We activated support for authentication in WebDAV, initially integrated into the jack/jackrabbit project. It uses Jetty's native mechanism to authenticate clients with HTTP Basic Authentication. The WebDAV server initiates a user name/password dialog on the client side. Once received, user credentials are stored in a plain text file on the server box (see the file ./conf/account_properties in the WebDAV demo server tarball).

The format of the credentials file is simple: one identity entry per line. Each line begins with the username, followed by a colon and the password (user:pass). The password can be stored in clear text, obfuscated or checksummed. If the password is not stored in clear text, the entry must carry the prefix of the method used, followed by the checksum itself. You can use the class org.mortbay.util.Password to generate all sorts of passwords. The password entry is usually followed by a comma, then a comma-separated list of user roles. This mechanism could easily be extended to use a centralized database. More information about authentication support in Jetty can be found at http://docs.codehaus.org/display/JETTY/JAAS .

We also implemented support for HDFS-side permissions in WebDAV (more details can be found at http://hadoop.apache.org/core/docs/r0.16.4/hdfs_permissions_guide.html). Once a client has authenticated successfully, our WebDAV server reads all of the client's roles from the credentials file. These roles are treated as the Unix groups the client belongs to. When the WebDAV server addresses any HDFS resource, it uses the client's user name and the client's roles to build the 'UnixUserGroupInformation' object internally, with which it then tries to access the HDFS resource. Our WebDAV client gets back the access attributes for the specified HDFS resource and uses these attributes to control any following access to the resource. Currently HDFS itself has no ability to check the correctness of the client identity provided to the Hadoop library (e.g. no means to identify a user by ssh public key), so WebDAV cannot guarantee the consistency of your data.

Here is the full list of user_name/password/roles to play with permissions using our demo server:
/user/admin  <dir> 2008-08-28 05:29 rwxr-x--- admin  supergroup
/user/demoa  <dir> 2008-08-28 07:11 rwxr-xr-x demoa  demogroup
/user/demob  <dir> 2008-08-28 05:29 rwxr-xr-x demob  demogroup
/user/democ  <dir> 2008-08-28 05:29 rwxrwxr-x democ  demogroup
/user/guest  <dir> 2008-08-28 05:29 rwxrwxrwx guest  supergroup
/user/hadoop <dir> 2008-08-28 05:36 rwxr-x--- hadoop supergroup
/user/root   <dir> 2008-07-28 08:54 rwxr-x--- root   supergroup

See how to configure permissions for your own WebDAV server here.
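As an added example (not code from the WebDAV server or from Jetty), here is a small parser and audit for the account_properties format described above: it reads user:password[,role,...] lines, recognizes the OBF:, MD5: and CRYPT: prefixes that Jetty's Password/Credential classes use, verifies clear and MD5 entries, and flags what a defender reviewing such a file would want to see: secrets stored in clear or merely obfuscated form, and roles that map a user into the HDFS superuser group. The sample file, its user names and secrets are constructed for the example; the assumption that "supergroup" is the HDFS superuser group follows Hadoop's default dfs.permissions.supergroup.

```python
import hashlib
from dataclasses import dataclass, field

# Prefixes Jetty's org.mortbay.util.Password / Credential use for non-clear-text entries.
OBF, MD5, CRYPT = "OBF:", "MD5:", "CRYPT:"
SUPERGROUP = "supergroup"  # assumed HDFS superuser group (Hadoop default dfs.permissions.supergroup)

@dataclass
class Account:
    user: str
    secret: str                                # password field exactly as stored in the file
    roles: list = field(default_factory=list)  # the server treats these as the user's Unix groups

    @property
    def method(self) -> str:
        for tag in (OBF, MD5, CRYPT):
            if self.secret.startswith(tag):
                return tag.rstrip(":")
        return "CLEAR"

def parse_accounts(text: str) -> dict:
    """Parse 'user:password[,role1,role2,...]' lines into {user: Account}; blank and # lines are skipped."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed entry (no colon): {line!r}")
        fields = [f.strip() for f in rest.split(",")]
        accounts[user.strip()] = Account(user.strip(), fields[0], [r for r in fields[1:] if r])
    return accounts

def check_password(acct: Account, candidate: str) -> bool:
    """Verify a candidate against CLEAR or MD5 entries (MD5 = lowercase hex digest, as Jetty writes it)."""
    if acct.method == "CLEAR":
        return acct.secret == candidate
    if acct.method == "MD5":
        return acct.secret[len(MD5):].lower() == hashlib.md5(candidate.encode("utf-8")).hexdigest()
    raise NotImplementedError(f"{acct.method} entries are not verified by this example")

def audit(accounts: dict) -> list:
    """Findings a reviewer would act on: weakly stored secrets and superuser-group mappings."""
    findings = []
    for a in accounts.values():
        if a.method in ("CLEAR", "OBF"):
            findings.append(f"{a.user}: password stored as {a.method} (OBF is reversible, not a hash)")
        if SUPERGROUP in a.roles:
            findings.append(f"{a.user}: role {SUPERGROUP} maps the user into the HDFS superuser group")
    return findings

# Constructed sample in the account_properties format; names, secrets and the OBF placeholder are illustrative.
SAMPLE = f"""# user:password[,role,...]
admin:MD5:{hashlib.md5(b'adminpw').hexdigest()},supergroup,webdav
demoa:OBF:<obfuscated-bytes-placeholder>,demogroup
guest:guestpw,demogroup
"""
```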