hadoop-hive-dev mailing list archives

From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HIVE-842) Authentication Infrastructure for Hive
Date Thu, 23 Sep 2010 23:51:38 GMT

    [ https://issues.apache.org/jira/browse/HIVE-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914281#action_12914281 ]

Todd Lipcon commented on HIVE-842:
----------------------------------

I have this basically working. A couple questions I wanted to run by people before posting
a patch:

- Should the metastore always take HDFS actions as the user making the RPC? Or, for example,
with a create table call, should it act as the "owner" specified in the thrift call regardless
of the authenticated user? If the latter, what authorization mechanism do we need? (i.e., is
there a use case where user A can make tables on behalf of user B?)

- Are there any metastore operations that should be done as a metastore principal, or should
all HDFS access be done as the authenticated user?

- If we see that Hadoop Security is enabled, should we enable SASL on the metastore thrift
server by default? If SASL-thrift is not enabled, what user should the metastore act as? In
other words, should there be an option whereby the metastore uses a keytab to authenticate
to HDFS, but doesn't require users to authenticate to it?


> Authentication Infrastructure for Hive
> --------------------------------------
>
>                 Key: HIVE-842
>                 URL: https://issues.apache.org/jira/browse/HIVE-842
>             Project: Hadoop Hive
>          Issue Type: New Feature
>          Components: Server Infrastructure
>            Reporter: Edward Capriolo
>            Assignee: Todd Lipcon
>         Attachments: HiveSecurityThoughts.pdf
>
>
> This issue deals with the authentication (user name, password) infrastructure. Not the
> authorization components that specify what a user should be able to do.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

