hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mithun Radhakrishnan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-9681) Extend HiveAuthorizationProvider to support partition-sets.
Date Fri, 20 Feb 2015 02:37:13 GMT

     [ https://issues.apache.org/jira/browse/HIVE-9681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Mithun Radhakrishnan updated HIVE-9681:
---------------------------------------
    Attachment: HIVE-9681.1.patch

Here's a proposal.

> Extend HiveAuthorizationProvider to support partition-sets.
> -----------------------------------------------------------
>
>                 Key: HIVE-9681
>                 URL: https://issues.apache.org/jira/browse/HIVE-9681
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 0.14.0
>            Reporter: Mithun Radhakrishnan
>            Assignee: Mithun Radhakrishnan
>         Attachments: HIVE-9681.1.patch
>
>
> {{HiveAuthorizationProvider}} allows only for the authorization of a single partition
at a time. For instance, when the {{StorageBasedAuthProvider}} must authorize an operation
on a set of partitions (say from a PreDropPartitionEvent), each partition's data-directory
needs to be checked individually. For N partitions, this results in N namenode calls.
> I'd like to add {{authorize()}} overloads that accept multiple partitions. This will
allow StorageBasedAuthProvider to make batched namenode calls. 
> P.S. There's 2 further optimizations that are possible:
> 1. In the ideal case, we'd have a single call in {{org.apache.hadoop.fs.FileSystem}}
to check access for an array of Paths, something like:
> {code:title=FileSystem.java|borderStyle=solid}
> @InterfaceAudience.LimitedPrivate({"HDFS", "Hive"})
>   public void access(Path [] paths, FsAction mode) throws AccessControlException, FileNotFoundException,
IOException 
> {...}
> {code}
> 2. We can go one better if we could retrieve partition-locations in DirectSQL and use
those for authorization. The EventListener-abstraction behind which the AuthProviders operate
make this difficult. I can attempt to solve this using a PartitionSpec and a call-back into
the ObjectStore from StorageBasedAuthProvider. I'll save this rigmarole for later.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message