hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Devaraj Das (JIRA)" <j...@apache.org>
Subject [jira] Created: (HIVE-1988) Make the delegation token issued by the MetaStore owned by the right user
Date Mon, 14 Feb 2011 11:45:57 GMT
Make the delegation token issued by the MetaStore owned by the right user
-------------------------------------------------------------------------

                 Key: HIVE-1988
                 URL: https://issues.apache.org/jira/browse/HIVE-1988
             Project: Hive
          Issue Type: Bug
          Components: Metastore, Security, Server Infrastructure
    Affects Versions: 0.7.0
            Reporter: Devaraj Das
             Fix For: 0.7.0


The 'owner' of any delegation token issued by the MetaStore is set to the requesting user.
When a delegation token is asked by the user himself during a job submission, this is fine.
However, in the case where the token is requested for by services (e.g., Oozie), on behalf
of the user, the token's owner is set to the user the service is running as. Later on, when
the token is used by a MapReduce task, the MetaStore treats the incoming request as coming
from Oozie and does operations as Oozie. This means any new directory creations (e.g., create_table)
on the hdfs by the MetaStore will end up with Oozie as the owner.

Also, the MetaStore doesn't check whether a user asking for a token on behalf of some other
user, is actually authorized to act on behalf of that other user. We should start using the
ProxyUser authorization in the MetaStore (HADOOP-6510's APIs).

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message