Posted to common-dev@hadoop.apache.org by "Tsz Wo (Nicholas), SZE (JIRA)" <ji...@apache.org> on 2007/07/26 20:14:04 UTC

[jira] Issue Comment Edited: (HADOOP-1298) adding user info to file

    [ https://issues.apache.org/jira/browse/HADOOP-1298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515477 ] 

Tsz Wo (Nicholas), SZE edited comment on HADOOP-1298 at 7/26/07 11:12 AM:
--------------------------------------------------------------------------

This issue has been around for a long time.  The main reason is that the previous patches involve too many components in the system.  I suggest making a simple core patch, which adds user (will work on "group" and "other" later) information to HDFS for preventing accidental file access.  We also should keep in mind that the framework should be extensible and pluggable.

- Extensible: possible to extend the framework to the other parts (e.g. map-reduce) of Hadoop.

- Pluggable: can easily switch security implementations.  Below is a diagram borrowed from Java.

!http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!

- Implement a Hadoop authentication center (HAC).  In the first step, the mechanism of HAC is very simple: it keeps track of a list of usernames (we only support users, will work on other principals later) in HAC and verifies the username at user login (yeah, no password).  HAC is running inside NameNode but should be easily run as a standalone server (we will probably replace it with Kerberos later).

- NameNode keeps track of file permissions and enforces access control.

layout20070725.patch is a class layout for Hadoop principals and permissions.


 was:
This issue has been around for a long time.  The main reason is that the previous patches involve too many components in the system.  I suggest making a simple core patch, which adds user (will work on "group" and "other" later) information to HDFS for preventing accidental file access.  We also should keep in mind that the framework should be extensible and pluggable.

- Extensible: possible to extend the framework to the other parts (e.g. map-reduce) of Hadoop.

- Pluggable: can easily switch security implementations.  Below is a diagram borrowed from Java.

!http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!

- Implement a Hadoop authentication center (HAC).  In the first step, the mechanism of HAC is very simple: we keep track of a list of usernames (we only support users, will work on other principals later) in HAC and verify it at user login (yeah, no password).  HAC is running inside NameNode but should be easily run as a standalone server (we will probably replace it with Kerberos later).

- NameNode keeps track of file permissions and enforces access control.

layout20070725.patch is a class layout for Hadoop principals and permissions.

> adding user info to file
> ------------------------
>
>                 Key: HADOOP-1298
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1298
>             Project: Hadoop
>          Issue Type: New Feature
>          Components: dfs, fs
>            Reporter: Kurtis Heimerl
>             Fix For: 0.15.0
>
>         Attachments: fsdirectory-cleanup-20070725-1351.patch, hadoop-dev-20070720-1633.patch.gz, hadoop-dev-20070724-0020.patch.gz, hadoop-dev-20070724-2349.patch.gz, hadoop-user-munncha.patch, hadoop-user-munncha.patch, hadoop-user-munncha.patch, hadoop-user-munncha.patch10, hadoop-user-munncha.patch11, hadoop-user-munncha.patch12, hadoop-user-munncha.patch13, hadoop-user-munncha.patch14, hadoop-user-munncha.patch15, hadoop-user-munncha.patch16, hadoop-user-munncha.patch17, hadoop-user-munncha.patch4, hadoop-user-munncha.patch5, hadoop-user-munncha.patch6, hadoop-user-munncha.patch7, hadoop-user-munncha.patch8, hadoop-user-munncha.patch9, hdfs-access-control.patch.gz, layout20070725.patch
>
>
> I'm working on adding a permissions model to hadoop's DFS. The first step is this change, which associates user info with files. Following this I'll associate permissions info, then block methods based on that user info, then authorization of the user info.
> So, right now I've implemented adding user info to files. I'm looking for feedback before I clean this up and make it official.
> I wasn't sure what release, I'm working off trunk.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
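
The design proposed in the comment above, as an added example that is not part of the original message or of layout20070725.patch: a pluggable authenticator whose first implementation is a plain username list, and a NameNode-side owner check built on it. All type names, method names and sample users here are hypothetical.

```java
import java.util.*;

// Added illustration; every name below is hypothetical, not taken from the Hadoop patches.
public class HacSketch {
    /** Pluggable piece: swap the implementation (e.g. for Kerberos) without touching the NameNode. */
    interface Authenticator {
        Optional<String> login(String username); // the authenticated principal, if any
    }

    /** First-step HAC as described: a list of known usernames, no password. */
    static final class UserListAuthenticator implements Authenticator {
        private final Set<String> users;
        UserListAuthenticator(Collection<String> users) { this.users = new HashSet<>(users); }
        public Optional<String> login(String username) {
            return users.contains(username) ? Optional.of(username) : Optional.empty();
        }
    }

    /** NameNode side: records the owner of each path and enforces owner-only access. */
    static final class NameNodeSketch {
        private final Authenticator hac;
        private final Map<String, String> ownerByPath = new HashMap<>();
        NameNodeSketch(Authenticator hac) { this.hac = hac; }

        void create(String username, String path) {
            String user = hac.login(username)
                    .orElseThrow(() -> new SecurityException("unknown user: " + username));
            if (ownerByPath.putIfAbsent(path, user) != null) {
                throw new IllegalStateException("already exists: " + path);
            }
        }

        boolean canAccess(String username, String path) {
            // Deny by default: an unknown user or an unknown path both fail.
            Optional<String> user = hac.login(username);
            return user.isPresent() && user.get().equals(ownerByPath.get(path));
        }
    }

    public static void main(String[] args) {
        // Constructed sample users and path.
        NameNodeSketch nn = new NameNodeSketch(new UserListAuthenticator(List.of("alice", "bob")));
        nn.create("alice", "/user/alice/data");
        System.out.println("owner:   " + nn.canAccess("alice", "/user/alice/data"));
        System.out.println("other:   " + nn.canAccess("bob", "/user/alice/data"));
        System.out.println("unknown: " + nn.canAccess("carol", "/user/alice/data"));
        // The username is self-asserted, so this guards against accidental access only,
        // which is the stated goal until the authenticator is replaced by a real one.
    }
}
```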