[ https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16063660#comment-16063660 ]

Vaibhav Gumashta commented on HIVE-16905:
-----------------------------------------

[~txhsj] Thanks a lot for the patch and the document. 

In your patch, it appears that you are improving the unsecure cluster case. The 
current model is as follows: in a secure cluster (with Kerberos), the znode for 
HiveServer2 is created with the ACLs: Read permission to everyone (the JDBC 
client needs this) and Create/Delete/Write/Admin to the SASL authenticated 
HiveServer2 user. In an unsecure cluster, the znode for HiveServer2 is created 
with Read/Create/Delete/Write/Admin access to all users. 

I have a few questions: what are the other authentication modes you plan to 
support with this (can you give an example)? How will that affect the 
interaction between JDBC - ZooKeeper and HiveServer2 - ZooKeeper? Also, in 
ZooKeeperHiveClientHelper, you are reading the config from Server's HiveConf. 
However, on the remote JDBC client machine, we do not have access to the 
Server's hive-site.xml (we also don't want the JDBC client to depend on HiveConf - 
typically any configuration needed on the client side is passed through the 
JDBC connection string and dealt with appropriately in the JDBC driver - for 
example check how we pass the ZooKeeper namespace for HiveServer2 via the 
connection string). 

> Add zookeeper ACL for hiveserver2
> ---------------------------------
>
>                 Key: HIVE-16905
>                 URL: https://issues.apache.org/jira/browse/HIVE-16905
>             Project: Hive
>          Issue Type: New Feature
>    Affects Versions: 3.0.0
>            Reporter: Saijin Huang
>            Assignee: Saijin Huang
>         Attachments: HIVE-16905.1.patch, HIVE ACL FOR HIVESERVER2.pdf
>
>
> Adding a ZooKeeper ACL for hiveserver2 is necessary for Hive to protect the 
> znode of hiveserver2 from being deleted by accident.
> ------------------
> Case:
> When I make beeline connections through Hive HA with ZooKeeper, I suddenly 
> find that beeline cannot connect to hiveserver2. The reason for the problem 
> is that others deleted /hiveserver2 by mistake, which causes the beeline 
> connection to fail, as it cannot read the configs from ZooKeeper.
> -----------------
> As a result of the ACL of /hiveserver2 being set to world:anyone:cdrwa, 
> anyone can easily delete /hiveserver2 and znodes at any time. It is unsafe, 
> and it is necessary to protect the znode /hiveserver2.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

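
Added example (not part of the original message or of the Hive patch): a small audit that reads ACLs in the scheme:id:perms form quoted above and reports znodes where world:anyone holds more than Read, which is the difference between the unsecure and the Kerberos cases described in the comment. The sample paths, the SASL user name "hive" and all function names are assumptions made for illustration.

```python
# Added example: audit ZooKeeper ACL strings written as scheme:id:perms.
PERM_NAMES = {"c": "create", "d": "delete", "r": "read", "w": "write", "a": "admin"}


def parse_acl(acl):
    """Split 'scheme:id:perms[,scheme:id:perms...]' into (scheme, id, perms) tuples."""
    entries = []
    for item in acl.split(","):
        item = item.strip()
        scheme, _, rest = item.partition(":")
        # The id may itself contain ':' (e.g. digest user:hash), so split from the right.
        ident, _, perms = rest.rpartition(":")
        unknown = set(perms) - set(PERM_NAMES)
        if not scheme or not ident or not perms or unknown:
            raise ValueError(f"malformed ACL entry: {item!r}")
        entries.append((scheme, ident, set(perms)))
    return entries


def world_excess(acl, allowed="r"):
    """Return the permission names world:anyone holds beyond `allowed`, sorted."""
    excess = set()
    for scheme, ident, perms in parse_acl(acl):
        if scheme == "world" and ident == "anyone":
            excess |= perms - set(allowed)
    return sorted(PERM_NAMES[p] for p in excess)


def audit(znodes):
    """Map each znode path to its excess world permissions; clean znodes are omitted."""
    findings = {}
    for path, acl in znodes.items():
        excess = world_excess(acl)
        if excess:
            findings[path] = excess
    return findings


# Constructed sample data; the second path and the user "hive" are hypothetical.
SAMPLE = {
    "/hiveserver2": "world:anyone:cdrwa",                     # unsecure cluster case
    "/hiveserver2-secure": "world:anyone:r,sasl:hive:cdwa",  # Kerberos cluster case
}

if __name__ == "__main__":
    for path, excess in audit(SAMPLE).items():
        print(f"{path}: world:anyone also has {', '.join(excess)}")
```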