Yes. That's right. In secure mode, the streaming connection will set hive.metastore.sasl.enabled to true, which will create a UGI assuming transport, so all Thrift calls are done using the logged-in user.

Thanks and Regards
Prasanth Jayachandran

________________________________
From: Stig Rohde Døssing <[email protected]>
Sent: Wednesday, March 13, 2019 12:44 AM
To: [email protected]
Subject: Re: Hive-streaming security

Thanks Prasanth. Is the automatic authentication a property of the underlying MetaStoreClient?

On Wed, Mar 13, 2019 at 08:34, Prasanth Jayachandran <[email protected]> wrote:

Hi,

If you are logged in, the hive streaming ingest API will use doAs for all metastore calls automatically using the logged-in user.

Thanks and Regards
Prasanth Jayachandran

________________________________
From: Stig Rohde Døssing <[email protected]>
Sent: Wednesday, March 13, 2019 12:19 AM
To: [email protected]
Subject: Re: Hive-streaming security

Sorry, should have looked harder. The docs say to log in before invoking the API. I think this means I should be wrapping calls with doAs?

On Wed, Mar 13, 2019 at 08:09, Stig Rohde Døssing <[email protected]> wrote:

Hi,

The hive-hcatalog-streaming client (HiveEndpoint) took a UserGroupInformation in the constructor for connections, and automatically wrapped calls as necessary with UserGroupInformation.doAs.

I'm migrating an application from hive-hcatalog-streaming to hive-streaming. There's no mention of security at https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2, and I don't see any doAs in the code.

Should I manually wrap calls to HiveStreamingConnection with doAs, or is this handled by the new client? If so, is there a list of calls that should be wrapped?
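
The login-then-connect pattern discussed in this thread, as an added example that is not code from the thread or from the Hive project: the process logs in once and then calls HiveStreamingConnection without any explicit doAs. The keytab login, the principal, keytab path, metastore URI, Kerberos realm and table name are all constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hive.streaming.HiveStreamingConnection;
import org.apache.hive.streaming.StrictDelimitedInputWriter;

public class SecureStreamingIngest {
    public static void main(String[] args) throws Exception {
        // Constructed placeholders: replace with your own service identity.
        String principal = "ingest-svc@EXAMPLE.COM";
        String keytab = "/etc/security/keytabs/ingest-svc.keytab";

        HiveConf conf = new HiveConf();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hive.metastore.uris", "thrift://metastore.example.com:9083");
        conf.set("hive.metastore.kerberos.principal", "hive/_HOST@EXAMPLE.COM");

        // Log in before invoking the streaming API (assumed here: keytab login).
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(principal, keytab);

        // Fail early if the process would otherwise connect unauthenticated.
        UserGroupInformation user = UserGroupInformation.getLoginUser();
        if (!UserGroupInformation.isSecurityEnabled() || !user.hasKerberosCredentials()) {
            throw new IllegalStateException("Kerberos login did not take effect for " + user);
        }

        StrictDelimitedInputWriter writer = StrictDelimitedInputWriter.newBuilder()
            .withFieldDelimiter(',')
            .build();

        // No doAs wrapper: per the thread, metastore calls use the logged-in user.
        HiveStreamingConnection connection = HiveStreamingConnection.newBuilder()
            .withDatabase("default")
            .withTable("alerts")               // constructed table name
            .withAgentInfo("secure-ingest-example")
            .withRecordWriter(writer)
            .withHiveConf(conf)
            .connect();
        try {
            connection.beginTransaction();
            connection.write("1,constructed sample row".getBytes(StandardCharsets.UTF_8));
            connection.commitTransaction();
        } catch (Exception e) {
            connection.abortTransaction();     // do not leave an open transaction behind
            throw e;
        } finally {
            connection.close();
        }
    }
}
```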
