[jira] [Commented] (HIVE-5400) Allow admins to disable compile and other commands

["Lefty Leverenz (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/HIVE-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13822159#comment-13822159 ] 

Lefty Leverenz commented on HIVE-5400:
--------------------------------------

Got it, thanks [~thejas].  I'll add hive.security.command.whitelist to the Configuration Properties doc in the [Authentication/Authorization|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-Authentication%2FAuthorization] section.

Does it belong in the subsection "Hive Client Security" or does it also apply to metastore security (in which case it could have a new subsection, perhaps at the beginning of Authentication/Authorization)?

> Allow admins to disable compile and other commands
> --------------------------------------------------
>
>                 Key: HIVE-5400
>                 URL: https://issues.apache.org/jira/browse/HIVE-5400
>             Project: Hive
>          Issue Type: Sub-task
>            Reporter: Brock Noland
>            Assignee: Brock Noland
>             Fix For: 0.13.0
>
>         Attachments: HIVE-5400.patch, HIVE-5400.patch, HIVE-5400.patch
>
>
> From here: https://issues.apache.org/jira/browse/HIVE-5253?focusedCommentId=13782220&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13782220
>  I think we should afford admins who want to disable this functionality the ability to do so. Since such admins might want to disable other commands such as add or dfs, it wouldn't be much trouble to allow them to do this as well. For example we could have a configuration option "hive.available.commands" (or similar) which specified add,set,delete,reset, etc by default. Then check this value in CommandProcessorFactory. It would probably make sense to add this property to the restrict list.



--
This message was sent by Atlassian JIRA
(v6.1#6144)