Posted to dev@hive.apache.org by "Lefty Leverenz (JIRA)" <ji...@apache.org> on 2014/11/11 03:31:34 UTC

[jira] [Commented] (HIVE-7209) allow metastore authorization api calls to be restricted to certain invokers

    [ https://issues.apache.org/jira/browse/HIVE-7209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14205841#comment-14205841 ] 

Lefty Leverenz commented on HIVE-7209:
--------------------------------------

Doc notes:  The description of *hive.security.metastore.authorization.manager* needs to be updated in the wiki (with version information, and keeping some extra information not found in HiveConf.java).

* [Configuration Properties -- hive.security.metastore.authorization.manager | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.security.metastore.authorization.manager]

Other than that, HIVE-7759 will add general documentation for this feature with a section in the SQL standard authorization doc about CLI behavior with SQL standard authorization turned on.

* [SQL Standard Based Hive Authorization | https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization]

> allow metastore authorization api calls to be restricted to certain invokers
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-7209
>                 URL: https://issues.apache.org/jira/browse/HIVE-7209
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication, Metastore
>            Reporter: Thejas M Nair
>            Assignee: Thejas M Nair
>              Labels: TODOC14
>             Fix For: 0.14.0
>
>         Attachments: HIVE-7209.1.patch, HIVE-7209.2.patch, HIVE-7209.3.patch, HIVE-7209.4.patch
>
>
> Any user who has direct access to metastore can make metastore api calls that modify the authorization policy. 
> The users who can make direct metastore api calls in a secure cluster configuration are usually the 'cluster insiders' such as Pig and MR users, who are not (securely) covered by the metastore based authorization policy. But it makes sense to disallow access from such users as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)