ngsg commented on PR #5771: URL: https://github.com/apache/hive/pull/5771#issuecomment-2995336426
@dengzhhu653, > > Sorry, MetaStoreFilterHook is used as HiveMetaStoreAuthorizer or AuthorizationMetaStoreFilterHook. I was searching only for the standalone-metastore project. My bad > > Current we need this in the client side, IMO it's better to put the filter on the ThriftHiveMetaStoreClient to enforce the check I think it is OK to place MetaStoreFilterHook on HookMetaStoreClientProxy. We can keep the current authorization step by consistently wrapping the inner layer by `HookMetaStoreClientProxy`, and this approach can also support future extensions for third-party catalogs. However, I'm open to revisiting this if you still have concerns, as I'm not fully confident in these security related features. --- > I prefer the way to enhance the client through each lawyer. I would like to make the chain thread-safe by default(for client in each lawyer) for non-embedded Metastore, especially for the `ThriftHiveMetaStoreClient`, like: https://github.com/apache/hive/blob/master/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java#L2258-L2287 In the current implementation, method invocations on any MetaStoreClient connected to a remote MetaStore are guarded by a synchronized block, as in your example. Therefore, I think MetaStoreClient with non-embeded MetaStore is thread-safe. cf. https://github.com/apache/hive/blob/459b1e5b3870393adae1b7e527ce856fc1d3f162/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java#L6118-L6120 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org For additional commands, e-mail: gitbox-h...@hive.apache.org
