Implement Authorizer #400
Labels
changelog/crd-change
changelog/highlight
release/2024-03
In order to allow authorizing HDFS access requests with OPA, we need to implement a component to run inside of HDFS and forward requests to OPA. This is a principle very similar to the ones we currently use in Kafka and Druid, and which is being merged in upstream Trino as well.
There is some code at https://github.com/stackabletech/hdfs-opa-authorizer where I have played around a bit, but none of this should be taken as gospel; if it seems weird, then that is because it is weird and wasn't thought through!
The authorizer should implement HDFS' internal authorizer interface, serialize the relevant information from the context and forward it to a configurable OPA server.
Configuration could either be done via the HDFS config mechanism or in a first stage via environment variables.
Tasks
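The forwarding step described in the issue, as an added example that is not taken from the issue or from the hdfs-opa-authorizer repository: it serializes a request into the `{"input": ...}` body of OPA's Data API and denies whenever OPA does not return a clear allow. The `AccessRequest` record, the `OPA_POLICY_URL` variable and the `hdfs/allow` policy path are assumptions; a real authorizer would take these fields from HDFS' authorizer interface and parse the response with a JSON library.

```java
import java.net.URI;
import java.net.http.*;
import java.time.Duration;
import java.util.regex.Pattern;

public class OpaForwarder {
    // Hypothetical stand-in for the fields taken from the HDFS authorization context.
    record AccessRequest(String user, String path, String operation) {}

    // Simplification: accepts only a top-level boolean decision, {"result": true}.
    private static final Pattern ALLOW = Pattern.compile("^\\s*\\{\\s*\"result\"\\s*:\\s*true\\b");
    private final HttpClient http =
        HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
    private final URI policyUri;

    OpaForwarder(String policyUrl) { this.policyUri = URI.create(policyUrl); }

    // User names and paths are caller-controlled, so escape them before embedding in JSON.
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }

    static String toOpaInput(AccessRequest r) {
        return "{\"input\":{\"user\":" + quote(r.user()) + ",\"path\":" + quote(r.path())
            + ",\"operation\":" + quote(r.operation()) + "}}";
    }

    // Fail closed: non-200 status, undefined result, timeout or I/O error all deny.
    boolean isAllowed(AccessRequest r) {
        HttpRequest req = HttpRequest.newBuilder(policyUri).timeout(Duration.ofSeconds(2))
            .header("Content-Type", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(toOpaInput(r))).build();
        try {
            HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
            return resp.statusCode() == 200 && ALLOW.matcher(resp.body()).find();
        } catch (Exception e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return false;
        }
    }

    public static void main(String[] args) {
        // OPA_POLICY_URL and the default policy path are assumed names for this example.
        String url = System.getenv().getOrDefault("OPA_POLICY_URL", "http://localhost:8181/v1/data/hdfs/allow");
        AccessRequest sample = new AccessRequest("alice", "/data/\"reports\"", "READ"); // constructed input
        System.out.println(toOpaInput(sample));
        System.out.println("allowed=" + new OpaForwarder(url).isAllowed(sample));
    }
}
```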