Posted to user@hive.apache.org by Maria <li...@126.com> on 2016/08/18 07:41:52 UTC

why need set hive.server2.enable.doAs=false in SQL-Standard Based Authorization

Hi, all:
  I have a few questions about Hive authentication and authorization:

(1) Why do we need to set hive.server2.enable.doAs=false in SQL-Standard Based Authorization?

(2) When hive.server2.enable.doAs=false is set in SQL-Standard Based Authorization and beeline is used to connect to HS2,
the queries are run as the service user id of HiveServer2. How to make it use the user who is in the current Kerberos ticket cache?
(Because if "hive.server2.enable.doAs=false" and the Hive URI is like this: "jdbc:hive2://cdh1:10000/default;principal=hive/cdh1@JAVACHEN.COM",
the Kerberos ticket cache will not work.)

(3) Do Hive 1.2.1 and later versions still have the grant/revoke BUG? I found someone said
that a user needs to imply administrator privilege by implementing AbstractSemanticAnalyzerHook if
he wants to let only the administrator own the grant/revoke privilege. But I also found a parameter,
"hive.users.in.admin.role"; does this param make up for this deficiency?

(4) Must I start up the Hive metastore service when using SQL Standards Based Hive Authorization in conjunction
with storage based authorization? (https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization) And
if the two are combined, must "hive.server2.enable.doAs" be set to false?

(5) Can someone please give me a tip on this class: BitSetCheckAuthorizationProvider? Can I
set "hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.BitSetCheckAuthorizationProvider"? What
are the differences between BitSetCheckAuthorizationProvider and SQLStdHiveAuthorizerFactory?


I have been confused by these questions for a long time. I am eager to get your guidance.

Any reply will be much appreciated.
And thank you again.




Re:Re: why need set hive.server2.enable.doAs=false in SQL-Standard Based Authorization

Posted by Maria <li...@126.com>.
Thank you so much, Sushanth.
I GOT IT ( :) )



At 2016-08-20 07:24:10, "Sushanth Sowmyan" <kh...@gmail.com> wrote:

Re: why need set hive.server2.enable.doAs=false in SQL-Standard Based Authorization

Posted by Sushanth Sowmyan <kh...@gmail.com>.
One more addition to what Thejas mentioned -
BitSetCheckAuthorizationProvider was the old legacy method of
authorization in hive that was replaced in use-intent by
SQLStandardAuthorization. I think we should look to deprecating and
removing that now.

In general, if you want conventional db-like grant/revoke style
authorization, you should go with SQLStandardAuth, and if you want
file-system-permission-based, you should look at
StorageBasedAuthorizationProvider.

On Fri, Aug 19, 2016 at 10:58 AM, Thejas Nair <th...@gmail.com> wrote:

Re: why need set hive.server2.enable.doAs=false in SQL-Standard Based Authorization

Posted by Thejas Nair <th...@gmail.com>.
1 - If it is set to true, you need to manage permissions in two places for
users, using grant/revoke on tables, and file system permissions as well,
and keep them in sync. That will be a headache.
Moreover, the main intent for SQL std auth is to be able to provide fine
grained access control using views (access to only certain columns/rows).
To allow users to change file system permissions, you need to allow them
access to the file system, which means you can't do fine grained access control.

2. The principal specified in the connect string is to indicate what the
service principal is; it is not the principal of the user who is
connecting. You can kinit as any user.
The doAs setting does not affect authentication.

3. The grant/revoke not having any privilege requirements was an issue in
the old default legacy auth. It is not an issue in SQL std auth.
hive.users.in.admin.role is used to set the list of admin users.


4. You can use SQL auth with storage based if you have certain users who
access the metastore without going through HS2, for example hive cli users.



On Thu, Aug 18, 2016 at 12:41 AM, Maria <li...@126.com> wrote:

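The settings Thejas's answer ties together (doAs off, SQL standard auth on, admin users listed, storage based auth on the metastore for clients that bypass HS2) can be checked mechanically. The following lint is an added example, not code from the Hive project or from anyone in this thread; the hive-site.xml it reads is a constructed sample, while the property names and class names are real Hive keys.

```python
# Added example (not from the Hive project or the thread's authors): a small lint that
# reads a hive-site.xml and flags the HS2 settings Thejas's answer says must agree.
# The XML below is a constructed sample; the property names are real Hive keys.
import xml.etree.ElementTree as ET

SQLSTD_FACTORY = ("org.apache.hadoop.hive.ql.security.authorization."
                  "plugin.sqlstd.SQLStdHiveAuthorizerFactory")
STORAGE_BASED = ("org.apache.hadoop.hive.ql.security.authorization."
                 "StorageBasedAuthorizationProvider")

def parse_hive_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> file."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def lint_authz(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if props.get("hive.security.authorization.manager", "") == SQLSTD_FACTORY:
        if props.get("hive.security.authorization.enabled", "false").lower() != "true":
            findings.append("hive.security.authorization.enabled is not true: no checks run")
        # Hive defaults doAs to true; SQL std auth needs HS2 to run queries as the hive user
        if props.get("hive.server2.enable.doAs", "true").lower() != "false":
            findings.append("hive.server2.enable.doAs is not false: permissions must also "
                            "be managed on the file system and view-level control is lost")
        if not props.get("hive.users.in.admin.role"):
            findings.append("hive.users.in.admin.role is empty: no one can take the ADMIN role")
    if props.get("hive.security.metastore.authorization.manager") != STORAGE_BASED:
        findings.append("metastore has no StorageBasedAuthorizationProvider: clients that "
                        "bypass HS2 (hive cli) are not checked")
    return findings

# Constructed sample: SQL std auth enabled, but doAs left at true and no admin users listed.
SAMPLE_HIVE_SITE = f"""<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>{SQLSTD_FACTORY}</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.security.metastore.authorization.manager</name><value>{STORAGE_BASED}</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in lint_authz(parse_hive_site(SAMPLE_HIVE_SITE)):
        print("WARN:", finding)
```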