[
https://issues.apache.org/jira/browse/HIVE-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235003#comment-13235003
]
Ashutosh Chauhan commented on HIVE-2809:
----------------------------------------
@Enis,
The patch is huge and it has three different issues smashed together. If broken
apart into the following three issues, it will be easier for reviewing and better
tracking:
a) Adding DB as read and write entity for auth checks.
b) Improving semantics for adding checks for add partition and others.
c) Adding HDFSAuthProvider as an alternative.
> StorageHandler authorization providers
> --------------------------------------
>
> Key: HIVE-2809
> URL: https://issues.apache.org/jira/browse/HIVE-2809
> Project: Hive
> Issue Type: New Feature
> Affects Versions: 0.9.0
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
> Attachments: HIVE-2809.D1953.1.patch, HIVE-2809.D1953.2.patch,
> HIVE-2809.D1953.3.patch, HIVE-2809.D1953.4.patch, HIVE-2809.D1953.5.patch
>
>
> In this issue, we would like to discuss the possibility of supplementing the
> Hive authorization model with authorization at the storage level. As
> discussed in HIVE-1943, Hive should also check for operation permissions in
> HDFS and HBase, since otherwise data and metadata can be in an inconsistent
> state or be orphaned. Going a step further, some setups might not need
> the full-featured auth model of Hive, but want to rely on managing the
> permissions at the data layer. In this model, the metadata operations are
> checked first against HDFS/HBase and are allowed only if they are allowed at
> the data layer. The semantics are documented at
> https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design.
> So, the goals of this issue are:
> - Port storage handler specific authorization providers, and the
> StorageDelegationAuthorizationProvider from HCATALOG-245 and HCATALOG-260 to
> Hive.
> - Keep Hive's current default authorization provider, and enable the user to
> use this and/or the storage one. Auth providers are already configurable.
> - Move the manual authorization checks that had to be performed in
> HCat to Hive, specifically:
> -- CREATE DATABASE/TABLE and ADD PARTITION statements do not call
> HiveAuthorizationProvider.authorize() with the candidate objects, which
> means that we cannot do checks against the defined LOCATION.
> -- HiveOperation does not define sufficient Privileges for most of the
> operations, especially database operations.
> -- For some of the operations, Hive SemanticAnalyzer does not add the
> changed object as a WriteEntity or ReadEntity.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
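The storage-delegated model described in the issue (a metadata operation is permitted only if the same principal could perform the corresponding filesystem action on the data) can be illustrated with a small in-memory model. The block below is an added example written for this page; it is not Hive or HCatalog code and not the patch under review. The operation-to-permission mapping in `RULES` (create/drop needs w+x on the parent directory, read needs r+x on the directory itself) mirrors POSIX/HDFS directory semantics and is an assumption made here for illustration, as are the names `FakeNamespace`, `storage_authorize`, `Metastore` and the constructed sample namespace and users.

```python
"""Toy model of storage-delegated authorization for Hive metadata operations.

Added example, not Hive/HCatalog code. The RULES table is an assumption that
mirrors POSIX/HDFS directory semantics; the namespace and users are constructed
sample data.
"""
from dataclasses import dataclass
from posixpath import dirname

# Which directory a metadata operation would touch at the data layer, and the
# permission bits the principal needs on it (ASSUMED mapping, see docstring).
RULES = {
    "CREATE_TABLE":  ("parent", "wx"),   # creates the table directory
    "DROP_TABLE":    ("parent", "wx"),   # removes the table directory
    "ADD_PARTITION": ("parent", "wx"),   # creates the partition directory
    "SELECT":        ("self",   "rx"),   # lists and reads the directory
    "INSERT":        ("self",   "wx"),   # writes files into the directory
}
BIT = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class DirEntry:
    owner: str
    group: str
    mode: int            # POSIX mode bits, e.g. 0o750


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


class FakeNamespace:
    """In-memory stand-in for an HDFS namespace (constructed sample data)."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def permits(self, who, path, need):
        entry = self.entries.get(path.rstrip("/") or "/")
        if entry is None:
            return False                 # unknown path: fail closed
        if who.name == entry.owner:      # pick the owner/group/other class
            cls = entry.mode >> 6
        elif entry.group in who.groups:
            cls = entry.mode >> 3
        else:
            cls = entry.mode
        mask = sum(BIT[c] for c in need)
        return (cls & 0o7) & mask == mask


def storage_authorize(fs, who, op, location):
    """True iff `who` may perform `op` given data-layer permissions on the
    directory that the metadata object would point at (`location`)."""
    target, need = RULES[op]
    loc = location.rstrip("/")
    path = dirname(loc) if target == "parent" else loc
    return fs.permits(who, path, need)


class Metastore:
    """Minimal metadata layer: a table is registered only if the storage check
    against its candidate LOCATION passes, so metadata never points at a
    directory the creator could not have created."""

    def __init__(self, fs):
        self.fs = fs
        self.tables = {}

    def create_table(self, who, name, location):
        if not storage_authorize(self.fs, who, "CREATE_TABLE", location):
            return False
        self.tables[name] = location
        return True


# Constructed sample namespace and principals.
SAMPLE_FS = FakeNamespace({
    "/warehouse/db1.db":    DirEntry("hive",  "analysts", 0o770),
    "/warehouse/db1.db/t1": DirEntry("alice", "analysts", 0o750),
    "/data/external":       DirEntry("root",  "ops",      0o755),
})
ALICE = Principal("alice", frozenset({"analysts"}))
BOB   = Principal("bob",   frozenset({"analysts"}))
CAROL = Principal("carol", frozenset())

if __name__ == "__main__":
    ms = Metastore(SAMPLE_FS)
    print(ms.create_table(ALICE, "t2", "/warehouse/db1.db/t2"))   # True
    print(ms.create_table(ALICE, "t4", "/data/external/t4"))      # False
    print(storage_authorize(SAMPLE_FS, BOB, "INSERT", "/warehouse/db1.db/t1"))  # False
```

The CREATE TABLE at `/data/external/t4` case is the one the issue calls out: without the candidate object (and its LOCATION) reaching the authorizer, the metastore would register a table whose directory the user cannot create, leaving metadata and data inconsistent.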