hive-dev mailing list archives

From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-4984) hive metastore should not re-use hadoop proxy configuration
Date Fri, 02 Aug 2013 02:19:48 GMT

     [ https://issues.apache.org/jira/browse/HIVE-4984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thejas M Nair updated HIVE-4984:
--------------------------------

    Component/s: Security
    
> hive metastore should not re-use hadoop proxy configuration
> -----------------------------------------------------------
>
>                 Key: HIVE-4984
>                 URL: https://issues.apache.org/jira/browse/HIVE-4984
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore, Security
>    Affects Versions: 0.12.0
>            Reporter: Thejas M Nair
>
> Hive metastore supports proxyuser/doas functionality like hadoop [1].
> Metastore allows anybody who has proxyuser privileges in core-site.xml, to be a metastore proxy user.
> This is bad from a security perspective, because when a user is made proxy user for hadoop, it gets automatic privilege as proxy user for metastore as well.
> The more secure approach is to use metastore specific config parameters, like what oozie does. [2]
> [1] http://hadoop.apache.org/docs/stable/Secure_Impersonation.html
> [2] http://oozie.apache.org/docs/3.2.0-incubating/AG_Install.html#User_ProxyUser_Configuration

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
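
An added example, not part of the original message and not Hive's code: under the behaviour the issue describes, every account granted proxy rights in core-site.xml is implicitly a metastore proxy user too, so listing the `hadoop.proxyuser.<user>.hosts` and `.groups` entries shows who holds that privilege. The sample configuration, account names and hosts are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

PREFIX = "hadoop.proxyuser."

# Constructed sample core-site.xml; the account names and hosts are made up.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com:8020</value></property>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>oozie1.example.com</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>etl</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
</configuration>"""

def proxy_users(core_site_xml):
    """Return {superuser: {"hosts": [...], "groups": [...]}} from core-site.xml text."""
    grants = defaultdict(lambda: {"hosts": [], "groups": []})
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # Property names look like hadoop.proxyuser.<superuser>.hosts|groups
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if user and kind in ("hosts", "groups"):
            value = prop.findtext("value") or ""
            grants[user][kind] = [v.strip() for v in value.split(",") if v.strip()]
    return dict(grants)

def audit(core_site_xml):
    """List each Hadoop proxy user, flagging grants with wildcard hosts or groups."""
    findings = []
    for user, grant in sorted(proxy_users(core_site_xml).items()):
        wildcard = "*" in grant["hosts"] or "*" in grant["groups"]
        findings.append((user, grant["hosts"], grant["groups"], wildcard))
    return findings

if __name__ == "__main__":
    for user, hosts, groups, wildcard in audit(SAMPLE_CORE_SITE):
        note = "  <-- unrestricted" if wildcard else ""
        print(f"{user}: hosts={hosts} groups={groups}{note}")
```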
