hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eugene Koifman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-4442) [HCatalog] WebHCat should not override user.name parameter for Queue call
Date Tue, 03 Sep 2013 20:57:52 GMT

    [ https://issues.apache.org/jira/browse/HIVE-4442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13757061#comment-13757061
] 

Eugene Koifman commented on HIVE-4442:
--------------------------------------

The point is that UgiFactory creates a proxy user with proper credentials, while UserGroupInformation.createRemoteUser()
works in "simple" security mode...
Generally, in WebHCat a param "user" is determined by Server#getDoAsUser().
If doAs is specified, the user=doAs, otherwise it's the user making the call.

In the HIVE-4442.3.patch StatusDelegator uses UgiFactory to get UserGroupInformation but the
other 2 use UserGroupInformation.createRemoteUser().

So from a security point of view I think Delete/List/StatusDelegator should all use UgiFactory
with "user" as argument.

UserGroupInformation.getLoginUser() will return the user running WebHCat ("hcat" by default).



                
> [HCatalog] WebHCat should not override user.name parameter for Queue call
> -------------------------------------------------------------------------
>
>                 Key: HIVE-4442
>                 URL: https://issues.apache.org/jira/browse/HIVE-4442
>             Project: Hive
>          Issue Type: Bug
>          Components: HCatalog
>            Reporter: Daniel Dai
>         Attachments: HIVE-4442-1.patch, HIVE-4442-2.patch, HIVE-4442-3.patch
>
>
> Currently templeton for the Queue call uses the user.name to filter the results of the
call in addition to the default security.
> Ideally the filter is an optional parameter to the call independent of the security check.
> I would suggest a parameter in addition to GET queue (jobs) give you all the jobs a user
have permission:
> GET queue?showall=true

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message