hive-dev mailing list archives

From "Shreepadma Venugopalan (JIRA)" <>
Subject [jira] [Commented] (HIVE-3720) Expand and standardize authorization in Hive
Date Sat, 01 Dec 2012 01:51:59 GMT


Shreepadma Venugopalan commented on HIVE-3720:

@Namit: The authorization model in this proposal mirrors that of MySQL as closely as possible.
The proposal also documents wherever there is a deviation from MySQL's authorization model.
Since Hive's data model is based on that of MySQL, it would make a lot of sense to base the
authorization model on MySQL's as well. The proposed functionality is not necessarily a superset
of the existing authorization functionality but subsumes some of the existing functionality.
While the existing implementation supports authorization on some HiveQL operations, it doesn't
secure all of the operations, provide a way to bootstrap the system etc. This proposal expands
authorization to all HiveQL operations and direct metadata operations that can be performed
by invoking the metastore Thrift API. 

As discussed earlier, since the proposed model standardizes the authorization model to mirror
that of MySQL, it deviates from the existing model wherever the existing implementation
deviates from the authorization model of MySQL or other RDBMSs. The proposed model is also
more fine grained and supports hierarchical privileges much like an RDBMS. For instance, the
proposed model supports CREATE, ALTER, DROP privileges on objects whereas the current model
supports an ALTER_METADATA privilege that includes the privileges needed to perform CREATE,
ALTER, DROP etc. Note that one of the goals is to propose an authorization model such that
finer grained privileges can be added in as necessary later. 

Since the existing implementation is not complete, it is unclear at this point what part of the
functionality has been completely implemented. Perhaps we can mark the existing functionality
in the wiki once we start implementing the proposed model. Thanks.
> Expand and standardize authorization in Hive
> --------------------------------------------
>                 Key: HIVE-3720
>                 URL:
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authorization
>    Affects Versions: 0.9.0
>            Reporter: Shreepadma Venugopalan
>            Assignee: Shreepadma Venugopalan
>         Attachments: Hive_Authorization_Functionality.pdf
> The existing implementation of authorization in Hive is not complete. Additionally the
> existing implementation has security holes. This JIRA is an umbrella JIRA for a) extending
> authorization to all SQL operations and direct metadata operations, and b) standardizing the
> authorization model and its semantics to mirror that of MySQL as closely as possible.
