hadoop-hive-dev mailing list archives

From John Sichi <jsi...@facebook.com>
Subject Fwd: [howldev] Initial thoughts on authorization in howl
Date Wed, 28 Jul 2010 21:21:56 GMT
Begin forwarded message:

From: Pradeep Kamath <pradeepk@yahoo-inc.com>
Date: July 27, 2010 4:38:42 PM PDT
To: <howldev@yahoogroups.com>
Subject: [howldev] Initial thoughts on authorization in howl
Reply-To: <howldev@yahoogroups.com>



The initial thoughts on authorization in howl are to model authorization (for DDL ops like
create table/drop table/add partition etc) after hdfs permissions. To be able to do this,
we would like to extend createTable() to add the ability to record a different group from
the user’s primary group and to record the complete unix permissions on the table directory.
Also, we would like to have a way for partition directories to inherit permissions and group
information based on the table directory. To keep the metastore backward compatible for use
with hive, I propose having conf variables to achieve these objectives:
- table.group.name – value will indicate the name
of the unix group for the table directory. This will be used by createTable() to perform a
chgrp to the value provided. This property will provide the user the ability to choose from
one of the many unix groups he is part of to associate with the table.
- table.permissions – value will be of the form rwxrwxrwx to indicate read-write-execute
permissions on the table directory. This will be used by createTable() to perform a chmod
to the value provided. This will let the user decide what permissions he wants on the table.
- partitions.inherit.permissions – a value of true will indicate that partitions
inherit the group name and permissions of the table level directory. This will be used by
addPartition() to perform a chgrp and chmod to the values as on the table directory.

I favor conf properties over API changes since the complete authorization design for hive
is not finalized yet. These properties can be deprecated/removed when that is in place. These
properties would also be useful to some installations of vanilla hive since at least DFS level
authorization can now be achieved by hive without the user having to manually perform chgrp
and chmod operations on DFS.

I would like to hear from hive developers/committers whether this would be acceptable for
hive and also thoughts from others.

Pradeep
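
An added example, not part of the original message and not Hive or Howl code: a local-filesystem sketch of how the proposed table.permissions and partitions.inherit.permissions properties would behave, with strict validation of the rwxrwxrwx form. The function names and the sample table and partition names are hypothetical, os.mkdir/os.chmod stand in for the DFS calls, and the chgrp step for table.group.name is left out because it depends on the groups of the account running it.

```python
import os
import tempfile

# Property names come from the proposal; every function name here is hypothetical.
PERM_KEY = "table.permissions"
INHERIT_KEY = "partitions.inherit.permissions"

def parse_permissions(value):
    """Turn the proposed 'rwxrwxrwx' form into a numeric mode; reject anything else."""
    if len(value) != 9:
        raise ValueError("expected 9 characters, got %r" % value)
    mode = 0
    for i, ch in enumerate(value):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("bad character %r at position %d" % (ch, i))
    return mode

def mode_of(path):
    return os.stat(path).st_mode & 0o777

def create_table(root, name, conf):
    """mkdir the table directory, then chmod it if table.permissions is set."""
    path = os.path.join(root, name)
    os.mkdir(path)
    if PERM_KEY in conf:
        os.chmod(path, parse_permissions(conf[PERM_KEY]))
    return path

def add_partition(table_path, spec, conf):
    """mkdir the partition; copy the table's mode only when inheritance is 'true'."""
    path = os.path.join(table_path, spec)
    os.mkdir(path)
    if conf.get(INHERIT_KEY, "false").lower() == "true":
        os.chmod(path, mode_of(table_path))
    return path

def demo():  # constructed scenario: one inheriting and one non-inheriting partition
    old_umask = os.umask(0o022)  # pin the default so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as root:
            conf = {PERM_KEY: "rwxr-x---", INHERIT_KEY: "true"}
            table = create_table(root, "web_logs", conf)
            inherited = add_partition(table, "ds=2010-07-27", conf)
            plain = add_partition(table, "ds=2010-07-28", {PERM_KEY: "rwxr-x---"})
            return mode_of(table), mode_of(inherited), mode_of(plain)
    finally:
        os.umask(old_umask)
```

With the umask pinned to 022, the partition added without inheritance ends up with mode 755 while the table directory is 750; the inheriting partition matches the table.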


