[ https://issues.apache.org/jira/browse/HIVE-12688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15060409#comment-15060409 ]

Thejas M Nair commented on HIVE-12688:
--------------------------------------

Yeah, looks like CDH version of Hive has been using this property to restrict 
access. This is not old behavior of Apache Hive. This is a new feature and is not a 
pattern commonly seen in hadoop ecosystem. In case of HDFS, for example, access 
is restricted on file permissions and not on a user group setting. To secure 
metastore access, you can already use storage based authorization.


I am fine with this feature being added. However, the way it is implemented 
right now breaks hive if hadoop.proxyuser.hive.hosts is properly set. 
I am not sure why CDH users didn't face this issue; I assume cloudera manager 
might not be securing this for the clusters.
I don't think we can ship Hive 2.0.0 in this form as it is a major regression. 
If you can change the implementation to fix this issue, please create a follow 
up jira with patch. I created this patch to rollback the change so that we 
don't block 2.0.0 release.





> HIVE-11826 makes hive unusable in properly secured cluster
> ----------------------------------------------------------
>
>                 Key: HIVE-12688
>                 URL: https://issues.apache.org/jira/browse/HIVE-12688
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 1.3.0, 2.0.0
>            Reporter: Thejas M Nair
>            Assignee: Thejas M Nair
>            Priority: Blocker
>         Attachments: HIVE-12688.1.patch
>
>
> HIVE-11826 makes a change to restrict connections to metastore to users who 
> belong to groups under 'hadoop.proxyuser.hive.groups'.
> That property was only meant to be a hadoop property, which controls what 
> users the hive user can impersonate. What this change is doing is to enable 
> use of that to also restrict who can connect to metastore server. This is new 
> functionality, not a bug fix. There is value to this functionality.
> However, this change makes hive unusable in a properly secured cluster. If 
> 'hadoop.proxyuser.hive.hosts' is set to the proper set of hosts that run 
> Metastore and Hiveserver2 (instead of a very open "*"), then users will be 
> able to connect to metastore only from those hosts.



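The effect described in the issue, as an added example that is not part of the original message and is not Hive or Hadoop source code: a simplified Python model in which a metastore connection is allowed only when both the proxyuser group list and the proxyuser host list match. Hostnames, users, groups and function names are constructed, and host matching is reduced to exact string comparison.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragments using the two properties named in the issue.
CORE_SITE_OPEN = """<configuration>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hive.groups</name><value>analysts</value></property>
</configuration>"""

# Same file with hosts narrowed to the (hypothetical) Metastore and HiveServer2 hosts.
CORE_SITE_RESTRICTED = CORE_SITE_OPEN.replace(
    "<value>*</value>", "<value>hms1.example.com,hs2.example.com</value>")

def load_proxyuser(xml_text, superuser="hive"):
    """Return (hosts, groups) as sets for hadoop.proxyuser.<superuser>.*"""
    props = {p.findtext("name"): p.findtext("value")
             for p in ET.fromstring(xml_text).iter("property")}
    def split(key):
        raw = props.get(f"hadoop.proxyuser.{superuser}.{key}", "")
        return {v.strip() for v in raw.split(",") if v.strip()}
    return split("hosts"), split("groups")

def proxyuser_rule_allows(xml_text, user_groups, remote_host):
    """Model of the gate: group list AND host list must match ('*' matches all)."""
    hosts, groups = load_proxyuser(xml_text)
    group_ok = "*" in groups or bool(groups & set(user_groups))
    host_ok = "*" in hosts or remote_host in hosts
    return group_ok and host_ok

def report(xml_text, connections):
    """Evaluate each (user, groups, host) attempt against one configuration."""
    return [(u, h, proxyuser_rule_allows(xml_text, g, h)) for u, g, h in connections]

# Constructed connection attempts: (user, groups, client host)
CONNECTIONS = [
    ("alice", ["analysts"], "hs2.example.com"),    # client host is a listed service host
    ("alice", ["analysts"], "edge7.example.com"),  # same user, host not in the list
    ("bob", ["interns"], "hs2.example.com"),       # group not listed
]

if __name__ == "__main__":
    for label, conf in (("hosts=*", CORE_SITE_OPEN),
                        ("hosts restricted", CORE_SITE_RESTRICTED)):
        for user, host, ok in report(conf, CONNECTIONS):
            print(f"{label:17} {user:6} from {host:18} -> {'allow' if ok else 'deny'}")
```

With the open `*` setting the host never matters; once the host list is narrowed, the same user in an allowed group is rejected from any other machine, which is the regression the issue reports.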