[ https://issues.apache.org/jira/browse/HIVE-1988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13016128#comment-13016128 ]
jirapos...@reviews.apache.org commented on HIVE-1988:
-----------------------------------------------------

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/528/
-----------------------------------------------------------

(Updated 2011-04-05 21:24:34.129643)

Review request for hive.

Changes
-------

Addressed Amareshwari's comments.

Summary
-------

Fixes to some security issues discussed in HIVE-1988

This addresses bug HIVE-1988.
    https://issues.apache.org/jira/browse/HIVE-1988

Diffs (updated)
-----

  http://svn.apache.org/repos/asf/hive/trunk/metastore/if/hive_metastore.thrift 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.h 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.cpp 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore_server.skeleton.cpp 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ThriftHiveMetastore.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-php/hive_metastore/ThriftHiveMetastore.php 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 1089155
  http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java 1089155

Diff: https://reviews.apache.org/r/528/diff

Testing
-------

New unit test added and that passes. All unit tests passed.

Thanks,

Devaraj

> Make the delegation token issued by the MetaStore owned by the right user
> -------------------------------------------------------------------------
>
>                 Key: HIVE-1988
>                 URL: https://issues.apache.org/jira/browse/HIVE-1988
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore, Security, Server Infrastructure
>    Affects Versions: 0.7.0
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.8.0
>
>         Attachments: hive-1988-3.patch, hive-1988.patch
>
>
> The 'owner' of any delegation token issued by the MetaStore is set to the
> requesting user. When a delegation token is asked by the user himself during
> a job submission, this is fine. However, in the case where the token is
> requested for by services (e.g., Oozie), on behalf of the user, the token's
> owner is set to the user the service is running as. Later on, when the token
> is used by a MapReduce task, the MetaStore treats the incoming request as
> coming from Oozie and does operations as Oozie. This means any new directory
> creations (e.g., create_table) on the hdfs by the MetaStore will end up with
> Oozie as the owner.
> Also, the MetaStore doesn't check whether a user asking for a token on behalf
> of some other user, is actually authorized to act on behalf of that other
> user. We should start using the ProxyUser authorization in the MetaStore
> (HADOOP-6510's APIs).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
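The two defects in the quoted issue description (token owner set to the requesting service, and no check that the service may act for the user) can be seen side by side in a small model. This is an added example, not code from the HIVE-1988 patch or from Hive or Hadoop; the class, the rule table, and the user, group and host values are all constructed, and the group-and-host policy is a simplified stand-in for Hadoop's proxy-user authorization.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the issue; uses no Hive or Hadoop classes. All names and data are constructed.
public class TokenOwnerModel {
    // owner: identity the MetaStore acts as when the token is presented.
    // realUser: the authenticated service that requested it (null if self-requested).
    record Token(String owner, String realUser) {}
    // Which groups a service may impersonate, and from which hosts.
    record ProxyRule(Set<String> groups, Set<String> hosts) {}

    static final Map<String, ProxyRule> RULES =
        Map.of("oozie", new ProxyRule(Set.of("analysts"), Set.of("10.0.0.5")));
    static final Map<String, Set<String>> USER_GROUPS =
        Map.of("alice", Set.of("analysts"), "carol", Set.of("admins"));

    // Reported behaviour: the owner is always the authenticated caller, with no authorization.
    static Token issueBefore(String caller, String onBehalfOf, String host) {
        return new Token(caller, null);
    }

    // Intended behaviour: authorize the impersonation, then make the end user the owner.
    static Token issueAfter(String caller, String onBehalfOf, String host) {
        if (onBehalfOf == null || onBehalfOf.equals(caller)) {
            return new Token(caller, null);
        }
        ProxyRule rule = RULES.get(caller);
        Set<String> groups = USER_GROUPS.getOrDefault(onBehalfOf, Set.of());
        boolean ok = rule != null && rule.hosts().contains(host)
            && groups.stream().anyMatch(rule.groups()::contains);
        if (!ok) {
            throw new SecurityException(caller + "@" + host + " may not impersonate " + onBehalfOf);
        }
        return new Token(onBehalfOf, caller);
    }

    public static void main(String[] args) {
        // Directories created when the token is used are owned by token.owner().
        System.out.println("before: " + issueBefore("oozie", "alice", "10.0.0.5"));
        System.out.println("after:  " + issueAfter("oozie", "alice", "10.0.0.5"));
        for (String[] c : new String[][] {{"oozie", "carol", "10.0.0.5"}, {"oozie", "alice", "10.9.9.9"}}) {
            try {
                issueAfter(c[0], c[1], c[2]);
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```

Keeping the requesting service in `realUser` preserves an audit trail of who obtained the token even though operations run as the owner.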