hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Amareshwari Sriramadasu (JIRA)" <>
Subject [jira] [Commented] (HIVE-1988) Make the delegation token issued by the MetaStore owned by the right user
Date Tue, 05 Apr 2011 07:56:05 GMT


Amareshwari Sriramadasu commented on HIVE-1988:

Changes look good overall. I updated the review board with some minor comments. You can upload
the next patch with generated code.

> Make the delegation token issued by the MetaStore owned by the right user
> -------------------------------------------------------------------------
>                 Key: HIVE-1988
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore, Security, Server Infrastructure
>    Affects Versions: 0.7.0
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.8.0
>         Attachments: hive-1988-3.patch, hive-1988.patch
> The 'owner' of any delegation token issued by the MetaStore is set to the requesting
user. When a delegation token is asked by the user himself during a job submission, this is
fine. However, in the case where the token is requested for by services (e.g., Oozie), on
behalf of the user, the token's owner is set to the user the service is running as. Later
on, when the token is used by a MapReduce task, the MetaStore treats the incoming request
as coming from Oozie and does operations as Oozie. This means any new directory creations
(e.g., create_table) on the hdfs by the MetaStore will end up with Oozie as the owner.
> Also, the MetaStore doesn't check whether a user asking for a token on behalf of some
other user, is actually authorized to act on behalf of that other user. We should start using
the ProxyUser authorization in the MetaStore (HADOOP-6510's APIs).

This message is automatically generated by JIRA.
For more information on JIRA, see:

View raw message