Return-Path: X-Original-To: apmail-hive-dev-archive@www.apache.org Delivered-To: apmail-hive-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6AEA19122 for ; Thu, 16 Feb 2012 22:33:24 +0000 (UTC) Received: (qmail 58029 invoked by uid 500); 16 Feb 2012 22:33:24 -0000 Delivered-To: apmail-hive-dev-archive@hive.apache.org Received: (qmail 57979 invoked by uid 500); 16 Feb 2012 22:33:24 -0000 Mailing-List: contact dev-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hive.apache.org Delivered-To: mailing list dev@hive.apache.org Received: (qmail 57971 invoked by uid 500); 16 Feb 2012 22:33:23 -0000 Delivered-To: apmail-hadoop-hive-dev@hadoop.apache.org Received: (qmail 57968 invoked by uid 99); 16 Feb 2012 22:33:23 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Feb 2012 22:33:23 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Feb 2012 22:33:21 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 9A8321BB5D1 for ; Thu, 16 Feb 2012 22:33:00 +0000 (UTC) Date: Thu, 16 Feb 2012 22:33:00 +0000 (UTC) From: "Enis Soztutar (Created) (JIRA)" To: hive-dev@hadoop.apache.org Message-ID: <4947439.48487.1329431580634.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Created] (HIVE-2809) StorageHandler authorization providers MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org StorageHandler authorization providers -------------------------------------- Key: HIVE-2809 URL: https://issues.apache.org/jira/browse/HIVE-2809 Project: Hive Issue Type: New Feature Affects Versions: 0.9.0 Reporter: Enis Soztutar Assignee: Enis Soztutar In this issue, we would like to discuss the possibility of supplementing the Hive authorization model with authorization at the storage level. As discussed in HIVE-1943, Hive should also check for operation permissions in hdfs and hbase, since otherwise, data and metadata can be in an inconsistent state or be orphaned. Going a step further, some of the setups might not need the full featured auth model by Hive, but want to rely on managing the permissions at the data layer. In this model, the metadata operations are checked first from hdfs/hbase and it is allowed only if they are allowed at the data layer. The semantics are documented at https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design. So, the goals of this issue are: - Port storage handler specific authorization providers, and the StorageDelegationAuthorizationProvider from HCATALOG-245 and HCATALOG-260 to Hive. - Keep current Hive's default authorization provider, and enable user to use this and/or the storage one. auth providers are already configurable. - Move the manual checks that had to be performed about authorization in Hcat to Hive, specifically: -- CREATE DATABASE/TABLE, ADD PARTITION statements does not call HiveAuthorizationProvider.authorize() with the candidate objects, which means that we cannot do checks against defined LOCATION. -- HiveOperation does not define sufficient Privileges for most of the operations, especially database operations. -- For some of the operations, Hive SemanticAnalyzer does not add the changed object as a WriteEntity or ReadEntity. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira