You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Sushanth Sowmyan (JIRA)" <ji...@apache.org> on 2013/10/08 00:01:45 UTC
[jira] [Updated] (HIVE-5479) SBAP restricts hcat -e 'show
databases'
[ https://issues.apache.org/jira/browse/HIVE-5479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sushanth Sowmyan updated HIVE-5479:
-----------------------------------
Attachment: HIVE-5479.patch
Attaching patch to make SBAP mimic the old HdfsAuthorizationProvider for user-level authorization
> SBAP restricts hcat -e 'show databases'
> ---------------------------------------
>
> Key: HIVE-5479
> URL: https://issues.apache.org/jira/browse/HIVE-5479
> Project: Hive
> Issue Type: Bug
> Components: Authorization, HCatalog
> Affects Versions: 0.12.0
> Reporter: Sushanth Sowmyan
> Assignee: Sushanth Sowmyan
> Attachments: HIVE-5479.patch
>
>
> During testing for 0.12, it was found that if someone tries to use the SBAP as a client-side authorization provider, and runs hcat -e "show databases;", SBAP denies permission to the user.
> Looking at SBAP code, why it does so is self-evident from this section:
> {code}
> @Override
> public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
> throws HiveException, AuthorizationException {
> // Currently not used in hive code-base, but intended to authorize actions
> // that are directly user-level. As there's no storage based aspect to this,
> // we can follow one of two routes:
> // a) We can allow by default - that way, this call stays out of the way
> // b) We can deny by default - that way, no privileges are authorized that
> // is not understood and explicitly allowed.
> // Both approaches have merit, but given that things like grants and revokes
> // that are user-level do not make sense from the context of storage-permission
> // based auth, denying seems to be more canonical here.
> throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName() +
> " does not allow user-level authorization");
> }
> {code}
> Thus, this deny-by-default behaviour affects the "show databases" call from hcat cli, which uses user-level privileges to determine if a user can perform that.
--
This message was sent by Atlassian JIRA
(v6.1#6144)