[ https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16063660#comment-16063660 ]
Vaibhav Gumashta commented on HIVE-16905:
-----------------------------------------

[~txhsj] Thanks a lot for the patch and the document.

In your patch, it appears that you are improving the unsecure cluster case. The current model is as follows: in a secure cluster (with Kerberos), the znode for HiveServer2 is created with the ACLs: Read permission to everyone (the JDBC client needs this) and Create/Delete/Write/Admin to the SASL authenticated HiveServer2 user. In an unsecure cluster, the znode for HiveServer2 is created with Read/Create/Delete/Write/Admin access to all users.

I have a few questions: what are the other authentication modes you plan to support with this (can you give an example)? How will that affect the interaction between JDBC - ZooKeeper and HiveServer2 - ZooKeeper?

Also, in ZooKeeperHiveClientHelper, you are reading the config from Server's HiveConf. However, on the remote JDBC client machine, we do not have access to the Server's hive-site.xml (we also don't want the JDBC client to depend on HiveConf - typically any configuration needed on the client side is passed through the JDBC connection string and dealt with appropriately in the JDBC driver - for example, check how we pass the ZooKeeper namespace for HiveServer2 via the connection string).

> Add zookeeper ACL for hiveserver2
> ---------------------------------
>
>                 Key: HIVE-16905
>                 URL: https://issues.apache.org/jira/browse/HIVE-16905
>             Project: Hive
>          Issue Type: New Feature
>    Affects Versions: 3.0.0
>            Reporter: Saijin Huang
>            Assignee: Saijin Huang
>         Attachments: HIVE-16905.1.patch, HIVE ACL FOR HIVESERVER2.pdf
>
>
> Adding a ZooKeeper ACL for hiveserver2 is necessary for Hive to protect the znode
> of hiveserver2 from being deleted by accident.
> ------------------
> Case:
> When I make beeline connections through Hive HA with ZooKeeper, I suddenly
> find that beeline cannot connect to hiveserver2. The reason for the problem is
> that others delete /hiveserver2 by mistake, which causes the beeline
> connection to fail, and it cannot read the configs from ZooKeeper.
> -----------------
> As a result of the ACL of /hiveserver2, which is set to world:anyone:cdrwa,
> anyone can easily delete /hiveserver2 and znodes at any time. It is
> unsafe, and it is necessary to protect the znode /hiveserver2.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
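
The following audit sketch is an added example, not part of the JIRA thread or the Hive patch: it parses the two-line-per-entry text that ZooKeeper's `zkCli.sh getAcl` prints and checks a znode against the secure-cluster model described in the comment above. The function names, the server user name `hive`, and the sample ACL text are assumptions constructed for illustration.

```python
import re

# zkCli.sh `getAcl` prints each ACL entry as two lines:
#   'scheme,'id
#   : perms
ENTRY = re.compile(r"'(?P<scheme>[^,\s]+),'(?P<id>\S*)\s*\n\s*:\s*(?P<perms>[cdrwa]*)")

def parse_getacl(text):
    """Return [(scheme, id, set_of_permission_letters)] from getAcl output."""
    return [(m["scheme"], m["id"], set(m["perms"])) for m in ENTRY.finditer(text)]

def audit(text, server_user="hive"):  # server_user is an assumed principal name
    """Check a znode ACL against the secure-cluster model from the comment:
    world:anyone may only read (JDBC clients need that), and the SASL
    authenticated HiveServer2 user holds create/delete/write/admin."""
    acl = parse_getacl(text)
    if not acl:
        return ["no ACL entries parsed"]
    findings, world_read, owner_ok = [], False, False
    for scheme, ident, perms in acl:
        if scheme == "world" and ident == "anyone":
            world_read = "r" in perms
            extra = "".join(p for p in "cdwa" if p in perms)
            if extra:
                findings.append(f"world:anyone holds '{extra}' beyond read")
        elif scheme == "sasl" and ident == server_user:
            owner_ok = {"c", "d", "w", "a"} <= perms
        else:
            findings.append(f"unexpected entry {scheme}:{ident}")
    if not world_read:
        findings.append("world:anyone cannot read; JDBC discovery would fail")
    if not owner_ok:
        findings.append(f"no sasl:{server_user} entry with cdwa")
    return findings

# Constructed samples in getAcl's output format (not captured from a cluster).
UNSECURE = "'world,'anyone\n: cdrwa\n"
SECURE = "'sasl,'hive\n: cdrwa\n'world,'anyone\n: r\n"

if __name__ == "__main__":
    for name, sample in (("unsecure", UNSECURE), ("secure", SECURE)):
        print(name, audit(sample) or "matches the secure-cluster model")
```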