Implement Authorizer #400
Assignees
Labels
changelog/crd-change
Any issue that changes a CRD (breaking and non-breaking changes) should get this label
changelog/highlight
Items worth mentioning in the Platform changelog
release/2024-03
Comments
1 task
|
I just looked at the Group Mapper and just wanted to give a heads-up that I'd like Java projects to follow the example of the Druid Authorizer in terms of code style and setup etc. (I haven't looked at your code yet) I can help if needed. |
|
Alright 👍 |
This was referenced Feb 9, 2024
sbernauer
added
changelog/highlight
|
Please link to documentation here |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In order to allow authorizing HDFS access requests with OPA, we need to implement a component to run inside of HDFS and forward requests to OPA, this is a principle very similar to the ones we currently use in Kafka, Druid and which is being merged in upstream Trino as well.
There is some code at https://github.com/stackabletech/hdfs-opa-authorizer where I have played around a bit, but none of this should be taken as gospel, if it seems weird then that is because it is weird and wasn't thought through!
The authorizer should implement HDFS' internal authorizer interface, serialize the relevant information from the context and forward it to a configurable OPA server.
Configuration could either be done via the HDFS config mechanism or in a first stage via environment variables.
Tasks
The text was updated successfully, but these errors were encountered: