hive-dev mailing list archives

From "Phabricator (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-3705) Adding authorization capability to the metastore
Date Tue, 13 Nov 2012 09:51:14 GMT

     [ https://issues.apache.org/jira/browse/HIVE-3705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phabricator updated HIVE-3705:
------------------------------

    Attachment: HIVE-3705.D6681.1.patch

khorgath requested code review of "HIVE-3705 [jira] Adding authorization capability to the metastore".
Reviewers: JIRA

  HIVE-3705 Enabling authorization from the metastore:

  New HiveConf parameters:

  	hive.security.metastore.authorization.enabled : true/false determining whether or not to do authorization in the metastore
  	hive.security.metastore.authorization.manager : The class to load to do metastore-side authorization
  	hive.security.metastore.authenticator.manager : The class to load to do metastore-side authentication

  If the first parameter isn't set, default behaviour of hive in both client-mode and metastore-mode is not affected, and this is disabled by default.

  New Interface :

  	ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java :
  		an extension of HiveAuthorizationProvider, except with one more function that allows the metastore to pass a HMSHandler to it

  Modifications of existing classes :

  	Minor modifications :
  		ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java :
  			added ability to instantiate HiveAuth{orization,entication}Providers given HiveConf key to use
  		ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java :
  			changed to account for above

  	Major modifications :
  		ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java :
  			refactored to introduce a new HiveProxy that can proxy for either a hive object or a HMSHandler to perform necessary metadata operations
  		ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java :
  			refactored most of the functionality into a new class : BitSetCheckedAuthorizationProvider, which in turn is extended trivially by DefaultHiveAuthorizationProvider and DefaultHiveMetastoreAuthorizationProvider which implement small glue functionality to make them work from the hive client side and from the hive metastore respectively.

  New Classes :

  	ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java :
  		As discussed above.
  	ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java :
  		As discussed above.
  	ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java :
  		An implementation of the Hive Metastore PreEventListener interface that kicks off the metastore-side authorization

TEST PLAN
  Following testcases added :
  	ql/src/test/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java
  	ql/src/test/org/apache/hadoop/hive/ql/security/TestAuthorizationPreEventListener.java
  	ql/src/test/org/apache/hadoop/hive/ql/security/TestDefaultHiveMetastoreAuthorizationProvider.java

  In an environment where multiple clients access a single metastore, and we want to evolve
hive security to a point where it's no longer simply preventing users from shooting their
own foot, we need to be able to authorize metastore calls as well, instead of simply performing
every metastore api call that's made.

REVISION DETAIL
  https://reviews.facebook.net/D6681

AFFECTED FILES
  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
  conf/hive-default.xml.template
  ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
  ql/src/test/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java
  ql/src/test/org/apache/hadoop/hive/ql/security/TestAuthorizationPreEventListener.java
  ql/src/test/org/apache/hadoop/hive/ql/security/TestDefaultHiveMetastoreAuthorizationProvider.java


To: JIRA, khorgath

                
> Adding authorization capability to the metastore
> ------------------------------------------------
>
>                 Key: HIVE-3705
>                 URL: https://issues.apache.org/jira/browse/HIVE-3705
>             Project: Hive
>          Issue Type: New Feature
>          Components: Authorization, Metastore
>            Reporter: Sushanth Sowmyan
>         Attachments: HIVE-3705.D6681.1.patch, hivesec_investigation.pdf
>
>
> In an environment where multiple clients access a single metastore, and we want to evolve hive security to a point where it's no longer simply preventing users from shooting their own foot, we need to be able to authorize metastore calls as well, instead of simply performing every metastore api call that's made.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
