Date: Tue, 5 Apr 2011 21:27:05 +0000 (UTC)
From: "jiraposter@reviews.apache.org (JIRA)"
To: hive-dev@hadoop.apache.org
Message-ID: <434903309.36013.1302038825928.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <634735947.14653.1297683957461.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (HIVE-1988) Make the delegation token issued by the MetaStore owned by the right user

    [
https://issues.apache.org/jira/browse/HIVE-1988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13016129#comment-13016129 ]

jiraposter@reviews.apache.org commented on HIVE-1988:
-----------------------------------------------------

bq. On 2011-04-05 07:52:15, Amareshwari Sriramadasu wrote:
bq. > http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java, line 152
bq. >
bq. > HadoopShims.isSecureShimImpl() is not called anywhere else. Shall we remove it if not required anymore?

I suggest we leave it there. This seems like a useful method, and I am actually using it in another patch.

bq. On 2011-04-05 07:52:15, Amareshwari Sriramadasu wrote:
bq. > http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java, lines 144-156
bq. >
bq. > Do you want to move this into setup(), as it is common in both testcases?

Done

bq. On 2011-04-05 07:52:15, Amareshwari Sriramadasu wrote:
bq. > http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java, lines 192-209
bq. >
bq. > code looks duplicated. Can it be refactored by passing group names to a method?

Done

- Devaraj

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/528/#review386
-----------------------------------------------------------

On 2011-03-29 10:26:38, Devaraj Das wrote:
bq.
bq. -----------------------------------------------------------
bq. This is an automatically generated e-mail. To reply, visit:
bq. https://reviews.apache.org/r/528/
bq. -----------------------------------------------------------
bq.
bq. (Updated 2011-03-29 10:26:38)
bq.
bq. Review request for hive.
bq.
bq. Summary
bq. -------
bq.
bq. Fixes to some security issues discussed in HIVE-1988
bq.
bq. This addresses bug HIVE-1988.
bq. https://issues.apache.org/jira/browse/HIVE-1988
bq.
bq. Diffs
bq. -----
bq.
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/if/hive_metastore.thrift 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 1085623
bq. http://svn.apache.org/repos/asf/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java 1085623
bq.
bq. Diff: https://reviews.apache.org/r/528/diff
bq.
bq. Testing
bq. -------
bq.
bq. New unit test added and that passes. All unit tests passed.
bq.
bq. Thanks,
bq.
bq. Devaraj
bq.

> Make the delegation token issued by the MetaStore owned by the right user
> -------------------------------------------------------------------------
>
>                 Key: HIVE-1988
>                 URL: https://issues.apache.org/jira/browse/HIVE-1988
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore, Security, Server Infrastructure
>    Affects Versions: 0.7.0
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.8.0
>
>         Attachments: hive-1988-3.patch, hive-1988.patch
>
>
> The 'owner' of any delegation token issued by the MetaStore is set to the requesting user. When a delegation token is asked by the user himself during a job submission, this is fine.
> However, in the case where the token is requested for by services (e.g., Oozie), on behalf of the user, the token's owner is set to the user the service is running as. Later on, when the token is used by a MapReduce task, the MetaStore treats the incoming request as coming from Oozie and does operations as Oozie. This means any new directory creations (e.g., create_table) on the hdfs by the MetaStore will end up with Oozie as the owner.
> Also, the MetaStore doesn't check whether a user asking for a token on behalf of some other user, is actually authorized to act on behalf of that other user. We should start using the ProxyUser authorization in the MetaStore (HADOOP-6510's APIs).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
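
The two problems in the HIVE-1988 description above (token owner set to the calling service, and no check that the service may act for the named user), shown as an added example that is not part of the original message or of the Hive patch. It is a self-contained model with no Hadoop dependency: the `Token` record, the `issueBefore`/`issueAfter` methods, and the users, groups and host address are all constructed, and the policy maps only imitate Hadoop's `hadoop.proxyuser.<service>.groups` and `.hosts` settings.

```java
import java.util.*;

// Added illustration only: a stand-alone model, not Hive or Hadoop code.
public class TokenOwnerDemo {
    // Hypothetical token: 'owner' is who the MetaStore acts as, 'realUser' is who authenticated.
    record Token(String owner, String realUser) {}

    // Constructed proxy-user policy, modelled on hadoop.proxyuser.<service>.groups / .hosts.
    static final Map<String, Set<String>> PROXY_GROUPS = Map.of("oozie", Set.of("analysts"));
    static final Map<String, Set<String>> PROXY_HOSTS = Map.of("oozie", Set.of("10.0.0.5"));
    // Constructed group membership of end users.
    static final Map<String, Set<String>> USER_GROUPS =
            Map.of("alice", Set.of("analysts"), "bob", Set.of("finance"));

    // Behaviour the issue describes: the owner is always the authenticated caller,
    // so later MetaStore operations run as the service, not as the end user.
    static Token issueBefore(String caller, String onBehalfOf) {
        return new Token(caller, caller);
    }

    // Intended behaviour: the owner is the end user, but only after checking that
    // the caller is allowed to impersonate that user from that host.
    static Token issueAfter(String caller, String onBehalfOf, String callerHost) {
        if (caller.equals(onBehalfOf)) {
            return new Token(caller, caller);   // user asking for their own token
        }
        Set<String> allowedGroups = PROXY_GROUPS.getOrDefault(caller, Set.of());
        Set<String> allowedHosts = PROXY_HOSTS.getOrDefault(caller, Set.of());
        Set<String> targetGroups = USER_GROUPS.getOrDefault(onBehalfOf, Set.of());
        boolean groupOk = !Collections.disjoint(allowedGroups, targetGroups);
        if (!groupOk || !allowedHosts.contains(callerHost)) {
            throw new SecurityException(caller + " may not impersonate " + onBehalfOf);
        }
        return new Token(onBehalfOf, caller);
    }

    public static void main(String[] args) {
        // The issue's scenario: the service requests a token for alice.
        System.out.println("before: " + issueBefore("oozie", "alice"));
        System.out.println("after:  " + issueAfter("oozie", "alice", "10.0.0.5"));
        // Impersonation outside the policy must be refused: wrong group, then unknown caller.
        String[][] denied = {{"oozie", "bob", "10.0.0.5"}, {"mallory", "alice", "10.0.0.9"}};
        for (String[] d : denied) {
            try {
                issueAfter(d[0], d[1], d[2]);
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```

The `record` syntax needs Java 16 or later.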