[ https://issues.apache.org/jira/browse/HIVE-25444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sai Hemanth Gantasala updated HIVE-25444: ----------------------------------------- Summary: Make tables based on storage handlers authorization (HIVE-24705) configurable. (was: Use a config to disable authorization on tables based on storage handlers by default.) > Make tables based on storage handlers authorization (HIVE-24705) configurable. > ------------------------------------------------------------------------------ > > Key: HIVE-25444 > URL: https://issues.apache.org/jira/browse/HIVE-25444 > Project: Hive > Issue Type: Improvement > Components: HiveServer2 > Reporter: Sai Hemanth Gantasala > Assignee: Sai Hemanth Gantasala > Priority: Major > > Using a config "hive.security.authorization.tables.on.storagehandlers" with > default false, we'll disable the authorization on storage handlers by > default. Authorization is enabled if this config is set to true. > Background: Previously, whenever a user is trying to create a table based on > a storage handler, the end user we are seeing in the external storage (Ex: > hbase, kafka, and druid) is ‘hive’ so we cannot really enforce the condition > in ranger on the end-user. > https://issues.apache.org/jira/browse/HIVE-24705 solved this security issue, > by enforcing a check in Apache ranger for hive service. This patch had > changes in both hive and ranger. (ranger client depends on hive changes.)Now > the reason why I’m disabling this feature by default is that users can > updated hive code but not ranger code. In that case, users see a permission > denied error when executing a statement like: {{CREATE TABLE hive_table_0(key > int, value string) STORED BY > 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'}} but user/admin cannot > add a ranger policy in hive because ranger code is not updated. This way > we’ll unblocked users from creating tables based on storage handlers as they > were previously doing.Users can turn on this config if they have updated > ranger code. -- This message was sent by Atlassian Jira (v8.3.4#803005)