[ https://issues.apache.org/jira/browse/HIVE-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235003#comment-13235003 ]
Ashutosh Chauhan commented on HIVE-2809:
----------------------------------------

@Enis, The patch is huge and it has three different issues smashed together. If broken apart into the following three issues it will be easier for reviewing and better tracking:
a) Adding DB as read and write entity for auth checks.
b) Improving semantics for adding checks for add partition and others.
c) Adding HDFSAuthProvider as an alternative.

> StorageHandler authorization providers
> --------------------------------------
>
>                 Key: HIVE-2809
>                 URL: https://issues.apache.org/jira/browse/HIVE-2809
>             Project: Hive
>          Issue Type: New Feature
>    Affects Versions: 0.9.0
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
>         Attachments: HIVE-2809.D1953.1.patch, HIVE-2809.D1953.2.patch, HIVE-2809.D1953.3.patch, HIVE-2809.D1953.4.patch, HIVE-2809.D1953.5.patch
>
>
> In this issue, we would like to discuss the possibility of supplementing the Hive authorization model with authorization at the storage level. As discussed in HIVE-1943, Hive should also check for operation permissions in hdfs and hbase, since otherwise, data and metadata can be in an inconsistent state or be orphaned. Going a step further, some of the setups might not need the full featured auth model by Hive, but want to rely on managing the permissions at the data layer. In this model, the metadata operations are checked first from hdfs/hbase and they are allowed only if they are allowed at the data layer. The semantics are documented at https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design.
> So, the goals of this issue are:
> - Port storage handler specific authorization providers, and the StorageDelegationAuthorizationProvider from HCATALOG-245 and HCATALOG-260 to Hive.
> - Keep Hive's current default authorization provider, and enable the user to use this and/or the storage one. Auth providers are already configurable.
> - Move the manual checks that had to be performed about authorization in Hcat to Hive, specifically:
> -- CREATE DATABASE/TABLE, ADD PARTITION statements do not call HiveAuthorizationProvider.authorize() with the candidate objects, which means that we cannot do checks against the defined LOCATION.
> -- HiveOperation does not define sufficient Privileges for most of the operations, especially database operations.
> -- For some of the operations, Hive SemanticAnalyzer does not add the changed object as a WriteEntity or ReadEntity.
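The storage-delegated check that the quoted issue description proposes, namely that a metadata operation such as CREATE TABLE or ADD PARTITION is permitted only if the same user would be permitted to perform the equivalent action on the data layer (including a check against the defined LOCATION), as an added simulation that is not Hive's code and not from the HIVE-2809 patch. The directory layout, the users and the mapping from operations to required permission bits are constructed and assumed here; the mapping follows the spirit of the HCat security design but is simplified.

```python
"""Simulation of storage-delegated authorization for Hive metadata operations.
Added example, not Hive's or the HIVE-2809 patch's code. Filesystem, users and
the operation-to-permission mapping are constructed/assumed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# POSIX permission bits, evaluated the way HDFS evaluates them (owner/group/other)
R, W, X = 4, 2, 1


@dataclass
class DirEntry:
    owner: str
    group: str
    mode: int  # e.g. 0o750


@dataclass
class User:
    name: str
    groups: List[str] = field(default_factory=list)


def has_perm(entry: DirEntry, user: User, want: int) -> bool:
    """Select the owner, group or other bits for this user and require all of `want`."""
    if user.name == entry.owner:
        bits = (entry.mode >> 6) & 0o7
    elif entry.group in user.groups:
        bits = (entry.mode >> 3) & 0o7
    else:
        bits = entry.mode & 0o7
    return bits & want == want


def parent_of(path: str) -> str:
    if path == "/":
        return "/"
    return path.rsplit("/", 1)[0] or "/"


def nearest_existing(fs: Dict[str, DirEntry], path: str) -> str:
    """A LOCATION may not exist yet; the check is applied to its closest existing ancestor."""
    while path not in fs:
        if path == "/":
            raise KeyError("filesystem has no root entry")
        path = parent_of(path)
    return path


# Assumed, simplified mapping (modelled on the HCat security design):
#   creating or dropping a directory -> write + execute on its parent
#   altering or writing into it      -> write + execute on the directory itself
#   reading from it                  -> read + execute on the directory itself
OPERATION_REQUIREMENTS = {
    "CREATE DATABASE": ("parent", W | X),
    "CREATE TABLE": ("parent", W | X),
    "ADD PARTITION": ("parent", W | X),
    "DROP TABLE": ("parent", W | X),
    "ALTER TABLE": ("self", W | X),
    "INSERT": ("self", W | X),
    "SELECT": ("self", R | X),
}


def authorize(fs: Dict[str, DirEntry], user: User, operation: str,
              location: str) -> Tuple[bool, str]:
    """Return (allowed, reason). The metastore change is allowed only when the
    equivalent filesystem action would be allowed for the same user, which is what
    prevents metadata being created for a directory the user could never write."""
    target_kind, want = OPERATION_REQUIREMENTS[operation]
    target = location if target_kind == "self" else parent_of(location)
    checked = nearest_existing(fs, target)
    if has_perm(fs[checked], user, want):
        return True, f"{operation} on {location}: allowed (checked {checked})"
    return False, (f"{operation} on {location}: denied, "
                   f"user {user.name} lacks mode {want:o} on {checked}")


# Constructed sample layout and users (not real cluster data)
SAMPLE_FS = {
    "/": DirEntry("hdfs", "hadoop", 0o755),
    "/warehouse": DirEntry("hive", "hadoop", 0o775),
    "/warehouse/sales.db": DirEntry("alice", "analysts", 0o750),
    "/warehouse/sales.db/orders": DirEntry("alice", "analysts", 0o750),
    "/data": DirEntry("hdfs", "hadoop", 0o755),
    "/data/external": DirEntry("bob", "eng", 0o700),
}
ALICE = User("alice", ["analysts"])
CAROL = User("carol", ["analysts"])
MALLORY = User("mallory")


def run_scenarios() -> List[Tuple[bool, str]]:
    """Owner may create under her database; a group member may read but not create;
    a LOCATION under someone else's private directory is rejected at the data layer."""
    return [
        authorize(SAMPLE_FS, ALICE, "CREATE TABLE", "/warehouse/sales.db/returns"),
        authorize(SAMPLE_FS, CAROL, "CREATE TABLE", "/warehouse/sales.db/returns"),
        authorize(SAMPLE_FS, CAROL, "SELECT", "/warehouse/sales.db/orders"),
        authorize(SAMPLE_FS, CAROL, "CREATE TABLE", "/data/external/leaked"),
        authorize(SAMPLE_FS, ALICE, "ADD PARTITION", "/warehouse/sales.db/orders/dt=2012-01-01"),
        authorize(SAMPLE_FS, MALLORY, "DROP TABLE", "/warehouse/sales.db/orders"),
    ]


if __name__ == "__main__":
    for _, reason in run_scenarios():
        print(reason)
```

The second scenario is the inconsistency the description warns about: a metastore-only check would accept carol's CREATE TABLE, but the directory creation under /warehouse/sales.db would fail for her at the HDFS layer, leaving an orphaned table entry. Checking the closest existing ancestor of the LOCATION first keeps the two layers consistent.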