[
https://issues.apache.org/jira/browse/HIVE-8045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14134579#comment-14134579
]
Thejas M Nair edited comment on HIVE-8045 at 9/17/14 6:59 AM:
--------------------------------------------------------------
bq. 1 Even if hive.security.authorization.enabled=false, authorization checks
were happening for non sql statements as add/detete/dfs/compile, which results
in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
CommandUtil. authorizeCommand(..) has been fixed to consider the value of
hive.security.authorization.enabled . Added new test case -
authorization_cli_nonsql.q
bq. 2 Create table from hive-cli ended up calling metastore server api call
(getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an
error.
Removed the getRoles call from authorization from SQLStdHiveAccessController
constructor. It is already explicitly initialized before roles are used from
other methods. Added test authorization_cli_createtab_noauthzapi.q to verify
that no authorization api calls are being made for create table commands.
bq. 3 Some users prefer to enable authorization using hive-site.xml for
hive-server2 (hive.security.authorization.enabled param). If this file is
shared by hive-cli and hive-server2, SQL std authorizer throws an error because
its use in hive-cli is not allowed.
Created SQLStdConfOnlyAuthorizerFactory that can be set in hive-cli, its
authorization checkprivileges calls are no-op calls. The sql standard
authorizer can be set for hiveserver2 using commandline or hiveserver2-site.xml
. authorization_cli_stdconfigauth.q tests this.
was (Author: thejas):
bq. 1 Even if hive.security.authorization.enabled=false, authorization checks
were happening for non sql statements as add/detete/dfs/compile, which results
in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
CommandUtil. authorizeCommand(..) has been fixed to consider the value of
hive.security.authorization.enabled . Added new test case -
authorization_cli_nonsql.q
bq. 2 Create table from hive-cli ended up calling metastore server api call
(getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an
error.
Removed the getRoles call from authorization from SQLStdHiveAccessController
constructor. It is already explicitly initialized before roles are used from
other methods. Added test authorization_cli_createtab_noauthzapi.q to verify
that no authorization api calls are being made for create table commands.
bq. 3 Some users prefer to enable authorization using hive-site.xml for
hive-server2 (hive.security.authorization.enabled param). If this file is
shared by hive-cli and hive-server2, SQL std authorizer throws an error because
its use in hive-cli is not allowed.
Created SQLStdConfOnlyAuthorizerFactory that can be set in hive-cli, its
authorization checkprivileges calls are no-op calls. The sql standard
authorizer can be set for hiveserver2 using commandline or hiveserver2-site.xml
.
> SQL standard auth with cli - Errors and configuration issues
> ------------------------------------------------------------
>
> Key: HIVE-8045
> URL: https://issues.apache.org/jira/browse/HIVE-8045
> Project: Hive
> Issue Type: Bug
> Components: Authorization
> Reporter: Jagruti Varia
> Assignee: Thejas M Nair
>
> HIVE-7533 enabled sql std authorization to be set in hive cli (without
> enabling authorization checks). This updates hive configuration so that
> create-table and create-views set permissions appropriately for the owner of
> the table.
> HIVE-7209 added a metastore authorization provider that can be used to
> restricts calls made to the authorization api, so that only HS2 can make
> those calls (when HS2 uses embedded metastore).
> Some issues were found with this.
> # Even if hive.security.authorization.enabled=false, authorization checks
> were happening for non sql statements as add/detete/dfs/compile, which
> results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Create table from hive-cli ended up calling metastore server api call
> (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an
> error.
> # Some users prefer to enable authorization using hive-site.xml for
> hive-server2 (hive.security.authorization.enabled param). If this file is
> shared by hive-cli and hive-server2, SQL std authorizer throws an error
> because is use in hive-cli is not allowed.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
