hive-dev mailing list archives

From "Eugene Koifman (JIRA)" <>
Subject [jira] [Commented] (HIVE-4442) [HCatalog] WebHCat should not override parameter for Queue call
Date Tue, 03 Sep 2013 20:57:52 GMT


Eugene Koifman commented on HIVE-4442:

The point is that UgiFactory creates a proxy user with proper credentials, while UserGroupInformation.createRemoteUser()
works in "simple" security mode...
Generally, in WebHCat a param "user" is determined by Server#getDoAsUser().
If doAs is specified, the user=doAs, otherwise it's the user making the call.

In the HIVE-4442.3.patch StatusDelegator uses UgiFactory to get UserGroupInformation but the
other 2 use UserGroupInformation.createRemoteUser().

So from a security point of view I think Delete/List/StatusDelegator should all use UgiFactory
with "user" as argument.

UserGroupInformation.getLoginUser() will return the user running WebHCat ("hcat" by default).

> [HCatalog] WebHCat should not override parameter for Queue call
> -------------------------------------------------------------------------
>                 Key: HIVE-4442
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: HCatalog
>            Reporter: Daniel Dai
>         Attachments: HIVE-4442-1.patch, HIVE-4442-2.patch, HIVE-4442-3.patch
> Currently templeton for the Queue call uses the to filter the results of the call in addition to the default security.
> Ideally the filter is an optional parameter to the call independent of the security check.
> I would suggest a parameter in addition to GET queue (jobs) give you all the jobs a user has permission:
> GET queue?showall=true

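Added example (not part of the original message or of any HIVE-4442 patch): the two ways of building a UserGroupInformation that the comment above contrasts, written against Hadoop's public UserGroupInformation API. It assumes UgiFactory amounts to createProxyUser() with the WebHCat login user as the real user; the class name, helper names and the user "alice" are constructed for illustration.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiComparison {

    // Summarise what identity a UGI carries: the effective user, how it was
    // authenticated, and which real (service) user stands behind it, if any.
    static String describe(UserGroupInformation ugi) {
        UserGroupInformation real = ugi.getRealUser();
        return ugi.getShortUserName()
            + " auth=" + ugi.getAuthenticationMethod()
            + " realUser=" + (real == null ? "none" : real.getShortUserName());
    }

    // Assumption: this is what a UgiFactory-style helper boils down to.
    // The effective user is `user`; the credentials are those of the
    // process login user (the account running WebHCat).
    static UserGroupInformation proxyFor(String user) throws Exception {
        return UserGroupInformation.createProxyUser(
            user, UserGroupInformation.getLoginUser());
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation.setConfiguration(new Configuration());

        // Constructed value; in WebHCat this would come from Server#getDoAsUser().
        String user = "alice";

        // Bare identity: a name with no real user and no credentials behind it.
        UserGroupInformation remote = UserGroupInformation.createRemoteUser(user);

        // Proxy identity: "alice" on behalf of the login user. On a secured
        // cluster the server authenticates the real user and then applies its
        // hadoop.proxyuser.* impersonation rules before acting as "alice".
        UserGroupInformation proxy = proxyFor(user);

        System.out.println("createRemoteUser: " + describe(remote));
        System.out.println("createProxyUser:  " + describe(proxy));

        // Delegated calls (delete/list/status) should run inside doAs() on the
        // proxy UGI so that every downstream RPC carries both identities.
        String effective = proxy.doAs((PrivilegedExceptionAction<String>) () ->
            UserGroupInformation.getCurrentUser().getShortUserName());
        System.out.println("inside doAs, current user: " + effective);
    }
}
```

Running it requires hadoop-common on the classpath.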