hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-5928) Add a hive authorization plugin api that does not assume privileges needed
Date Tue, 14 Jan 2014 03:51:56 GMT

     [ https://issues.apache.org/jira/browse/HIVE-5928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Thejas M Nair updated HIVE-5928:
--------------------------------

    Description: 
The existing HiveAuthorizationProvider interface implementations can be used to support custom
authorization models.
But this interface limits the customization for these reasons -
1. It has assumptions about the privileges required for an action.
2. It does have not functions that you can implement for having custom ways of doing the actions
of access control statements.

This jira proposes a new interface HiveAuthorizer that does not make assumptions of the privileges
required for the actions. The authorize() functions will be equivalent of authorize(<operation
type>, <input objects>, <output objects>). It will also have functions that
will be called from the access control statements.

The current HiveAuthorizationProvider will continue to be supported for backward compatibility.


  was:
The existing HiveAuthorizationProvider interface implementations can be used to support custom
authorization models.
But this interface limits the customization for these reasons -
1. It has assumptions about the privileges required for an action.
2. It does have not functions that you can implement for having custom ways of doing the actions
of access control statements.

This jira proposes a new interface HiveBaseAuthorizationProvider that does not make assumptions
of the privileges required for the actions. The authorize() functions will be equivalent of
authorize(<hive object>, <action>). It will also have functions that will be called
from the access control statements.

The current HiveAuthorizationProvider will continue to be supported for backward compatibility.
There will be a subclass of HiveBaseAuthorizationProvider that executes actions using this
interface.



> Add a hive authorization plugin api that does not assume privileges needed
> --------------------------------------------------------------------------
>
>                 Key: HIVE-5928
>                 URL: https://issues.apache.org/jira/browse/HIVE-5928
>             Project: Hive
>          Issue Type: Sub-task
>          Components: Authorization
>            Reporter: Thejas M Nair
>            Assignee: Thejas M Nair
>         Attachments: HIVE-5928.1.patch, hive_auth_class_preview.txt
>
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> The existing HiveAuthorizationProvider interface implementations can be used to support
custom authorization models.
> But this interface limits the customization for these reasons -
> 1. It has assumptions about the privileges required for an action.
> 2. It does have not functions that you can implement for having custom ways of doing
the actions of access control statements.
> This jira proposes a new interface HiveAuthorizer that does not make assumptions of the
privileges required for the actions. The authorize() functions will be equivalent of authorize(<operation
type>, <input objects>, <output objects>). It will also have functions that
will be called from the access control statements.
> The current HiveAuthorizationProvider will continue to be supported for backward compatibility.




--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message