Posted to dev@hive.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2010/09/22 09:34:35 UTC

[jira] Commented: (HIVE-842) Authentication Infrastructure for Hive

    [ https://issues.apache.org/jira/browse/HIVE-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12913439#action_12913439 ] 

Todd Lipcon commented on HIVE-842:
----------------------------------

As discussed at the last contributor meeting, I am working on authenticating access to the metastore by kerberizing the Thrift interface.

Plan is currently:
1) Update the version of Thrift in Hive to 0.4.0
2) Temporarily check in the SASL support from Thrift trunk (this will be in 0.5.0 release, due out in October some time)
3) Build a bridge between Thrift's SASL support and Hadoop's UserGroupInformation classes. Thus, if a user has a current UGI on the client side, it will get propagated to the JAAS context on the handler side.
4) In places where the metastore accesses the file system, use the "proxy user" functionality to act on behalf of the authenticated user.
5) When we detect that we are running on secure Hadoop with security enabled, enable the above functionality.

I'd like to attack the Hive Web UI separately.

One open question:
- Do Hive *tasks* ever need to authenticate to the metastore? If so, we will have to build a delegation token system into Hive.

> Authentication Infrastructure for Hive
> --------------------------------------
>
>                 Key: HIVE-842
>                 URL: https://issues.apache.org/jira/browse/HIVE-842
>             Project: Hadoop Hive
>          Issue Type: New Feature
>          Components: Server Infrastructure
>            Reporter: Edward Capriolo
>            Assignee: Todd Lipcon
>         Attachments: HiveSecurityThoughts.pdf
>
>
> This issue deals with the authentication (user name, password) infrastructure, not the authorization components that specify what a user should be able to do.
