hive-issues mailing list archives

From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-12688) HIVE-11826 makes hive unusable in properly secured cluster
Date Wed, 16 Dec 2015 19:14:46 GMT

    [ https://issues.apache.org/jira/browse/HIVE-12688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15060580#comment-15060580 ]

Thejas M Nair commented on HIVE-12688:
--------------------------------------

[~sershe] I was thinking it is better to keep the release clear of blockers to avoid issues.
But we can give a couple of days for a better fix if you are OK with that (as the release manager
for 2.0.0).
It depends on cycles someone has to provide to fix the feature to prevent this regression.
If we make the change to roll back this feature, there is not too much pressure on anyone
working on this.
[~aihuaxu] What do you prefer? Would you have cycles to fix the regression soon? Or would
you prefer adding this feature back again after this patch to roll it out (it gives you more
time that way)?




> HIVE-11826 makes hive unusable in properly secured cluster
> ----------------------------------------------------------
>
>                 Key: HIVE-12688
>                 URL: https://issues.apache.org/jira/browse/HIVE-12688
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 1.3.0, 2.0.0
>            Reporter: Thejas M Nair
>            Assignee: Thejas M Nair
>            Priority: Blocker
>         Attachments: HIVE-12688.1.patch
>
>
> HIVE-11826 makes a change to restrict connections to metastore to users who belong to
> groups under 'hadoop.proxyuser.hive.groups'.
> That property was only meant to be a hadoop property, which controls what users the
> hive user can impersonate. What this change is doing is to enable use of that to also restrict
> who can connect to metastore server. This is new functionality, not a bug fix. There is value
> to this functionality.
> However, this change makes hive unusable in a properly secured cluster. If 'hadoop.proxyuser.hive.hosts'
> is set to the proper set of hosts that run Metastore and Hiveserver2 (instead of a very open
> "*"), then users will be able to connect to metastore only from those hosts.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
