Implement Authorizer #400
Assignees
Labels
release/2024-03
release-note/action-required
Denotes a PR that introduces potentially breaking changes that require user action.
release-note
Denotes a PR that will be considered when it comes time to generate release notes.
Comments
1 task
sbernauer
moved this from Refinement: In Progress
to Development: In Progress
in Stackable Engineering
|
I just looked at the Group Mapper and just wanted to give a heads-up that I'd like Java projects to follow the example of the Druid Authorizer in terms of code style and setup etc. (I haven't looked at your code yet) I can help if needed. |
|
Alright 👍 |
This was referenced Feb 9, 2024
sbernauer
moved this from Development: In Progress
to Development: Done
in Stackable Engineering
sbernauer
added
release-note
lfrancke
moved this from Development: Done
to Acceptance: In Progress
in Stackable Engineering
|
Please link to documentation here |
lfrancke
added
the
release-note/action-required
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In order to allow authorizing HDFS access requests with OPA, we need to implement a component to run inside of HDFS and forward requests to OPA, this is a principle very similar to the ones we currently use in Kafka, Druid and which is being merged in upstream Trino as well.
There is some code at https://github.com/stackabletech/hdfs-opa-authorizer where I have played around a bit, but none of this should be taken as gospel, if it seems weird then that is because it is weird and wasn't thought through!
The authorizer should implement HDFS' internal authorizer interface, serialize the relevant information from the context and forward it to a configurable OPA server.
Configuration could either be done via the HDFS config mechanism or in a first stage via environment variables.
Tasks
The text was updated successfully, but these errors were encountered: