hive-dev mailing list archives

From "Sushanth Sowmyan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-3705) Adding authorization capability to the metastore
Date Tue, 13 Nov 2012 09:51:14 GMT

    [ https://issues.apache.org/jira/browse/HIVE-3705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496067#comment-13496067 ]

Sushanth Sowmyan commented on HIVE-3705:
----------------------------------------

Phabricator review submitted :  https://reviews.facebook.net/D6681

--

HIVE-3705 Enabling authorization from the metastore:

New HiveConf parameters:

hive.security.metastore.authorization.enabled : true/false determining whether or not to do authorization in the metastore
hive.security.metastore.authorization.manager : The class to load to do metastore-side authorization
hive.security.metastore.authenticator.manager : The class to load to do metastore-side authentication

If the first parameter isn't set, default behaviour of hive in both client-mode and metastore-mode
is not affected, and this is disabled by default.

New Interface :

ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java :
an extension of HiveAuthorizationProvider, except with one more function that allows the metastore to pass a HMSHandler to it

Modifications of existing classes :

Minor modifications :
ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java :
added ability to instantiate HiveAuth{orization,entication}Providers given HiveConf key to use
ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java :
changed to account for above

Major modifications :
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java :
refactored to introduce a new HiveProxy that can proxy for either a hive object or a HMSHandler to perform necessary metadata operations
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java :
refactored most of the functionality into a new class : BitSetCheckedAuthorizationProvider, which in turn is extended trivially by DefaultHiveAuthorizationProvider and DefaultHiveMetastoreAuthorizationProvider which implement small glue functionality to make them work from the hive client side and from the hive metastore respectively.

New Classes :

ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java :
As discussed above.
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java :
As discussed above.
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java :
An implementation of the Hive Metastore PreEventListener interface that kicks off the metastore-side authorization
                
> Adding authorization capability to the metastore
> ------------------------------------------------
>
>                 Key: HIVE-3705
>                 URL: https://issues.apache.org/jira/browse/HIVE-3705
>             Project: Hive
>          Issue Type: New Feature
>          Components: Authorization, Metastore
>            Reporter: Sushanth Sowmyan
>         Attachments: HIVE-3705.D6681.1.patch, hivesec_investigation.pdf
>
>
> In an environment where multiple clients access a single metastore, and we want to evolve
> hive security to a point where it's no longer simply preventing users from shooting their
> own foot, we need to be able to authorize metastore calls as well, instead of simply performing
> every metastore api call that's made.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
