[
https://issues.apache.org/jira/browse/HIVE-7209?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Thejas M Nair updated HIVE-7209:
--------------------------------
Attachment: HIVE-7209.4.patch
HIVE-7209.4.patch - also updating hive-default.xml.template to mention that
more than one metastore authorization manager classes can be specified under
hive.security.metastore.authorization.manager .
> allow metastore authorization api calls to be restricted to certain invokers
> ----------------------------------------------------------------------------
>
> Key: HIVE-7209
> URL: https://issues.apache.org/jira/browse/HIVE-7209
> Project: Hive
> Issue Type: Bug
> Components: Authentication, Metastore
> Reporter: Thejas M Nair
> Assignee: Thejas M Nair
> Labels: TODOC14
> Attachments: HIVE-7209.1.patch, HIVE-7209.2.patch, HIVE-7209.3.patch,
> HIVE-7209.4.patch
>
>
> Any user who has direct access to metastore can make metastore api calls that
> modify the authorization policy.
> The users who can make direct metastore api calls in a secure cluster
> configuration are usually the 'cluster insiders' such as Pig and MR users,
> who are not (securely) covered by the metastore based authorization policy.
> But it makes sense to disallow access from such users as well.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
