[
https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16657168#comment-16657168
]
Vihang Karajgaonkar commented on HIVE-20776:
--------------------------------------------
Are you talking about {{MetaStoreFilterHook}} implementations? Looks like the
original motivation of these hooks were authorization plugins on the HS2
(client side). If you read the javadoc on the interface, it makes more sense.
{quote}/**
* Metadata filter hook for metastore client. This will be useful for
authorization
* plugins on hiveserver2 to filter metadata results, especially in case of
* non-impersonation mode where the metastore doesn't know the end user's
identity.
*/{quote}
When impersonation is turned OFF (default on secure setups on some
distributions), HMS doesn't really know who the end-user is. And hence it is
hard to implement a authorization policy based on UGI of the end-user. The only
way to enforce such a authorization policy would be on the client side where we
know who is the end-user executing the request.
> Move HMS filterHooks from client-side to server-side
> ----------------------------------------------------
>
> Key: HIVE-20776
> URL: https://issues.apache.org/jira/browse/HIVE-20776
> Project: Hive
> Issue Type: Improvement
> Components: Standalone Metastore
> Reporter: Karthik Manamcheri
> Assignee: Karthik Manamcheri
> Priority: Major
>
> In HMS, I noticed that all the filter hooks are applied on the client side
> (in HiveMetaStoreClient.java). Is there any reason why we can't apply the
> filters on the server-side?
> Motivation: Some newer apache projects such as Kudu use HMS for metadata
> storage. Kudu is not completely Java-based and there are interaction points
> where they have C++ clients. In such cases, it would be ideal to have
> consistent behavior from HMS side as far as filters, etc are concerned.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
