[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[
https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1971#comment-1971
]
Karthik Manamcheri commented on HIVE-20776:
---
Should we then do the filtering both on client AND server side, instead of just
moving it?
{quote} HMS doesn't really know who the end-user is.
{quote}
HMS uses the hadoop proxy user system to know the end-user, no? This is how
Spark interacts with HMS. Spark sets the hadoop proxy user and HMS knows the
end-user through that. Why not use the same mechanism from HS2?
> Move HMS filterHooks from client-side to server-side
>
>
> Key: HIVE-20776
> URL: https://issues.apache.org/jira/browse/HIVE-20776
> Project: Hive
> Issue Type: Improvement
> Components: Standalone Metastore
>Reporter: Karthik Manamcheri
>Assignee: Karthik Manamcheri
>Priority: Major
>
> In HMS, I noticed that all the filter hooks are applied on the client side
> (in HiveMetaStoreClient.java). Is there any reason why we can't apply the
> filters on the server-side?
> Motivation: Some newer apache projects such as Kudu use HMS for metadata
> storage. Kudu is not completely Java-based and there are interaction points
> where they have C++ clients. In such cases, it would be ideal to have
> consistent behavior from HMS side as far as filters, etc are concerned.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[ https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16661367#comment-16661367 ] Vihang Karajgaonkar commented on HIVE-20776: Not when impersonation is turned OFF. It will always show UGI as hive in that case AFAIK > Move HMS filterHooks from client-side to server-side > > > Key: HIVE-20776 > URL: https://issues.apache.org/jira/browse/HIVE-20776 > Project: Hive > Issue Type: Improvement > Components: Standalone Metastore >Reporter: Karthik Manamcheri >Assignee: Karthik Manamcheri >Priority: Major > > In HMS, I noticed that all the filter hooks are applied on the client side > (in HiveMetaStoreClient.java). Is there any reason why we can't apply the > filters on the server-side? > Motivation: Some newer apache projects such as Kudu use HMS for metadata > storage. Kudu is not completely Java-based and there are interaction points > where they have C++ clients. In such cases, it would be ideal to have > consistent behavior from HMS side as far as filters, etc are concerned. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[ https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16661303#comment-16661303 ] Karthik Manamcheri commented on HIVE-20776: --- [~vihangk1] hmm This should work if we use Kerberos and pick up the UGI information from the environment yes? > Move HMS filterHooks from client-side to server-side > > > Key: HIVE-20776 > URL: https://issues.apache.org/jira/browse/HIVE-20776 > Project: Hive > Issue Type: Improvement > Components: Standalone Metastore >Reporter: Karthik Manamcheri >Assignee: Karthik Manamcheri >Priority: Major > > In HMS, I noticed that all the filter hooks are applied on the client side > (in HiveMetaStoreClient.java). Is there any reason why we can't apply the > filters on the server-side? > Motivation: Some newer apache projects such as Kudu use HMS for metadata > storage. Kudu is not completely Java-based and there are interaction points > where they have C++ clients. In such cases, it would be ideal to have > consistent behavior from HMS side as far as filters, etc are concerned. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[
https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16657168#comment-16657168
]
Vihang Karajgaonkar commented on HIVE-20776:
Are you talking about {{MetaStoreFilterHook}} implementations? Looks like the
original motivation of these hooks were authorization plugins on the HS2
(client side). If you read the javadoc on the interface, it makes more sense.
{quote}/**
* Metadata filter hook for metastore client. This will be useful for
authorization
* plugins on hiveserver2 to filter metadata results, especially in case of
* non-impersonation mode where the metastore doesn't know the end user's
identity.
*/{quote}
When impersonation is turned OFF (default on secure setups on some
distributions), HMS doesn't really know who the end-user is. And hence it is
hard to implement a authorization policy based on UGI of the end-user. The only
way to enforce such a authorization policy would be on the client side where we
know who is the end-user executing the request.
> Move HMS filterHooks from client-side to server-side
>
>
> Key: HIVE-20776
> URL: https://issues.apache.org/jira/browse/HIVE-20776
> Project: Hive
> Issue Type: Improvement
> Components: Standalone Metastore
>Reporter: Karthik Manamcheri
>Assignee: Karthik Manamcheri
>Priority: Major
>
> In HMS, I noticed that all the filter hooks are applied on the client side
> (in HiveMetaStoreClient.java). Is there any reason why we can't apply the
> filters on the server-side?
> Motivation: Some newer apache projects such as Kudu use HMS for metadata
> storage. Kudu is not completely Java-based and there are interaction points
> where they have C++ clients. In such cases, it would be ideal to have
> consistent behavior from HMS side as far as filters, etc are concerned.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[ https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16656662#comment-16656662 ] Peter Vary commented on HIVE-20776: --- I would very much support such a change. > Move HMS filterHooks from client-side to server-side > > > Key: HIVE-20776 > URL: https://issues.apache.org/jira/browse/HIVE-20776 > Project: Hive > Issue Type: Improvement > Components: Standalone Metastore >Reporter: Karthik Manamcheri >Assignee: Karthik Manamcheri >Priority: Major > > In HMS, I noticed that all the filter hooks are applied on the client side > (in HiveMetaStoreClient.java). Is there any reason why we can't apply the > filters on the server-side? > Motivation: Some newer apache projects such as Kudu use HMS for metadata > storage. Kudu is not completely Java-based and there are interaction points > where they have C++ clients. In such cases, it would be ideal to have > consistent behavior from HMS side as far as filters, etc are concerned. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[ https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16656466#comment-16656466 ] Karthik Manamcheri commented on HIVE-20776: --- [~prasadm] You had worked on [HIVE-8612|https://issues.apache.org/jira/browse/HIVE-8612] originally. Any reason why the filters were implemented on the client-side and not on the server-side? > Move HMS filterHooks from client-side to server-side > > > Key: HIVE-20776 > URL: https://issues.apache.org/jira/browse/HIVE-20776 > Project: Hive > Issue Type: Improvement > Components: Standalone Metastore >Reporter: Karthik Manamcheri >Assignee: Karthik Manamcheri >Priority: Major > > In HMS, I noticed that all the filter hooks are applied on the client side > (in HiveMetaStoreClient.java). Is there any reason why we can't apply the > filters on the server-side? > Motivation: Some newer apache projects such as Kudu use HMS for metadata > storage. Kudu is not completely Java-based and there are interaction points > where they have C++ clients. In such cases, it would be ideal to have > consistent behavior from HMS side as far as filters, etc are concerned. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HIVE-20776) Move HMS filterHooks from client-side to server-side
[ https://issues.apache.org/jira/browse/HIVE-20776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16656461#comment-16656461 ] Karthik Manamcheri commented on HIVE-20776: --- cc [~vihangk1] [~pvary] [~akolb] thoughts? > Move HMS filterHooks from client-side to server-side > > > Key: HIVE-20776 > URL: https://issues.apache.org/jira/browse/HIVE-20776 > Project: Hive > Issue Type: Improvement > Components: Metastore, Standalone Metastore >Reporter: Karthik Manamcheri >Assignee: Karthik Manamcheri >Priority: Major > > In HMS, I noticed that all the filter hooks are applied on the client side > (in HiveMetaStoreClient.java). Is there any reason why we can't apply the > filters on the server-side? > Motivation: Some newer apache projects such as Kudu use HMS for metadata > storage. Kudu is not completely Java-based and there are interaction points > where they have C++ clients. In such cases, it would be ideal to have > consistent behavior from HMS side as far as filters, etc are concerned. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
