[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive

["Thejas M Nair (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393900#comment-14393900 ] 

Thejas M Nair commented on HIVE-10145:
--------------------------------------

After more thought, I feel it does not make sense to inherit the admin role users only in case when SQL Standard authorization is enabled, as that is just one of the possible authorization modes, that would be confusing. There is not much value I see in that added complexity. I will keep things simple and just let users set the AM level permissions using tez.am.*-acls properties.

Only DAG level access control will be set from HiveServer2. This is to ensure that end users running queries with doAs=false still have access to the DAG information for DAGs corresponding to their query.

Updating the proposal in description.


> set Tez ACLs appropriately in hive
> ----------------------------------
>
>                 Key: HIVE-10145
>                 URL: https://issues.apache.org/jira/browse/HIVE-10145
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Thejas M Nair
>
> Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users.
> Proposed Changes -
> Set session level tez ACL for a super user, to allow modify + view
> Set DAG level ACL for user running the query (the end user), to allow modify + view
> Determining the super user -
> Super user can be configured using using hive.tez.admin.user. This can be initialized by Authorization implementation (such as sql standard authorization) if it is not already set to a specific value. SQL standard authorization would initialize if it is unset to the sql standard admin user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)