You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "Sai Hemanth Gantasala (Jira)" <ji...@apache.org> on 2021/01/29 19:54:00 UTC

[jira] [Updated] (HIVE-24705) Create/Alter/Drop tables based on storage handlers in HS2 should be authorized by Ranger/Sentry

     [ https://issues.apache.org/jira/browse/HIVE-24705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sai Hemanth Gantasala updated HIVE-24705:
-----------------------------------------
    Description: 
With doAs=false in Hive3.x, whenever a user is trying to create a table based on storage handlers on external storage for ex: HBase table, the end user we are seeing is hive so we cannot really enforce the condition in Apache Ranger/Sentry on the end-user. So, we need to enforce this condition in the hive in the event of create/alter/drop tables based on storage handlers.

Built-in hive storage handlers like HbaseStorageHandler, KafkaStorageHandler e.t.c should implement a method getURIForAuthentication() which returns a URI that is formed from table properties. This URI can be sent for authorization to 

> Create/Alter/Drop tables based on storage handlers in HS2 should be authorized by Ranger/Sentry
> -----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-24705
>                 URL: https://issues.apache.org/jira/browse/HIVE-24705
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>
> With doAs=false in Hive3.x, whenever a user is trying to create a table based on storage handlers on external storage for ex: HBase table, the end user we are seeing is hive so we cannot really enforce the condition in Apache Ranger/Sentry on the end-user. So, we need to enforce this condition in the hive in the event of create/alter/drop tables based on storage handlers.
> Built-in hive storage handlers like HbaseStorageHandler, KafkaStorageHandler e.t.c should implement a method getURIForAuthentication() which returns a URI that is formed from table properties. This URI can be sent for authorization to 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)