You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/08/11 05:29:45 UTC
[jira] [Commented] (SENTRY-498) Sentry authorization V2 via Hive
authorization framework
[ https://issues.apache.org/jira/browse/SENTRY-498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14681173#comment-14681173 ]
Hadoop QA commented on SENTRY-498:
----------------------------------
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12749750/SENTRY-498.004-hive_plugin_v2.patch against hive_plugin_v2.
{color:red}Overall:{color} -1 due to an error
{color:red}ERROR:{color} failed to apply patch (exit code 1):
The patch does not appear to apply with p0, p1, or p2
Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/771/console
This message is automatically generated.
> Sentry authorization V2 via Hive authorization framework
> --------------------------------------------------------
>
> Key: SENTRY-498
> URL: https://issues.apache.org/jira/browse/SENTRY-498
> Project: Sentry
> Issue Type: New Feature
> Reporter: Xiaomeng Huang
> Assignee: Dapeng Sun
> Labels: roadmap
> Attachments: SENTRY-498.003.patch, SENTRY-498.004-hive_plugin_v2.patch
>
>
> Currently Sentry grant/revoke privileges via hook DDLTask, and do authorization via HiveSemanticAnalyzerHook. Now hive has a pluggable authorization framework via exposing some interfaces HiveAccessController and HiveAuthorizationValidator. HiveAccessController is used to grant/revoke roles and privileges. HiveAuthorizationValidator is used to do fine-grained authorization.
> Advantages to use this framework to grant/revoke privileges and do authorization:
> - This framework is very convenient to use by external authorization system.
> - Using this framework will be better accepted by community.
> - We don't need to take efforts to add so many hooks.
> - Some hooks has limitations. e.g. For column level security, we can't get accessed cloumns from query via HiveSemanticAnalyzerHook, so I extend the readEntity to put accessed columns into it(HIVE-7730). But if we use this framework, we don't need to extend the readEntity, we can just get accessed columns from ColumnAccessInfo directly.
> I will not remove the old sentry authorization framework, I will just add a new authorizationV2 via implement Hive authorization framework. If all the e2e tests passed, we can mark the old authorization deprecated.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)