Posted to hdfs-dev@hadoop.apache.org by "Erik.fang (JIRA)" <ji...@apache.org> on 2013/08/22 09:06:51 UTC

[jira] [Created] (HDFS-5126) implement authorized HDFS user impersonation

Erik.fang created HDFS-5126:
-------------------------------

             Summary: implement authorized HDFS user impersonation
                 Key: HDFS-5126
                 URL: https://issues.apache.org/jira/browse/HDFS-5126
             Project: Hadoop HDFS
          Issue Type: New Feature
          Components: security
            Reporter: Erik.fang
            Priority: Minor


I propose an authorized user impersonation mechanism for fine-grained (path-level) access control in HDFS.
In short, the owner of the data encrypts the path with a shared secret, and other users use the encrypted path to call the namenode service (create/read/delete file). The namenode decrypts the path to validate the access and, if it is valid, executes the operation as the owner of the data. It consists of:
1. an ACLFileSystem that extends DistributedFileSystem, which wraps the create/open/delete/etc. RPC calls and sends the encrypted path to the namenode
2. an authenticator (embedded in the namenode), which decrypts the path and executes the call as the owner of the data

With authorized user impersonation, we can develop an authorization manager to check whether a path-level access is permitted.
A detailed explanation can be found on the mailing list:
http://mail-archives.apache.org/mod_mbox/hive-dev/201308.mbox/%3CCACkoVCxm+=44kB_4eWtepHe_knkdm0Uzyh=0q-vfybYU8eLQxw@mail.gmail.com%3E


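
The token exchange described in the message, as an added example that is not part of the original post or of Hadoop's code. It assumes AES-GCM as the cipher, a newline-separated owner/path payload, and the hypothetical names `PathToken`, `seal` and `open`, none of which the proposal specifies. Authenticated encryption is used so that the namenode side rejects a modified token instead of decrypting it to some other path.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical sketch: PathToken, seal() and open() are illustrative names, not Hadoop APIs.
public class PathToken {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Owner side: bind the owner name and the path together under the shared secret.
    static String seal(SecretKey key, String owner, String path) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);               // fresh IV for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal((owner + "\n" + path).getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);   // token = IV || ciphertext+tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Namenode side: returns {owner, path}; throws if the token was not made with this key.
    static String[] open(SecretKey key, String token) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        if (in.length < IV_LEN + TAG_BITS / 8) throw new SecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);   // verifies the tag
        return new String(pt, StandardCharsets.UTF_8).split("\n", 2);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey shared = kg.generateKey();            // constructed demo key
        String token = seal(shared, "alice", "/warehouse/sales/part-0000"); // constructed values
        String[] grant = open(shared, token);
        System.out.println("run as " + grant[0] + " on " + grant[1]);
        // Change the first character of the token: authenticated decryption must reject it.
        String forged = (token.charAt(0) == 'A' ? 'B' : 'A') + token.substring(1);
        try { open(shared, forged); System.out.println("forged token accepted"); }
        catch (AEADBadTagException e) { System.out.println("forged token rejected"); }
    }
}
```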