Posted to dev@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2014/09/17 08:59:34 UTC

[jira] [Comment Edited] (HIVE-8045) SQL standard auth with cli - Errors and configuration issues

    [ https://issues.apache.org/jira/browse/HIVE-8045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14134579#comment-14134579 ] 

Thejas M Nair edited comment on HIVE-8045 at 9/17/14 6:59 AM:
--------------------------------------------------------------

bq. 1 Even if hive.security.authorization.enabled=false, authorization checks were happening for non sql statements as add/delete/dfs/compile, which results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.

CommandUtil.authorizeCommand(..) has been fixed to consider the value of hive.security.authorization.enabled. Added a new test case: authorization_cli_nonsql.q

bq. 2 Create table from hive-cli ended up calling metastore server api call (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.

Removed the getRoles call from authorization from SQLStdHiveAccessController constructor. It is already explicitly initialized before roles are used from other methods. Added test authorization_cli_createtab_noauthzapi.q to verify that no authorization api calls are being made for create table commands.

bq. 3 Some users prefer to enable authorization using hive-site.xml for hive-server2 (hive.security.authorization.enabled param). If this file is shared by hive-cli and hive-server2, SQL std authorizer throws an error because its use in hive-cli is not allowed.

Created SQLStdConfOnlyAuthorizerFactory that can be set in hive-cli; its authorization checkprivileges calls are no-op calls. The sql standard authorizer can be set for hiveserver2 using commandline or hiveserver2-site.xml. authorization_cli_stdconfigauth.q tests this.






was (Author: thejas):
bq. 1 Even if hive.security.authorization.enabled=false, authorization checks were happening for non sql statements as add/delete/dfs/compile, which results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.

CommandUtil.authorizeCommand(..) has been fixed to consider the value of hive.security.authorization.enabled. Added a new test case: authorization_cli_nonsql.q

bq. 2 Create table from hive-cli ended up calling metastore server api call (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.

Removed the getRoles call from authorization from SQLStdHiveAccessController constructor. It is already explicitly initialized before roles are used from other methods. Added test authorization_cli_createtab_noauthzapi.q to verify that no authorization api calls are being made for create table commands.

bq. 3 Some users prefer to enable authorization using hive-site.xml for hive-server2 (hive.security.authorization.enabled param). If this file is shared by hive-cli and hive-server2, SQL std authorizer throws an error because its use in hive-cli is not allowed.

Created SQLStdConfOnlyAuthorizerFactory that can be set in hive-cli; its authorization checkprivileges calls are no-op calls. The sql standard authorizer can be set for hiveserver2 using commandline or hiveserver2-site.xml.




> SQL standard auth with cli - Errors and configuration issues
> ------------------------------------------------------------
>
>                 Key: HIVE-8045
>                 URL: https://issues.apache.org/jira/browse/HIVE-8045
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Jagruti Varia
>            Assignee: Thejas M Nair
>
> HIVE-7533 enabled sql std authorization to be set in hive cli (without enabling authorization checks). This updates hive configuration so that create-table and create-views set permissions appropriately for the owner of the table.
> HIVE-7209 added a metastore authorization provider that can be used to restrict calls made to the authorization api, so that only HS2 can make those calls (when HS2 uses embedded metastore).
> Some issues were found with this.
> # Even if hive.security.authorization.enabled=false, authorization checks were happening for non sql statements as add/delete/dfs/compile, which results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Create table from hive-cli ended up calling metastore server api call (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Some users prefer to enable authorization using hive-site.xml for hive-server2 (hive.security.authorization.enabled param). If this file is shared by hive-cli and hive-server2, SQL std authorizer throws an error because its use in hive-cli is not allowed.
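
The shared-config problem in item 3 can be checked mechanically. The script below is an added example, not code from the Hive project or from this thread: it layers a constructed hive-site.xml and hiveserver2-site.xml and reports which authorizer hive-cli and HiveServer2 each end up with. Assumptions: the package name of the factories, the name SQLStdHiveAuthorizerFactory for the full SQL std authorizer, that HiveServer2 applies hiveserver2-site.xml on top of hive-site.xml, and the helper names `site`, `load` and `audit`.

```python
import xml.etree.ElementTree as ET

MANAGER = "hive.security.authorization.manager"
ENABLED = "hive.security.authorization.enabled"
# Assumed package of the two authorizer factories (not given in the thread).
PKG = "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd."

def site(manager, enabled="true"):
    """Build a constructed Hadoop-style *-site.xml holding the two properties."""
    props = {ENABLED: enabled, MANAGER: PKG + manager}
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

SHARED_BAD = site("SQLStdHiveAuthorizerFactory")       # item 3 in the issue
SHARED_GOOD = site("SQLStdConfOnlyAuthorizerFactory")  # safe to share with hive-cli
HS2_SITE = site("SQLStdHiveAuthorizerFactory")         # HiveServer2-only override
EMPTY = "<configuration/>"

def load(xml_text):
    """Parse <property><name/><value/></property> entries into a dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            conf[name] = (prop.findtext("value") or "").strip()
    return conf

def audit(hive_site, hs2_site):
    """Return findings for the effective hive-cli and HiveServer2 settings."""
    cli = load(hive_site)
    hs2 = {**cli, **load(hs2_site)}  # later file overrides the shared one
    simple = lambda conf: conf.get(MANAGER, "").rsplit(".", 1)[-1]
    findings = []
    if simple(cli) == "SQLStdHiveAuthorizerFactory":
        findings.append("hive-cli: shared hive-site.xml sets the SQL std "
                        "authorizer, which hive-cli rejects")
    if simple(hs2) == "SQLStdConfOnlyAuthorizerFactory":
        findings.append("hiveserver2: conf-only authorizer in effect, "
                        "privilege checks are no-ops")
    if hs2.get(ENABLED, "false").lower() != "true":
        findings.append("hiveserver2: authorization checks are disabled")
    return findings

if __name__ == "__main__":
    for label, shared, hs2 in [("shared file only", SHARED_BAD, EMPTY),
                               ("split config", SHARED_GOOD, HS2_SITE)]:
        print(label, "->", audit(shared, hs2) or "ok")
```

The second finding matters as much as the first: moving the shared file to the conf-only factory without also overriding it for HiveServer2 leaves the server with no privilege checks.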


