You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2013/08/02 04:19:48 UTC
[jira] [Created] (HIVE-4984) hive metastore should not re-use
hadoop proxy configuration
Thejas M Nair created HIVE-4984:
-----------------------------------
Summary: hive metastore should not re-use hadoop proxy configuration
Key: HIVE-4984
URL: https://issues.apache.org/jira/browse/HIVE-4984
Project: Hive
Issue Type: Bug
Components: Metastore
Affects Versions: 0.12.0
Reporter: Thejas M Nair
Hive metastore supports proxyuser/doas functionality like hadoop [1].
Metastore allows anybody who has proxyuser privileges in core-site.xml, to be a metastore proxy user.
This is a bad from a security perspective, because when a user is made proxy user for hadoop, it gets automatic privilege as proxy user for metastore as well.
The more secure approach is to use metastore specific config parameters, like what oozie does. [2]
[1] http://hadoop.apache.org/docs/stable/Secure_Impersonation.html
[2] http://oozie.apache.org/docs/3.2.0-incubating/AG_Install.html#User_ProxyUser_Configuration
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira