hadoop-hive-dev mailing list archives

From "Edward Capriolo (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HIVE-78) Authentication infrastructure for Hive
Date Thu, 17 Sep 2009 22:19:58 GMT

    [ https://issues.apache.org/jira/browse/HIVE-78?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12756817#action_12756817
] 

Edward Capriolo commented on HIVE-78:
-------------------------------------

@namit,

I think I can explain why AS made sense at the time. My plan was not to decouple users from
a rule. See my little patch.

{noformat}
+struct AccessControl {
+  1: list<string>	user,
+  2: list<string>	group,
+  3: list<string>	database,
+  4: list<string>	table,
+  5: list<string>	partition,
+  6: list<string>	column,
+  7: list<string>	priv,
+  8: string		name
+}
{noformat}
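
Review bot: fields 1-7 of AccessControl are all bare list<string>, and the struct does not say what an empty or unset list means, so a rule whose user or table list is empty could be read either as matching nothing or as matching everything. Please document the intended semantics in the IDL (an empty list matching nothing is the safer default) and add a comment on each field. Consider also whether priv should be a list of a Thrift enum rather than free-form strings, so that an unrecognized privilege name is rejected at the interface instead of being stored in a rule.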

I wanted to be more or less immutable or support really simple syntax.

Something like this is doable:
{noformat}
GRANT my_permission to USER3;
{noformat}
But it seems to imply that users are decoupled from the rule.
This is really not true: in my design, a user or group is just another multivalued attribute
of the rule.

I would like the format to be interchangeable:
{noformat}
ALTER my_permission add db 'db';
ALTER my_permission add table 'db.table';
ALTER my_permission drop table 'db.table';
{noformat}

@Min,
Above in this Jira, see Ashish's comment:

{noformat}
I agree, it is best to punt authentication to the authentication systems (LDAP, kerb etc.
etc.) and concentrate on authorization (privileges) here. 
{noformat}

The goal here is to trust the User/group information as hadoop does, and create a system that
grants/revokes privileges.  Authentication and Authorization are two separate things so our
Jira is misnamed :)

I will review your patch, just to see what you came up with. As I said, you are farther along
than I am, and this has been off my radar so I don't mind passing the baton, but Namit is
right: we have to agree on the syntax and what we are controlling, because down the
road it will be an issue.





> Authentication infrastructure for Hive
> --------------------------------------
>
>                 Key: HIVE-78
>                 URL: https://issues.apache.org/jira/browse/HIVE-78
>             Project: Hadoop Hive
>          Issue Type: New Feature
>          Components: Server Infrastructure
>            Reporter: Ashish Thusoo
>            Assignee: Edward Capriolo
>         Attachments: hive-78-metadata-v1.patch, hive-78-syntax-v1.patch, hive-78.diff
>
>
> Allow hive to integrate with existing user repositories for authentication and authorization information.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

