  1. CDAP
  2. CDAP-1491 Documentation for Security features
  3. CDAP-6847

Document storage provider permissions requirements when cross namespace access is performed when impersonation is used

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.0
    • Component/s: Docs, Security

      Description

      When cross namespace access is not used, the permissions in HDFS and HBase are quite straightforward. For example, the namespace user should have full permissions on the HDFS namespace but no one else needs to have any permission on that (0700). And in HBase the user needs to have full access ('RWXCA') to the namespace but no one else needs to have permission on that. But when it comes to cross namespace access, the user in namespace2 is trying to access (read or write) streams/datasets in another namespace. So we need to document how the permissions on HDFS and HBase need to be relaxed now to allow such cross namespace access. From my initial testing, it looks like HBase requires 'RWXC' for the second user and for HDFS the permission needs to be 0755. More testing and documentation is required, especially since this needs to be performed by CDAP users manually until push down of permissions to storage providers is done by CDAP automatically.
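
The permission modes discussed in the description can be checked mechanically. The Python below is an added example, not part of the original issue or of CDAP: it models the HDFS owner/group/other check over `hdfs dfs -ls`-style lines and reports what a user from another namespace effectively gets. The user names, group names, paths and dates are constructed placeholders, and HDFS ACLs and the HDFS superuser are assumed not to be in play.

```python
# Added example: models HDFS's POSIX-style permission check (no ACLs, no superuser).
# Users, groups and paths below are constructed placeholders, not CDAP defaults.

def parse_ls_line(line):
    """Parse one `hdfs dfs -ls` line into (path, perm_string, owner, group)."""
    perms, _repl, owner, group, _size, _date, _time, path = line.split(None, 7)
    return path, perms[1:10], owner, group   # drop the leading type char ('d' or '-')

def effective_access(perm, owner, group, user, user_groups):
    """Return the rwx subset that applies to `user`: the first matching class wins."""
    if user == owner:
        triad = perm[0:3]
    elif group in user_groups:
        triad = perm[3:6]
    else:
        triad = perm[6:9]
    return "".join(c for c in triad if c != "-")

def audit(listing, user, user_groups):
    """Map each listed path to the access `user` effectively has on it."""
    result = {}
    for line in listing.strip().splitlines():
        path, perm, owner, group = parse_ls_line(line)
        result[path] = effective_access(perm, owner, group, user, user_groups)
    return result

def hbase_missing(granted, required="RWXC"):
    """HBase actions in `required` that `granted` lacks (R, W, X, C, A letters)."""
    return "".join(a for a in required if a not in granted)

# Constructed listing: ns1 locked down (0700), ns2 relaxed (0755).
LISTING = """
drwx------   - ns1user ns1group          0 2016-11-01 10:00 /example/namespaces/ns1
drwxr-xr-x   - ns2user ns2group          0 2016-11-01 10:00 /example/namespaces/ns2
"""

if __name__ == "__main__":
    # ns2user reaching into ns1 (0700) gets nothing; ns1user reaching into ns2
    # (0755) gets read + traverse but not write.
    print(audit(LISTING, "ns2user", {"ns2group"}))
    print(audit(LISTING, "ns1user", {"ns1group"}))
    print(hbase_missing("R"))   # actions still to be granted to reach 'RWXC'
```

Under mode 0755 a user who is neither the owner nor in the owning group gets read and traverse only, so the audit output is a quick way to confirm how far a directory has actually been opened.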

            People

            • Assignee:
              bhooshan Bhooshan Mogal
              Reporter:
              gokul Gokul Gunasekaran
