Posted to dev@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2013/08/02 04:19:48 UTC

[jira] [Created] (HIVE-4984) hive metastore should not re-use hadoop proxy configuration

Thejas M Nair created HIVE-4984:
-----------------------------------

             Summary: hive metastore should not re-use hadoop proxy configuration
                 Key: HIVE-4984
                 URL: https://issues.apache.org/jira/browse/HIVE-4984
             Project: Hive
          Issue Type: Bug
          Components: Metastore
    Affects Versions: 0.12.0
            Reporter: Thejas M Nair


Hive metastore supports proxyuser/doas functionality like hadoop [1].
Metastore allows anybody who has proxyuser privileges in core-site.xml to be a metastore proxy user.

This is bad from a security perspective, because when a user is made a proxy user for hadoop, it gets automatic privilege as proxy user for metastore as well.

The more secure approach is to use metastore-specific config parameters, like what oozie does. [2]

[1] http://hadoop.apache.org/docs/stable/Secure_Impersonation.html
[2] http://oozie.apache.org/docs/3.2.0-incubating/AG_Install.html#User_ProxyUser_Configuration


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
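
An added example, not part of the original JIRA message or of Hive's code: a Python audit of core-site.xml that lists every principal holding Hadoop proxyuser privileges (each of which the metastore described above would also accept as a proxy user) and flags wildcard entries. The sample configuration, the principal names and the `intended` allowlist are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml; principals and hosts are made up.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>oozie1.example.com</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>etl</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com:8020</value></property>
</configuration>"""

# Hadoop impersonation keys: hadoop.proxyuser.<user>.hosts / .groups
PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.(?P<user>.+)\.(?P<kind>hosts|groups)$")

def hadoop_proxy_users(xml_text):
    """Return {principal: {"hosts": [...], "groups": [...]}} from core-site.xml text."""
    users = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        m = PROXY_KEY.match((prop.findtext("name") or "").strip())
        if not m:
            continue
        values = [v.strip() for v in (prop.findtext("value") or "").split(",") if v.strip()]
        users.setdefault(m["user"], {"hosts": [], "groups": []})[m["kind"]] = values
    return users

def audit_metastore_exposure(xml_text, intended):
    """Report principals the metastore would accept as proxy users only because
    Hadoop does, and any principal whose hosts or groups entry is a wildcard."""
    findings = []
    for user, acl in sorted(hadoop_proxy_users(xml_text).items()):
        if user not in intended:
            findings.append((user, "unintended metastore proxy user"))
        for kind in ("hosts", "groups"):
            if "*" in acl[kind]:
                findings.append((user, f"wildcard {kind}"))
    return findings

if __name__ == "__main__":
    # Assumption: only oozie is meant to impersonate users against the metastore.
    for user, issue in audit_metastore_exposure(CORE_SITE, intended={"oozie"}):
        print(f"{user}: {issue}")
```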