[ https://issues.apache.org/jira/browse/HIVE-12688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15060409#comment-15060409 ]
Thejas M Nair commented on HIVE-12688: -------------------------------------- Yeah, looks like CDH version of Hive has been using this property to restrict access. This is not old behavior of Apache Hive. This is a new feature is not a pattern commonly seen in hadoop ecosystem. In case of HDFS, for example access is restricted on file permissions and not on a user group setting. To secure metastore access, you can already use storage based authorization. I am fine with this feature being added. However, the way it is implemented right now breaks hive not work if hadoop.proxyuser.hive.hosts is properly set. I am not sure why CDH users didn't face this issue, I assume cloudera manager might not be securing this for the clusters. I don't think we can ship Hive 2.0.0 in this form as it is a major regression. If you can change the implementation to fix this issue, please create a follow up jira with patch. I created this patch to rollback the change so that we don't block 2.0.0 release. > HIVE-11826 makes hive unusable in properly secured cluster > ---------------------------------------------------------- > > Key: HIVE-12688 > URL: https://issues.apache.org/jira/browse/HIVE-12688 > Project: Hive > Issue Type: Bug > Affects Versions: 1.3.0, 2.0.0 > Reporter: Thejas M Nair > Assignee: Thejas M Nair > Priority: Blocker > Attachments: HIVE-12688.1.patch > > > HIVE-11826 makes a change to restrict connections to metastore to users who > belong to groups under 'hadoop.proxyuser.hive.groups'. > That property was only a meant to be a hadoop property, which controls what > users the hive user can impersonate. What this change is doing is to enable > use of that to also restrict who can connect to metastore server. This is new > functionality, not a bug fix. There is value to this functionality. > However, this change makes hive unusable in a properly secured cluster. If > 'hadoop.proxyuser.hive.hosts' is set to the proper set of hosts that run > Metastore and Hiveserver2 (instead of a very open "*"), then users will be > able to connect to metastore only from those hosts. -- This message was sent by Atlassian JIRA (v6.3.4#6332)