hive-dev mailing list archives
From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-7209) allow metastore authorization api calls to be restricted to certain invokers
Date Wed, 11 Jun 2014 23:55:02 GMT

    [ https://issues.apache.org/jira/browse/HIVE-7209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14028602#comment-14028602 ]

Thejas M Nair commented on HIVE-7209:
-------------------------------------

HIVE-7209.1.patch - Has changes to allow for multiple authorizers to be registered for metastore authorization.
Also includes a new authorizer org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly that can be added to the hive.security.metastore.authorization.manager config parameter. It will disallow any metastore api calls in remote metastore mode. If you use HS2 with embedded metastore, the HS2 can make these api calls, as the authorizer disables the calls only in remote mode.

This approach can be extended in follow-up work to allow the api calls to be made to remote metastore by only certain users from certain machines.


> allow metastore authorization api calls to be restricted to certain invokers
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-7209
>                 URL: https://issues.apache.org/jira/browse/HIVE-7209
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication, Metastore
>            Reporter: Thejas M Nair
>            Assignee: Thejas M Nair
>         Attachments: HIVE-7209.1.patch
>
>
> Any user who has direct access to metastore can make metastore api calls that modify the authorization policy.
> The users who can make direct metastore api calls in a secure cluster configuration are usually the 'cluster insiders' such as Pig and MR users, who are not (securely) covered by the metastore based authorization policy. But it makes sense to disallow access from such users as well.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
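The comment above describes two things: several authorizers registered under hive.security.metastore.authorization.manager, and an embed-only authorizer that vetoes authorization-API calls when the metastore is reached remotely but lets an embedded metastore (such as the one inside HS2) make them. The following Python model, added here as an illustration and not code from the Hive patch, shows how that chain behaves: every authorizer is consulted and the first veto denies the call. Only the MetaStoreAuthzAPIAuthorizerEmbedOnly class name is taken from the page; the method names, the MetastoreContext type, and the example.AuditOnlyAuthorizer entry are assumptions made for this example.

```python
"""Model of chained metastore authorizers guarding the authorization API.

Constructed illustration, not Hive's code: every authorizer listed in
hive.security.metastore.authorization.manager gets a chance to veto an
authorization-API call; the call proceeds only if none of them objects.
"""
from dataclasses import dataclass


class AuthorizationException(Exception):
    """Raised by an authorizer to veto a call."""


@dataclass(frozen=True)
class MetastoreContext:
    """What an authorizer can inspect about the incoming call (assumed shape)."""
    remote: bool   # True: client talks to a remote metastore over Thrift;
                   # False: metastore is embedded in the caller (e.g. HS2).
    user: str


class Authorizer:
    """Base authorizer: allows everything (no veto)."""

    def authorize_authorization_api_invocation(self, ctx: MetastoreContext) -> None:
        return None


class EmbedOnlyAuthorizer(Authorizer):
    """Model of MetaStoreAuthzAPIAuthorizerEmbedOnly: vetoes authorization-API
    calls that arrive over a remote metastore connection, allows embedded ones."""

    def authorize_authorization_api_invocation(self, ctx: MetastoreContext) -> None:
        if ctx.remote:
            raise AuthorizationException(
                "authorization API calls to a remote metastore are disabled "
                f"(user={ctx.user})")


class AuditOnlyAuthorizer(Authorizer):
    """Hypothetical second authorizer: records the call but never vetoes it."""

    def __init__(self) -> None:
        self.seen = []

    def authorize_authorization_api_invocation(self, ctx: MetastoreContext) -> None:
        self.seen.append(f"{ctx.user}:{'remote' if ctx.remote else 'embedded'}")


# Class names accepted in the config value. The first is the real class named in
# the patch; the second is a placeholder name used only in this illustration.
AUTHORIZER_CLASSES = {
    "org.apache.hadoop.hive.ql.security.authorization."
    "MetaStoreAuthzAPIAuthorizerEmbedOnly": EmbedOnlyAuthorizer,
    "example.AuditOnlyAuthorizer": AuditOnlyAuthorizer,
}


def load_authorizers(config_value: str) -> list:
    """Parse the comma-separated manager list into authorizer instances.

    An unknown class name is a configuration error and fails loudly rather than
    silently dropping an authorizer from the chain."""
    names = [n.strip() for n in config_value.split(",") if n.strip()]
    unknown = [n for n in names if n not in AUTHORIZER_CLASSES]
    if unknown:
        raise ValueError(f"unknown metastore authorizer(s): {unknown}")
    return [AUTHORIZER_CLASSES[n]() for n in names]


def check_authorization_api_call(authorizers: list, ctx: MetastoreContext) -> tuple:
    """Consult every authorizer in order; the first veto denies the call."""
    for authorizer in authorizers:
        try:
            authorizer.authorize_authorization_api_invocation(ctx)
        except AuthorizationException as exc:
            return False, f"{type(authorizer).__name__}: {exc}"
    return True, "allowed"


if __name__ == "__main__":
    chain = load_authorizers(
        "example.AuditOnlyAuthorizer, "
        "org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly")
    # Constructed contexts: a remote Thrift client and an embedded (HS2-style) caller.
    for ctx in (MetastoreContext(remote=True, user="pig_user"),
                MetastoreContext(remote=False, user="hive")):
        print(ctx, check_authorization_api_call(chain, ctx))
```

The design point the model makes explicit is that the embed-only authorizer does not inspect the user at all: the only thing it decides on is whether the call came in over a remote connection, which is why an HS2 with an embedded metastore keeps working while a direct remote client is refused.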
