Posted to hcatalog-commits@incubator.apache.org by kh...@apache.org on 2012/08/30 11:19:14 UTC

svn commit: r1378888 - in /incubator/hcatalog/trunk: CHANGES.txt src/docs/src/documentation/content/xdocs/authorization.xml

Author: khorgath
Date: Thu Aug 30 11:19:14 2012
New Revision: 1378888

URL: http://svn.apache.org/viewvc?rev=1378888&view=rev
Log:
HCATALOG-485 Document that storage-based security ignores GRANT/REVOKE statements (lefty via khorgath)

Modified:
    incubator/hcatalog/trunk/CHANGES.txt
    incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml

Modified: incubator/hcatalog/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/incubator/hcatalog/trunk/CHANGES.txt?rev=1378888&r1=1378887&r2=1378888&view=diff
==============================================================================
--- incubator/hcatalog/trunk/CHANGES.txt (original)
+++ incubator/hcatalog/trunk/CHANGES.txt Thu Aug 30 11:19:14 2012
@@ -38,6 +38,8 @@ Trunk (unreleased changes)
   HCAT-427 Document storage-based authorization (lefty via gates)
 
   IMPROVEMENTS
+  HCAT-485 Document that storage-based security ignores GRANT/REVOKE statements (lefty via khorgath)
+
   HCAT-442 Documentation needs update for using HCatalog with pig (lefty via gates)
 
   HCAT-482 Document -libjars from HDFS for HCat with MapReduce (lefty via gates)
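Review bot: the added CHANGES.txt line uses the key HCAT-485, while the commit log for this revision writes HCATALOG-485. The neighbouring entries all use the HCAT- prefix, so the file is internally consistent, but a search for the key as written in the log will miss this entry; use one spelling in both places.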

Modified: incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml
URL: http://svn.apache.org/viewvc/incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml?rev=1378888&r1=1378887&r2=1378888&view=diff
==============================================================================
--- incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml (original)
+++ incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml Thu Aug 30 11:19:14 2012
@@ -28,7 +28,7 @@
   <section>
   <title>Default Authorization Model of Hive</title>
   
-<p>The default authorization model of Hive supports a traditional RDBMS style of authorization based on users, groups and roles and granting them permissions to do operations on database or table. It is descibed in more detail in <a href="http://wiki.apache.org/hadoop/Hive/LanguageManual+Authorization">https://cwiki.apache.org/Hive/languagemanual-auth.html</a>.</p>
+<p>The default authorization model of Hive supports a traditional RDBMS style of authorization based on users, groups and roles and granting them permissions to do operations on database or table. It is described in more detail in <a href="http://wiki.apache.org/hadoop/Hive/LanguageManual+Authorization">Hive Authorization</a>.</p>
 
 <p>This RDBMS style of authorization is not very suitable for the typical use cases in Hadoop because of the following differences in implementation:</p>
 
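Review bot: in the replaced `<p>`, only the link text changes; the href still points to http://wiki.apache.org/hadoop/Hive/LanguageManual+Authorization, whereas the text being removed displayed a cwiki.apache.org address. Confirm which of the two is the maintained page and set the href to it, so the link from this security documentation does not land on a stale copy.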
@@ -66,6 +66,11 @@
 <p>Details of HDFS permissions are given here: 
 <a href="http://hadoop.apache.org/common/docs/r1.0.2/hdfs_permissions_guide.html">HDFS Permissions Guide</a>.</p>
 
+  <!-- ============================================= -->
+
+  <section>
+  <title>Minimum Permissions</title>
+
 <p>The following table shows the <strong>minimum</strong> permissions required for Hive operations under this authorization model:</p>
 <p>&nbsp;</p>
 
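Review bot: the `<section>` opened here for "Minimum Permissions" has no closing tag within this hunk. It relies on the existing `</section>` after the table to close it, and on the second `</section>` added in the next hunk to close the enclosing section. Validate the XML after applying, since a miscount would nest every later section under this one.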
@@ -147,6 +152,18 @@
 
   </section>
 
+  <!-- ============================================= -->
+
+  <section>
+  <title>Unused DDL for Permissions</title>
+
+<p>DDL statements that manage permissions for Hive's default authorization model do not have any effect on permissions in the storage-based model.</p>
+
+<p>All GRANT and REVOKE statements for users, groups, and roles are ignored. See the <a href="authorization.html#Known+Issues">Known Issues</a> section below.</p>
+
+  </section>
+  </section>
+
   <!-- ==================================================================== -->
 
   <section>
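Review bot: the new "Unused DDL for Permissions" section says GRANT and REVOKE are ignored but leaves the fact that they return no error to the Known Issues list. That is the part an administrator needs at this point: a REVOKE that completes without error under storage-based authorization leaves access unchanged. Suggest adding that sentence here and stating that access is controlled through the HDFS permissions described earlier in the section. The link could also be the same-page fragment `#Known+Issues` rather than `authorization.html#Known+Issues`.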
@@ -201,6 +218,7 @@
   <li>The current implementation of Hive performs the authorization checks in the client. This means that malicious users can circumvent these checks.</li>
   <li>A different authorization provider (StorageDelegationAuthorizationProvider) needs to be used for working with HBase tables as well. But that is not well tested.</li>
   <li>Partition files and directories added by a Hive query don’t inherit permissions from the table. This means that even if you grant permissions for a group to access a table, new partitions will have read permissions only for the owner, if the default umask for the cluster is configured as such. See <a href="https://issues.apache.org/jira/browse/HIVE-3094">https://issues.apache.org/jira/browse/HIVE-3094</a>. A separate "<code>hdfs chmod</code>" command will be necessary to modify the permissions.</li>
+  <li>Although DDL statements for managing permissions have no effect in storage-based authorization, currently they do not return error messages. See <a href="https://issues.apache.org/jira/browse/HIVE-3010">https://issues.apache.org/jira/browse/HIVE-3010</a>.</li>
 </ol>
 
   </section>
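Review bot: "currently" in the added `<li>` has no reference point and will go stale. Tie it to the issue instead, for example "until HIVE-3010 is resolved, they do not return error messages", and say that the statements appear to succeed, which is the reason this counts as a known issue.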