Posted to hcatalog-commits@incubator.apache.org by kh...@apache.org on 2012/08/30 11:19:14 UTC
svn commit: r1378888 - in /incubator/hcatalog/trunk: CHANGES.txt
src/docs/src/documentation/content/xdocs/authorization.xml
Author: khorgath
Date: Thu Aug 30 11:19:14 2012
New Revision: 1378888
URL: http://svn.apache.org/viewvc?rev=1378888&view=rev
Log:
HCATALOG-485 Document that storage-based security ignores GRANT/REVOKE statements (lefty via khorgath)
Modified:
incubator/hcatalog/trunk/CHANGES.txt
incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml
Modified: incubator/hcatalog/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/incubator/hcatalog/trunk/CHANGES.txt?rev=1378888&r1=1378887&r2=1378888&view=diff
==============================================================================
--- incubator/hcatalog/trunk/CHANGES.txt (original)
+++ incubator/hcatalog/trunk/CHANGES.txt Thu Aug 30 11:19:14 2012
@@ -38,6 +38,8 @@ Trunk (unreleased changes)
HCAT-427 Document storage-based authorization (lefty via gates)
IMPROVEMENTS
+ HCAT-485 Document that storage-based security ignores GRANT/REVOKE statements (lefty via khorgath)
+
HCAT-442 Documentation needs update for using HCatalog with pig (lefty via gates)
HCAT-482 Document -libjars from HDFS for HCat with MapReduce (lefty via gates)
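Review bot: The added CHANGES.txt entry uses the key HCAT-485, while the log message for this revision says HCATALOG-485. The neighbouring entries all use the HCAT- prefix, so the entry matches the file, but anyone searching CHANGES.txt for the key given in the log will not find it. Use one form in both places.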
Modified: incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml
URL: http://svn.apache.org/viewvc/incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml?rev=1378888&r1=1378887&r2=1378888&view=diff
==============================================================================
--- incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml (original)
+++ incubator/hcatalog/trunk/src/docs/src/documentation/content/xdocs/authorization.xml Thu Aug 30 11:19:14 2012
@@ -28,7 +28,7 @@
<section>
<title>Default Authorization Model of Hive</title>
-<p>The default authorization model of Hive supports a traditional RDBMS style of authorization based on users, groups and roles and granting them permissions to do operations on database or table. It is descibed in more detail in <a href="http://wiki.apache.org/hadoop/Hive/LanguageManual+Authorization">https://cwiki.apache.org/Hive/languagemanual-auth.html</a>.</p>
+<p>The default authorization model of Hive supports a traditional RDBMS style of authorization based on users, groups and roles and granting them permissions to do operations on database or table. It is described in more detail in <a href="http://wiki.apache.org/hadoop/Hive/LanguageManual+Authorization">Hive Authorization</a>.</p>
<p>This RDBMS style of authorization is not very suitable for the typical use cases in Hadoop because of the following differences in implementation:</p>
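Review bot: In the changed paragraph the link text becomes "Hive Authorization", but the href still points at http://wiki.apache.org/hadoop/Hive/LanguageManual+Authorization, whereas the text being removed showed a cwiki.apache.org address. With the visible URL gone, readers can no longer spot that mismatch, so confirm which location is current and update the href in the same change.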
@@ -66,6 +66,11 @@
<p>Details of HDFS permissions are given here:
<a href="http://hadoop.apache.org/common/docs/r1.0.2/hdfs_permissions_guide.html">HDFS Permissions Guide</a>.</p>
+ <!-- ============================================= -->
+
+ <section>
+ <title>Minimum Permissions</title>
+
<p>The following table shows the <strong>minimum</strong> permissions required for Hive operations under this authorization model:</p>
<p> </p>
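Review bot: The section opened here for "Minimum Permissions" has no closing tag in this hunk. The only added closing tag without an added opener is the final </section> of the next hunk, after "Unused DDL for Permissions". Check which of the two closers there ends this section, so the new DDL section does not end up under the wrong parent. A short comment on each closing tag would make the nesting reviewable.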
@@ -147,6 +152,18 @@
</section>
+ <!-- ============================================= -->
+
+ <section>
+ <title>Unused DDL for Permissions</title>
+
+<p>DDL statements that manage permissions for Hive's default authorization model do not have any effect on permissions in the storage-based model.</p>
+
+<p>All GRANT and REVOKE statements for users, groups, and roles are ignored. See the <a href="authorization.html#Known+Issues">Known Issues</a> section below.</p>
+
+ </section>
+ </section>
+
<!-- ==================================================================== -->
<section>
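Review bot: The sentence "All GRANT and REVOKE statements for users, groups, and roles are ignored" does not say that the statements still complete without an error. That is only stated in the Known Issues item added later in this patch. An administrator who issues a REVOKE and sees no error may assume access was removed, so state here that the statements are accepted silently and that access is governed by the HDFS permissions described in this section. The same-page link could also be written as #Known+Issues rather than authorization.html#Known+Issues.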
@@ -201,6 +218,7 @@
<li>The current implementation of Hive performs the authorization checks in the client. This means that malicious users can circumvent these checks.</li>
<li>A different authorization provider (StorageDelegationAuthorizationProvider) needs to be used for working with HBase tables as well. But that is not well tested.</li>
<li>Partition files and directories added by a Hive query donât inherit permissions from the table. This means that even if you grant permissions for a group to access a table, new partitions will have read permissions only for the owner, if the default umask for the cluster is configured as such. See <a href="https://issues.apache.org/jira/browse/HIVE-3094">https://issues.apache.org/jira/browse/HIVE-3094</a>. A separate "<code>hdfs chmod</code>" command will be necessary to modify the permissions.</li>
+ <li>Although DDL statements for managing permissions have no effect in storage-based authorization, currently they do not return error messages. See <a href="https://issues.apache.org/jira/browse/HIVE-3010">https://issues.apache.org/jira/browse/HIVE-3010</a>.</li>
</ol>
</section>
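Review bot: In the new list item, "currently they do not return error messages" names no release, so the statement cannot be checked against a given installation. Name the release, or say that it holds until HIVE-3010 is resolved. The item would also be more useful if it said what to do instead, as the preceding item does with its "hdfs chmod" remark.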