Posted to dev@sentry.apache.org by Mohammad Islam <mi...@yahoo.com.INVALID> on 2016/08/10 17:22:37 UTC

HS2 doAs setting to false

Hi,
I was reading HS2 integration doc and found we needed to turn off hive.server2.enable.doAs.

My questions are :
1. What is the impact, or what HS2 feature will we lose? In other words, can't we submit a query to HS2 from another service as the end user?
2. Why this restriction?

Btw, this is my second question to the Sentry mailing list. These two questions are critical for me to decide about Sentry adoption at Uber. Can someone please help on this?

Regards,
Mohammad

Re: HS2 doAs setting to false

Posted by Mohammad Islam <mi...@yahoo.com.INVALID>.
Thanks Jim for your answer. In that case, the MR jobs for the Hive query will run as what user? The Hive system user ("hive") or the end user?
Regards,
Mohammad

On Thursday, August 11, 2016 3:48 AM, Jim Halfpenny <jh...@cloudera.com> wrote:

 Hi Mohammad,
Sentry is built around the model that the Hive system user owns the data
files. When you run a SQL query Hive checks you have permission to access
the data and gets the results for you using its own identity. If you have
impersonation enabled (hive.server2.enable.doAs=true) then your user would
need to have access to the underlying data files and could circumvent the
access controls by reading straight from HDFS.

You will still be able to run Hive queries as an end user, but it is Hive
that will actually be reading the data files from HDFS. If you think about
it like a relational database, the database user owns the files and regular
users submit queries to it.

Regards,
Jim


Re: HS2 doAs setting to false

Posted by Jim Halfpenny <jh...@cloudera.com>.
Hi Mohammad,
Sentry is built around the model that the Hive system user owns the data
files. When you run a SQL query Hive checks you have permission to access
the data and gets the results for you using its own identity. If you have
impersonation enabled (hive.server2.enable.doAs=true) then your user would
need to have access to the underlying data files and could circumvent the
access controls by reading straight from HDFS.

You will still be able to run Hive queries as an end user, but it is Hive
that will actually be reading the data files from HDFS. If you think about
it like a relational database, the database user owns the files and regular
users submit queries to it.

Regards,
Jim

On Wed, Aug 10, 2016 at 6:22 PM, Mohammad Islam <mi...@yahoo.com.invalid>
wrote:

> Hi,
> I was reading HS2 integration doc and found we needed to turn
> off hive.server2.enable.doAs.
>
> My questions are :
> 1. What is the impact, or what HS2 feature will we lose? In other words,
> can't we submit a query to HS2 from another service as the end user?
> 2. Why this restriction?
>
> Btw, this is my second question to the Sentry mailing list. These two
> questions are critical for me to decide about Sentry adoption at Uber. Can
> someone please help on this?
>
> Regards,
> Mohammad
-- 
*Jim Halfpenny*
Solutions Architect

*M*   +44 (0) 7793 826085  | jhalfpenny@cloudera.com
Cloudera Inc. | www.cloudera.com
Celebrating a decade of community accomplishments
cloudera.com/hadoop10
#hadoop10
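The model Jim describes above rests on two things an operator can check: hive.server2.enable.doAs is off in hive-site.xml, and the warehouse directories in HDFS are owned by the Hive system user and not readable by other users (otherwise a user can read the files directly and skip Sentry). The script below is an added example, not code from the thread or from the Sentry project; the hive-site.xml fragment and the `hdfs dfs -ls` listing it audits are constructed inline, and the default owner name `hive` and the warehouse path are assumptions.

```python
"""Audit the HS2/Sentry prerequisites discussed in the thread:
1. hive.server2.enable.doAs must be false in hive-site.xml;
2. warehouse directories must be owned by the Hive system user and
   not readable by 'other'.
The hive-site.xml and the `hdfs dfs -ls` output below are constructed
sample input for this example."""
import re
import xml.etree.ElementTree as ET

DOAS = "hive.server2.enable.doAs"

# Constructed hive-site.xml showing the weak setting (impersonation on).
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.metastore.warehouse.dir</name>
    <value>/user/hive/warehouse</value>
  </property>
</configuration>
"""

# Constructed `hdfs dfs -ls /user/hive/warehouse` output.
SAMPLE_LS = """\
Found 4 items
drwxrwx--x   - hive  hive       0 2016-08-10 17:22 /user/hive/warehouse/sales.db
drwxr-xr-x   - hive  hive       0 2016-08-10 17:22 /user/hive/warehouse/hr.db
drwxrwxrwx   - alice alice      0 2016-08-10 17:22 /user/hive/warehouse/scratch.db
drwxrwx---+  - hive  hive       0 2016-08-10 17:22 /user/hive/warehouse/finance.db
"""


def hive_site_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def doas_is_disabled(xml_text):
    """True only when impersonation is explicitly off; Hive defaults it to on."""
    return hive_site_properties(xml_text).get(DOAS, "true").lower() == "false"


def set_doas_false(xml_text):
    """Return hive-site.xml with impersonation off, adding the property if absent."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if (prop.findtext("name") or "").strip() == DOAS:
            value = prop.find("value")
            if value is None:
                value = ET.SubElement(prop, "value")
            value.text = "false"
            break
    else:
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = DOAS
        ET.SubElement(prop, "value").text = "false"
    return ET.tostring(root, encoding="unicode")


# type, mode bits, optional ACL marker '+', replication, owner, group, size, date, time, path
LS_LINE = re.compile(
    r"^([d-])([rwx-]{9})(\+?)\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$"
)


def warehouse_findings(ls_text, hive_user="hive"):
    """Flag entries that would let a user read table data without going through Hive."""
    findings = []
    for line in ls_text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skips "Found N items" and anything else that is not an entry
        _ftype, mode, acl, owner, _group, path = m.groups()
        if owner != hive_user:
            findings.append((path, f"owned by {owner}, not {hive_user}"))
        if "r" in mode[6:]:  # 'other' bits: any cluster user can read the files
            findings.append((path, "world-readable"))
        if acl:  # POSIX bits say nothing about extra ACL grants; inspect separately
            findings.append((path, "has HDFS ACL entries; review with hdfs dfs -getfacl"))
    return findings


if __name__ == "__main__":
    print("doAs disabled:", doas_is_disabled(SAMPLE_HIVE_SITE))
    print("doAs disabled after fix:", doas_is_disabled(set_doas_false(SAMPLE_HIVE_SITE)))
    for path, issue in warehouse_findings(SAMPLE_LS):
        print(f"{path}: {issue}")
```

On a real cluster, feed the script the deployed hive-site.xml and the output of `hdfs dfs -ls` on the warehouse root; the ACL check only flags the `+` marker, so directories it reports still need `hdfs dfs -getfacl` to see who the extra entries grant access to.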