[
https://issues.apache.org/jira/browse/SENTRY-531?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14217524#comment-14217524
]
Xiaomeng Huang edited comment on SENTRY-531 at 11/19/14 6:46 AM:
-----------------------------------------------------------------
Hi [~colinma] and [~prasadm],
This feature relates to column security, so I took some time to have a look.
It uses AuthorizingObjectStore (extends ObjectStore) to do metadata protection,
but we already have SentryHiveMetaStoreClient (extends HiveMetaStoreClient) to do
metadata protection.
The call to filter results is duplicated, e.g.
client.getDatabases => filterDatabases(store.getDatabases()), and
store.getDatabases => filterDatabases(super.getDatabases). The code of
filterDatabases in SentryHiveMetaStoreClient and AuthorizingObjectStore is
much the same, so I think it is not necessary for them to exist together.
SentryHiveMetaStoreClient filters at the client side, and AuthorizingObjectStore
filters at the server side. Which do you think is more available?
As far as I know, HIVE-8612 (client-side metadata protection) is committed to
Hive trunk, so I think we should use client-side protection and use
SentryHiveMetaStoreClient instead of AuthorizingObjectStore in Sentry.
> Add column authorization for metadata read protection
> -----------------------------------------------------
>
> Key: SENTRY-531
> URL: https://issues.apache.org/jira/browse/SENTRY-531
> Project: Sentry
> Issue Type: Improvement
> Reporter: Colin Ma
> Assignee: Colin Ma
> Attachments: SENTRY-531.v1.patch
>
>
> Based on [SENTRY-74|https://issues.apache.org/jira/browse/SENTRY-74], add
> a column-level check for metadata read protection.