[ 
https://issues.apache.org/jira/browse/HIVE-25444?focusedWorklogId=770162&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-770162
 ]

ASF GitHub Bot logged work on HIVE-25444:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/May/22 12:24
            Start Date: 13/May/22 12:24
    Worklog Time Spent: 10m 
      Work Description: szlta opened a new pull request, #3290:
URL: https://github.com/apache/hive/pull/3290

   Resurrecting https://github.com/apache/hive/pull/2583 :
   Make tables based on storage handlers authorization (HIVE-24705) 
configurable.
   cc: @saihemanth-cloudera 




Issue Time Tracking
-------------------

    Worklog Id:     (was: 770162)
    Time Spent: 1h  (was: 50m)

> Make tables based on storage handlers authorization (HIVE-24705) configurable.
> ------------------------------------------------------------------------------
>
>                 Key: HIVE-25444
>                 URL: https://issues.apache.org/jira/browse/HIVE-25444
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Using a config "hive.security.authorization.tables.on.storagehandlers" with 
> default true, we'll enable the authorization on storage handlers by default. 
> Authorization is disabled if this config is set to false. 
> Background: Previously, whenever a user is trying to create a table based on 
> a storage handler, the end user we are seeing in the external storage (Ex: 
> hbase, kafka, and druid) is ‘hive’ so we cannot really enforce the condition 
> in ranger on the end-user.
> https://issues.apache.org/jira/browse/HIVE-24705 solved this security issue, 
> by enforcing a check in Apache ranger for hive service. This patch had 
> changes in both hive and ranger. (ranger client depends on hive changes). Now 
> the reason why we want to make this feature configurable is that users can update 
> hive code but not ranger code. In that case, users see a permission denied 
> error when executing a statement like: {{CREATE TABLE hive_table_0(key int, 
> value string) STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'}} 
> but user/admin cannot add a ranger policy in the hive because ranger code is 
> not updated. By making this feature configurable, we’ll unblock users from 
> creating tables based on storage handlers as they were previously doing.
> Users can turn 'off' this config if they haven't updated the ranger code.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
