> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote: > > beeline/src/java/org/apache/hive/beeline/BeeLine.java, line 547 > > <https://reviews.apache.org/r/13845/diff/4/?file=394495#file394495line547> > > > > we should document what this option means, in the usage output, and > > that it is a hive specific option. > >
Agreed. will updated the docs according. > On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote: > > conf/hive-default.xml.template, line 2111 > > <https://reviews.apache.org/r/13845/diff/4/?file=394500#file394500line2111> > > > > should "altername" be "alternate" ? > > requestion => request > > Done. > On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote: > > shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java, > > line 528 > > <https://reviews.apache.org/r/13845/diff/4/?file=394522#file394522line528> > > > > This would mean that to make a user a proxy user, you would need to > > make the user a proxy user for all of hadoop. In general for security, it > > is useful to be able to give users only what they need. > > > > Webhcat and oozie follow this model AFAIK. Granting a user proxy user > > privilege for these services does not require you to make the user a proxy > > user for hadoop (HDFS, MR). > > I do agree with the point that we shouldn't be requiring to grant permissions beyond the minimum required. Here's the rationale for the proposed approach - - For impersonation cases, the middleware user needs to impersonate the end user at Hadoop level (eg Oozie). If we use a different configuration format, then you need to keep those two setting in sycn. That's an administration nightmare. - If you do want this to be a hive specific setting (eg. for middleware tools that don't need impersonation), then you can always add it to hive-site.xml. This way you don't need a different configuration format or file, and yet keep the privilege specific to hive service. - Prasad ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/13845/#review31384 ----------------------------------------------------------- On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/13845/ > ----------------------------------------------------------- > > (Updated Dec. 5, 2013, 8:08 p.m.) > > > Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair. > > > Bugs: HIVE-5155 > https://issues.apache.org/jira/browse/HIVE-5155 > > > Repository: hive-git > > > Description > ------- > > Delegation token support - > Enable delegation token connection for HiveServer2 > Enhance the TCLIService interface to support delegation token requests > Support passing the delegation token connection type via JDBC URL and Beeline > option > > Direct proxy access - > Define new proxy user property > Shim interfaces to validate proxy access for a given user > > Note that the diff doesn't include thrift generated code. > > > Diffs > ----- > > beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5 > beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3 > beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3 > beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829 > common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa > conf/hive-default.xml.template c61a0bb > itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java > 7b1c9da > jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573 > jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98 > service/if/TCLIService.thrift 62a9730 > service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f > service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java > 519556c > service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675 > service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386 > service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f > service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java > 9dca874 > service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6 > service/src/java/org/apache/hive/service/cli/session/HiveSession.java > 00058cc > service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java > cfda752 > > service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java > 708f4e4 > service/src/java/org/apache/hive/service/cli/session/SessionManager.java > e262b72 > service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java > 9df110e > > service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java > 9bb2a0f > service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java > 8fa4afd > service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java > 2fac800 > shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java > 6ff1a84 > > shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java > 84f3ddc > > shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java > dc89de1 > shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java > 0d5615c > > shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java > 03f4e51 > > Diff: https://reviews.apache.org/r/13845/diff/ > > > Testing > ------- > > Since this requires kerberos setup, its tested by a standalone test program > that runs various existing and new secure connection scenarios. The test code > is attached to the ticket at > https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java > > > Thanks, > > Prasad Mujumdar > >
