You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2013/08/02 04:19:48 UTC
[jira] [Updated] (HIVE-4984) hive metastore should not re-use
hadoop proxy configuration
[ https://issues.apache.org/jira/browse/HIVE-4984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thejas M Nair updated HIVE-4984:
--------------------------------
Component/s: Security
> hive metastore should not re-use hadoop proxy configuration
> -----------------------------------------------------------
>
> Key: HIVE-4984
> URL: https://issues.apache.org/jira/browse/HIVE-4984
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security
> Affects Versions: 0.12.0
> Reporter: Thejas M Nair
>
> Hive metastore supports proxyuser/doas functionality like hadoop [1].
> Metastore allows anybody who has proxyuser privileges in core-site.xml, to be a metastore proxy user.
> This is a bad from a security perspective, because when a user is made proxy user for hadoop, it gets automatic privilege as proxy user for metastore as well.
> The more secure approach is to use metastore specific config parameters, like what oozie does. [2]
> [1] http://hadoop.apache.org/docs/stable/Secure_Impersonation.html
> [2] http://oozie.apache.org/docs/3.2.0-incubating/AG_Install.html#User_ProxyUser_Configuration
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira