Versions Compared

Old Version 9

changes.mady.by.user Bhooshan Mogal

Saved on

compared with

New Version Current

changes.mady.by.user Bhooshan Mogal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

This page documents various scenarios for security use cases supported in 3.5. The scenarios below apply to the following combinations of security:

...

  1. Client --> Router HTTP: createNamespace(nsName, nsConfig)
  2. Router --> AppFabric HTTP: createNamespace(nsName, nsConfig, SecurityRequestContext.userId)
  3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. AppFabric --> Authorizer Thrift: grant(namespace, SecurityRequestContext.userId, ALL)
  5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
  6. DatasetServiceClient --> DatasetService HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
  7. DatasetService --> AuthEnforcerresult = filter(dataset, SecurityRequestContext.userId)        (info) This will always be non-empty, because of the system principal
  8. DatasetService --> DatasetServiceClient HTTP —> AppFabric: MDS
  9. AppFabric --> MDS: store(namespace)
  10. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, createNamespace(namespaceMeta))     (info) This will only check for access for custom mappings, but will create otherwise
  11. AppFabric —> AppFabric: !result ? revoke(namespace) && NamespaceCannotBeCreatedException 
  12. AppFabric --> Router --> Client HTTPresult

...

  1. Client --> Router HTTPdeleteNamespace(nsName)
  2. Router --> AppFabric HTTP: deleteNamespace(nsName, SecurityRequestContext.userId)
  3. AppFabric --> AuthEnforcer: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
  4. AppFabric --> Authorizer Thriftrevoke(namespace, SecurityRequestContext.userId, ALL)
  5. AppFabric --> DatasetServiceClient: getDataset(app.meta)
  6. DatasetServiceClient --> DatasetService HTTP: getDataset(app.meta, Header(CDAP-UserId=Principal.SYSTEM))
  7. DatasetService --> AuthEnforcer: result = filter(dataset, SecurityRequestContext.userId)        (info) This will always be non-empty, because of the system principal
  8. DatasetService --> DatasetServiceClient HTTP —> AppFabric: MDS
  9. AppFabric --> MDS: delete(namespace)
  10. AppFabric --> StorageProviderNsAdmin: result = doAs(nsName, delete(namespaceMeta))              (info) This will only check for access for custom mappings, but will delete otherwise
  11. AppFabric --> Authorizer Thriftrevoke(namespace, SecurityRequestContext.userId, ALL)
  12. AppFabric —> AppFabric: !result ? NamespaceCannotBeDeletedException 
  13. AppFabric --> Router --> Client HTTPresult

...

Create operations on datasets and streams can create tables in Hive if explore is enabled. Similarly, delete can drop and truncate tables.

Authorization Cache Updates

Scratch Pad

a) Authorization

...