NameNode
> to delegate authorization to an external system that can map HDFS
> files/directories to data entities and resolve their permissions based on the
> data entities permissions.
> I’ll be posting a design proposal in the next few days.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
