[ 
https://issues.apache.org/jira/browse/HIVE-12429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15094911#comment-15094911
 ] 

Sushanth Sowmyan commented on HIVE-12429:
-----------------------------------------

Hi Daniel,

The change looks mostly good. I have one concern, though:

{code}
 final class HCatAuthUtil {
   public static boolean isAuthorizationEnabled(Configuration conf) {
@@ -31,6 +31,7 @@ public static boolean isAuthorizationEnabled(Configuration 
conf) {
     // additional checks if a V2 authorizer is in use. The reccomended 
configuration is to
     // use storage based authorization in metastore server
     return HiveConf.getBoolVar(conf, 
HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)
-        && SessionState.get().getAuthorizer() != null;
+        && HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER)
+        == StorageBasedAuthorizationProvider.class.getName();
   }
 }
{code}
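
Review bot: the condition on the two `+` lines compares two String values with `==`, which in Java tests reference identity rather than content. It can therefore evaluate to false even when HIVE_AUTHORIZATION_MANAGER is set to the StorageBasedAuthorizationProvider class name, and isAuthorizationEnabled would then return false although authorization is enabled in the configuration. Suggest `StorageBasedAuthorizationProvider.class.getName().equals(HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER))`, which compares content and is also safe if the configured value is null.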

Basically, the implication seems to be that if a user sets an authorization 
apart from SBAP, HCat will then read this as "authorization is not enabled", 
and proceed without doing any authorization. I think that's a bit dangerous, in 
that a user might think that authorization is happening, but in the background, 
we ignore that setting. I think it would be better to do something like 
throwing the equivalent of an UnsupportedOperationException (in an HCatException 
if need be) if a user specifies some other auth.


Also, while we're disabling the old Hive Auth, and we know that v2 auths are 
not supported here, there might be a possibility that users may have their own 
custom authorization provider that they're using that would be compatible. It 
might make sense, in that case, to still allow that use. So, I would say that 
another possible interpretation would be to do the following:

a) return false if an authorizer is not configured - i.e. if 
HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED is false.
b) If HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED is true, then:
      i) return true if SBAP is used.
      ii) if a certain other (new) config flag is used that signals explicit 
intent by user to use non-SBAP authorization, return true.
      iii) throw exception.

If this seems overly complex and unnecessary, then let's leave out the (ii) 
part, and simply throw an exception if an authorizer is configured, but it's 
not SBAP - but we do that with the understanding that we're basically stating 
that third party auth will not work with HCat, even if it's a SBAP-equivalent.

Thoughts?


> Switch default Hive authorization to SQLStandardAuth in 2.0
> -----------------------------------------------------------
>
>                 Key: HIVE-12429
>                 URL: https://issues.apache.org/jira/browse/HIVE-12429
>             Project: Hive
>          Issue Type: Task
>          Components: Authorization, Security
>    Affects Versions: 2.0.0
>            Reporter: Alan Gates
>            Assignee: Daniel Dai
>         Attachments: HIVE-12429.1.patch, HIVE-12429.10.patch, 
> HIVE-12429.11.patch, HIVE-12429.12.patch, HIVE-12429.13.patch, 
> HIVE-12429.14.patch, HIVE-12429.15.patch, HIVE-12429.16.patch, 
> HIVE-12429.2.patch, HIVE-12429.3.patch, HIVE-12429.4.patch, 
> HIVE-12429.5.patch, HIVE-12429.6.patch, HIVE-12429.7.patch, 
> HIVE-12429.8.patch, HIVE-12429.9.patch
>
>
> Hive's default authorization is not real security, as it does not secure a 
> number of features and anyone can grant access to any object to any user.  We 
> should switch the default to SQLStandardAuth, which provides real 
> authentication.
> As this is a backwards incompatible change this was hard to do previously, 
> but 2.0 gives us a place to do this type of change.
> By default authorization will still be off, as there are a few other things 
> to set when turning on authorization (such as the list of admin users).
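
The decision order proposed in the comment above (a, then b.i to b.iii), as an added example that is not part of the original message or of Hive's code. It reads a plain Map in place of HiveConf; the opt-in key `hcat.authorization.allow.custom.provider` and the class name `com.example.CustomAuthProvider` are hypothetical.

```java
import java.util.List;
import java.util.Map;

public class HCatAuthCheck {
    // Hive configuration keys and the SBAP class name.
    static final String ENABLED = "hive.security.authorization.enabled";
    static final String MANAGER = "hive.security.authorization.manager";
    static final String SBAP =
        "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider";
    // Hypothetical opt-in flag for option (ii); not an existing Hive or HCatalog setting.
    static final String ALLOW_CUSTOM = "hcat.authorization.allow.custom.provider";

    static boolean isAuthorizationEnabled(Map<String, String> conf) {
        // (a) Authorization is switched off: nothing to enforce.
        if (!Boolean.parseBoolean(conf.getOrDefault(ENABLED, "false"))) {
            return false;
        }
        String manager = conf.get(MANAGER);
        // (b)(i) SBAP is configured. equals() compares content, unlike ==.
        if (SBAP.equals(manager)) {
            return true;
        }
        // (b)(ii) The user explicitly opted in to a non-SBAP provider.
        if (manager != null
                && Boolean.parseBoolean(conf.getOrDefault(ALLOW_CUSTOM, "false"))) {
            return true;
        }
        // (b)(iii) Fail closed instead of silently treating authorization as disabled.
        throw new UnsupportedOperationException(
            "Authorization is enabled but provider '" + manager
                + "' is not supported by HCat");
    }

    public static void main(String[] args) {
        String custom = "com.example.CustomAuthProvider"; // constructed class name
        // Constructed sample configurations, one per branch.
        List<Map<String, String>> cases = List.of(
            Map.of(ENABLED, "false", MANAGER, custom),
            Map.of(ENABLED, "true", MANAGER, SBAP),
            Map.of(ENABLED, "true", MANAGER, custom, ALLOW_CUSTOM, "true"),
            Map.of(ENABLED, "true", MANAGER, custom));
        for (Map<String, String> conf : cases) {
            try {
                System.out.println(isAuthorizationEnabled(conf) + " <- " + conf);
            } catch (UnsupportedOperationException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```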


