[ https://issues.apache.org/jira/browse/HIVE-1988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13015794#comment-13015794 ]
jirapos...@reviews.apache.org commented on HIVE-1988:
-----------------------------------------------------

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/528/#review386
-----------------------------------------------------------

http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
<https://reviews.apache.org/r/528/#comment734>

HadoopShims.isSecureShimImpl() is not called anywhere else. Shall we remove it if not required anymore?

http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
<https://reviews.apache.org/r/528/#comment735>

Do you want to move this into setup(), as it is common in both testcases?

http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
<https://reviews.apache.org/r/528/#comment736>

Code looks duplicated. Can it be refactored by passing group names to a method?

- Amareshwari

On 2011-03-29 10:26:38, Devaraj Das wrote:
bq.
bq. -----------------------------------------------------------
bq. This is an automatically generated e-mail. To reply, visit:
bq. https://reviews.apache.org/r/528/
bq. -----------------------------------------------------------
bq.
bq. (Updated 2011-03-29 10:26:38)
bq.
bq. Review request for hive.
bq.
bq. Summary
bq. -------
bq.
bq. Fixes to some security issues discussed in HIVE-1988
bq.
bq. This addresses bug HIVE-1988.
bq. https://issues.apache.org/jira/browse/HIVE-1988
bq.
bq. Diffs
bq. -----
bq.
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/if/hive_metastore.thrift 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java 1085623
bq.
bq. Diff: https://reviews.apache.org/r/528/diff
bq.
bq. Testing
bq. -------
bq.
bq. New unit test added and that passes. All unit tests passed.
bq.
bq. Thanks,
bq.
bq. Devaraj
bq.

> Make the delegation token issued by the MetaStore owned by the right user
> -------------------------------------------------------------------------
>
> Key: HIVE-1988
> URL: https://issues.apache.org/jira/browse/HIVE-1988
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security, Server Infrastructure
> Affects Versions: 0.7.0
> Reporter: Devaraj Das
> Assignee: Devaraj Das
> Fix For: 0.8.0
>
> Attachments: hive-1988-3.patch, hive-1988.patch
>
>
> The 'owner' of any delegation token issued by the MetaStore is set to the
> requesting user. When a delegation token is asked by the user himself during
> a job submission, this is fine. However, in the case where the token is
> requested for by services (e.g., Oozie), on behalf of the user, the token's
> owner is set to the user the service is running as. Later on, when the token
> is used by a MapReduce task, the MetaStore treats the incoming request as
> coming from Oozie and does operations as Oozie. This means any new directory
> creations (e.g., create_table) on the hdfs by the MetaStore will end up with
> Oozie as the owner.
> Also, the MetaStore doesn't check whether a user asking for a token on behalf
> of some other user, is actually authorized to act on behalf of that other
> user. We should start using the ProxyUser authorization in the MetaStore
> (HADOOP-6510's APIs).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
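
The token-ownership problem and the proxy-user check described in the issue, as a small Python model added here (it is not Hive or Hadoop code and not part of the original message). The function names, users, groups and host are constructed for illustration; only the `hadoop.proxyuser.<service>.groups` and `.hosts` key names follow Hadoop's proxy-user configuration.

```python
from dataclasses import dataclass

# Constructed sample configuration, keyed the way Hadoop names proxy-user rules.
PROXY_CONF = {
    "hadoop.proxyuser.oozie.groups": "etl,analysts",
    "hadoop.proxyuser.oozie.hosts": "10.0.0.5",
}
# Constructed group membership for the sample end users.
USER_GROUPS = {"alice": {"etl"}, "bob": {"finance"}}


@dataclass(frozen=True)
class Token:
    owner: str      # identity the MetaStore acts as when the token is presented
    real_user: str  # authenticated caller that requested the token


def authorize_proxy(real_user, target_user, remote_host, conf=PROXY_CONF):
    """Raise PermissionError unless real_user may act as target_user from remote_host."""
    groups = conf.get(f"hadoop.proxyuser.{real_user}.groups", "")
    hosts = conf.get(f"hadoop.proxyuser.{real_user}.hosts", "")
    allowed_groups = {g.strip() for g in groups.split(",") if g.strip()}
    allowed_hosts = {h.strip() for h in hosts.split(",") if h.strip()}
    group_ok = "*" in allowed_groups or bool(
        allowed_groups & USER_GROUPS.get(target_user, set()))
    host_ok = "*" in allowed_hosts or remote_host in allowed_hosts
    if not (group_ok and host_ok):
        raise PermissionError(
            f"{real_user} may not impersonate {target_user} from {remote_host}")


def issue_token_before(caller, on_behalf_of):
    """Behaviour the issue reports: owner is the requester, no impersonation check."""
    return Token(owner=caller, real_user=caller)


def issue_token_after(caller, on_behalf_of, remote_host):
    """Intended behaviour: check the proxy rule, then make the end user the owner."""
    if caller != on_behalf_of:
        authorize_proxy(caller, on_behalf_of, remote_host)
    return Token(owner=on_behalf_of, real_user=caller)
```

In this model a token requested by `oozie` for `alice` is owned by `oozie` under the old behaviour, so later operations run as the service; with the check in place the owner is `alice`, and a service with no matching rule is refused.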