[
https://issues.apache.org/jira/browse/HIVE-1988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13016129#comment-13016129
]
[email protected] commented on HIVE-1988:
-----------------------------------------------------
bq. On 2011-04-05 07:52:15, Amareshwari Sriramadasu wrote:
bq. >
http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java,
line 152
bq. > <https://reviews.apache.org/r/528/diff/2/?file=14844#file14844line152>
bq. >
bq. > HadoopShims.isSecureShimImpl() is not called anywhere else. Shall we
remove it if not required anymore?
I suggest we leave it there. This seems like a useful method, and I am actually
using it in another patch.
bq. On 2011-04-05 07:52:15, Amareshwari Sriramadasu wrote:
bq. >
http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java,
lines 144-156
bq. > <https://reviews.apache.org/r/528/diff/2/?file=14850#file14850line144>
bq. >
bq. > Do you want to move this into setup(), as it is common in both
testcases?
Done
bq. On 2011-04-05 07:52:15, Amareshwari Sriramadasu wrote:
bq. >
http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java,
lines 192-209
bq. > <https://reviews.apache.org/r/528/diff/2/?file=14850#file14850line192>
bq. >
bq. > code looks duplicated. Can it be refactored by passing group names
to a method?
Done
- Devaraj
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/528/#review386
-----------------------------------------------------------
On 2011-03-29 10:26:38, Devaraj Das wrote:
bq.
bq. -----------------------------------------------------------
bq. This is an automatically generated e-mail. To reply, visit:
bq. https://reviews.apache.org/r/528/
bq. -----------------------------------------------------------
bq.
bq. (Updated 2011-03-29 10:26:38)
bq.
bq.
bq. Review request for hive.
bq.
bq.
bq. Summary
bq. -------
bq.
bq. Fixes to some security issues discussed in HIVE-1988
bq.
bq.
bq. This addresses bug HIVE-1988.
bq. https://issues.apache.org/jira/browse/HIVE-1988
bq.
bq.
bq. Diffs
bq. -----
bq.
bq.
http://svn.apache.org/repos/asf/hive/trunk/metastore/if/hive_metastore.thrift
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
1085623
bq.
http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
1085623
bq.
bq. Diff: https://reviews.apache.org/r/528/diff
bq.
bq.
bq. Testing
bq. -------
bq.
bq. New unit test added and that passes. All unit tests passed.
bq.
bq.
bq. Thanks,
bq.
bq. Devaraj
bq.
bq.
> Make the delegation token issued by the MetaStore owned by the right user
> -------------------------------------------------------------------------
>
> Key: HIVE-1988
> URL: https://issues.apache.org/jira/browse/HIVE-1988
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security, Server Infrastructure
> Affects Versions: 0.7.0
> Reporter: Devaraj Das
> Assignee: Devaraj Das
> Fix For: 0.8.0
>
> Attachments: hive-1988-3.patch, hive-1988.patch
>
>
> The 'owner' of any delegation token issued by the MetaStore is set to the
> requesting user. When a delegation token is asked by the user himself during
> a job submission, this is fine. However, in the case where the token is
> requested for by services (e.g., Oozie), on behalf of the user, the token's
> owner is set to the user the service is running as. Later on, when the token
> is used by a MapReduce task, the MetaStore treats the incoming request as
> coming from Oozie and does operations as Oozie. This means any new directory
> creations (e.g., create_table) on the hdfs by the MetaStore will end up with
> Oozie as the owner.
> Also, the MetaStore doesn't check whether a user asking for a token on behalf
> of some other user, is actually authorized to act on behalf of that other
> user. We should start using the ProxyUser authorization in the MetaStore
> (HADOOP-6510's APIs).
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
