Posted to commits@sentry.apache.org by "Xiaomeng Huang (JIRA)" <ji...@apache.org> on 2014/11/19 07:46:34 UTC
[jira] [Comment Edited] (SENTRY-531) Add column authorization for metadata read protection
[ https://issues.apache.org/jira/browse/SENTRY-531?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14217524#comment-14217524 ]
Xiaomeng Huang edited comment on SENTRY-531 at 11/19/14 6:46 AM:
-----------------------------------------------------------------
Hi [~colinma] and [~prasadm]
This feature refers to column security, so I took some time to have a look.
It uses AuthorizingObjectStore (extends ObjectStore) to do metadata protection, but we already have SentryHiveMetaStoreClient (extends HiveMetaStoreClient) to do metadata protection.
The call to filter results is duplicated, e.g. client.getDatabases => filterDatabases(store.getDatabases()), and store.getDatabases => filterDatabases(super.getDatabases). The code of filterDatabases in SentryHiveMetaStoreClient and AuthorizingObjectStore is much the same, so I think it is not necessary for them to exist together.
SentryHiveMetaStoreClient filters at the client side, and AuthorizingObjectStore filters at the server side. Which do you think is more available?
As far as I know, HIVE-8612 (client side metadata protection) is committed to hive trunk, so I think we should use client side protection and use SentryHiveMetaStoreClient instead of AuthorizingObjectStore in Sentry.
was (Author: huang xiaomeng):
Hi [~colinma] and [~prasadm]
This feature refers to column security, so I took some time to have a look.
It uses AuthorizingObjectStore (extends ObjectStore) to do metadata protection, but we already have SentryHiveMetaStoreClient (extends HiveMetaStoreClient) to do metadata protection.
The call to filter results is duplicated, e.g. client.getDatabases -> filterDatabases(store.getDatabases()), and store.getDatabases -> filterDatabases(super.getDatabases). The code of filterDatabases in SentryHiveMetaStoreClient and AuthorizingObjectStore is much the same, so I think it is not necessary for them to exist together.
SentryHiveMetaStoreClient filters at the client side, and AuthorizingObjectStore filters at the server side. Which do you think is more available?
As far as I know, HIVE-8612 (client side metadata protection) is committed to hive trunk, so I think we should use client side protection and use SentryHiveMetaStoreClient instead of AuthorizingObjectStore in Sentry.
> Add column authorization for metadata read protection
> -----------------------------------------------------
>
> Key: SENTRY-531
> URL: https://issues.apache.org/jira/browse/SENTRY-531
> Project: Sentry
> Issue Type: Improvement
> Reporter: Colin Ma
> Assignee: Colin Ma
> Attachments: SENTRY-531.v1.patch
>
>
> Based on [SENTRY-74|https://issues.apache.org/jira/browse/SENTRY-74], add column level check for metadata read protection.