hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Prasad Mujumdar (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HIVE-5987) The secure metastore service should reject connection from users that it can't impersonate
Date Mon, 09 Dec 2013 07:11:06 GMT
Prasad Mujumdar created HIVE-5987:
-------------------------------------

             Summary: The secure metastore service should reject connection from users that
it can't impersonate
                 Key: HIVE-5987
                 URL: https://issues.apache.org/jira/browse/HIVE-5987
             Project: Hive
          Issue Type: Bug
          Components: Metastore, Security
    Affects Versions: 0.12.0
            Reporter: Prasad Mujumdar
            Assignee: Prasad Mujumdar


The secure metastore always doesn't allow any client to connect without a valid kerberos ticket.
Also the client requests are executed by impersonating the requesting userid. If metastore
principal doesn't have privileges to impersonate the connecting user, then the DDL operations
(eg create table, partition etc) will fail. However any user with valid Kerberos ticket is
can connect to metastore service and perform read-only metadata operations. For example, get
list of databases, tables; properties of each table like HDFS location, file type etc.
The secure metastore behavior should be consistent. If a the metastore server doesn't have
privileges to impersonate the connecting user, then it should reject connection.




--
This message was sent by Atlassian JIRA
(v6.1.4#6159)

Mime
View raw message