[ 
https://issues.apache.org/jira/browse/HIVE-25444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sai Hemanth Gantasala updated HIVE-25444:
-----------------------------------------
    Summary: Make tables based on storage handlers authorization (HIVE-24705) 
configurable.  (was: Use a config to disable authorization on tables based on 
storage handlers by default.)

> Make tables based on storage handlers authorization (HIVE-24705) configurable.
> ------------------------------------------------------------------------------
>
>                 Key: HIVE-25444
>                 URL: https://issues.apache.org/jira/browse/HIVE-25444
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>
> Using a config "hive.security.authorization.tables.on.storagehandlers" with 
> default false, we'll disable the authorization on storage handlers by 
> default. Authorization is enabled if this config is set to true. 
> Background: Previously, whenever a user is trying to create a table based on 
> a storage handler, the end user we are seeing in the external storage (Ex: 
> hbase, kafka, and druid) is ‘hive’ so we cannot really enforce the condition 
> in ranger on the end-user.
> https://issues.apache.org/jira/browse/HIVE-24705 solved this security issue, 
> by enforcing a check in Apache ranger for hive service. This patch had 
> changes in both hive and ranger. (ranger client depends on hive changes.) Now 
> the reason why I’m disabling this feature by default is that users can 
> update hive code but not ranger code. In that case, users see a permission 
> denied error when executing a statement like: {{CREATE TABLE hive_table_0(key 
> int, value string) STORED BY 
> 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'}} but user/admin cannot 
> add a ranger policy in hive because ranger code is not updated. This way 
> we’ll unblock users from creating tables based on storage handlers as they 
> were previously doing. Users can turn on this config if they have updated 
> ranger code.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
