jjiang037 commented on code in PR #6078:
URL: https://github.com/apache/hive/pull/6078#discussion_r2353439300


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java:
##########
@@ -40,6 +42,17 @@ protected HiveMetaStoreAuthorizableEvent(PreEventContext 
preEventContext) {
     this.preEventContext = preEventContext;
   }
 
+  protected HiveAuthzContext buildAuthzContext() {
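Review bot: buildAuthzContext() is added as a protected method on the base event class with no Javadoc above its signature. Because every HiveMetaStoreAuthorizableEvent subclass can see it, document what it puts into the returned HiveAuthzContext, whether it can return null, and whether subclasses are expected to override it or only call it.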

Review Comment:
   Yes, different HiveMetaStoreAuthorizableEvent subclasses can provide their 
own authzContext based on their specific authorization needs. Here are some 
concrete usage scenarios:
   
   ## Client Type Differentiation
   ### Different clients accessing HMS may require different authorization contexts:
   - REST Catalog clients vs Thrift clients: REST-based catalog services (like Iceberg REST catalog) may need additional context for audit logging to distinguish their requests from traditional Thrift-based HMS clients
   - This allows authorization plugins to apply different policies or logging based on the client type
   ## Enhanced Audit Context
   The authorization context can carry metadata about:
   - Request origin: Whether the request came from a REST API, direct HMS client, or a proxy service
   - Client properties: Additional metadata like client version, request ID, or session information
   - Operation context: Specific context relevant to the operation type
   ## Example Implementation Pattern
   ```
   // For REST catalog requests
   public class ReadDatabaseEvent extends HiveMetaStoreAuthorizableEvent {
       @Override
       public HiveMetaStoreAuthzInfo getAuthzContext() {
           HiveAuthzContext authzContext = buildAuthzContext();
           // The context now includes client configuration that identifies
           // this as a REST catalog request vs regular HMS request
           return new HiveMetaStoreAuthzInfo(..., authzContext);
       }
   }
   ```
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

