[ 
https://issues.apache.org/jira/browse/HDFS-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038145#comment-14038145
 ] 

Chris Nauroth commented on HDFS-6570:
-------------------------------------

Before submitting this issue, Thejas and I discussed trying to do this by 
running existing {{FileSystem}} APIs inside a {{UserGroupInformation#doAs}} 
block.  Unfortunately, the permissions enforced by existing APIs do not match 
exactly with the requirements of Hive.  Also, this could have some unwanted 
side effects, particularly for checking write access.  This could unnecessarily 
hold the write lock and write to the journal.  Running an API like {{access}} 
inside a {{UserGroupInformation#doAs}} would suit Hive's requirements better.

> add api that enables checking if a user has certain permissions on a file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-6570
>                 URL: https://issues.apache.org/jira/browse/HDFS-6570
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Thejas M Nair
>            Assignee: Chris Nauroth
>
> For some of the authorization modes in Hive, the servers in Hive check if a 
> given user has permissions on a certain file or directory. For example, the 
> storage based authorization mode allows Hive table metadata to be modified 
> only when the user has access to the corresponding table directory on HDFS. 
> There are likely to be such use cases outside of Hive as well.
> HDFS does not provide an API for such checks. As a result, the logic to check 
> if a user has permissions on a directory gets replicated in Hive. This 
> results in duplicate logic and introduces possibilities for 
> inconsistencies in the interpretation of the permission model. This becomes a 
> bigger problem with the complexity of ACL logic.
> HDFS should provide an API that provides functionality that is similar to 
> the access function in unistd.h - http://linux.die.net/man/2/access .



--
This message was sent by Atlassian JIRA
(v6.2#6252)
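
The approach from the comment above, sketched as an added example that is not part of the original message or the Hadoop code base: an {{access}}-style check run inside {{UserGroupInformation#doAs}}. It assumes a Hadoop release that provides {{FileSystem#access(Path, FsAction)}} and a server principal that is configured as a proxy user; the class name, user name and path are hypothetical.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper for a server that authorizes requests on behalf of end users. */
public final class HdfsAccessCheck {

  /**
   * Returns true if endUser is granted action on path. The file system
   * evaluates the check, so permission bits and ACLs are interpreted in one
   * place instead of being re-implemented by the caller.
   */
  public static boolean isAllowed(final Configuration conf, String endUser,
      final Path path, final FsAction action) throws IOException, InterruptedException {
    // The server's login identity impersonates the end user. Assumption: the
    // cluster's hadoop.proxyuser.* settings allow this for the server principal.
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(
        endUser, UserGroupInformation.getLoginUser());
    return proxy.doAs(new PrivilegedExceptionAction<Boolean>() {
      @Override
      public Boolean run() throws IOException {
        // Obtain the FileSystem inside doAs so it is bound to the proxy user.
        FileSystem fs = path.getFileSystem(conf);
        try {
          fs.access(path, action); // checks permission without performing the operation
          return true;
        } catch (AccessControlException e) {
          return false;            // permission denied
        } catch (FileNotFoundException e) {
          return false;            // fail closed when the path does not exist
        }
      }
    });
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values: user "alice" and a table directory.
    Path tableDir = new Path("/user/hive/warehouse/sample_table");
    boolean ok = isAllowed(new Configuration(), "alice", tableDir, FsAction.WRITE);
    System.out.println("alice WRITE on " + tableDir + ": " + ok);
  }
}
```

The result is a point-in-time answer: permissions can change between the check and a later operation, so the operation itself must still be subject to enforcement.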
