hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sushanth Sowmyan (JIRA)" <>
Subject [jira] [Commented] (HIVE-12429) Switch default Hive authorization to SQLStandardAuth in 2.0
Date Tue, 12 Jan 2016 20:46:40 GMT


Sushanth Sowmyan commented on HIVE-12429:

Hi Daniel,

The change looks mostly good. I have one concern though :

 final class HCatAuthUtil {
   public static boolean isAuthorizationEnabled(Configuration conf) {
@@ -31,6 +31,7 @@ public static boolean isAuthorizationEnabled(Configuration conf) {
     // additional checks if a V2 authorizer is in use. The reccomended configuration is to
     // use storage based authorization in metastore server
     return HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)
-        && SessionState.get().getAuthorizer() != null;
+        && HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER)
+        == StorageBasedAuthorizationProvider.class.getName();

Basically, the implication seems to be that if a user sets an authorization apart from SBAP,
HCat will then read this as "authorization is not enabled", and proceed without doing any
authorization. I think that's a bit dangerous, in that a user might think that authorization
is happening, but in the background, we ignore that setting. I think it would be better to
do something like throwing the equivalent of an UnsupportedOperationException (in a HCatException
if need be) if a user specifies some other auth.

Also, while we're disabling the old Hive Auth, and we know that v2 auths are not supported
here, there might be a possibility that users may have their own custom authorization provider
that they're using that would be compatible. It might make sense, in that case, to still allow
that use. So, I would say that another possible interpretation would be to do the following:

a) return false if an authorizer is not configured - i.e. if HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED
is false.
b) If HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED is true, then:
      i) return true if SBAP is used.
      ii) if a certain other (new) config flag is used that signals explicit intent by user
to use non-SBAP authorization, return true.
      iii) throw exception.

If this seems overly complex and unnecessary, then let's leave out the (ii) part, and simply
throw an exception if an authorizer is configured, but it's not SBAP - but we do that with
the understanding that we're basically stating that third party auth will not work with HCat,
even if it's a SBAP-equivalent.


> Switch default Hive authorization to SQLStandardAuth in 2.0
> -----------------------------------------------------------
>                 Key: HIVE-12429
>                 URL:
>             Project: Hive
>          Issue Type: Task
>          Components: Authorization, Security
>    Affects Versions: 2.0.0
>            Reporter: Alan Gates
>            Assignee: Daniel Dai
>         Attachments: HIVE-12429.1.patch, HIVE-12429.10.patch, HIVE-12429.11.patch, HIVE-12429.12.patch,
HIVE-12429.13.patch, HIVE-12429.14.patch, HIVE-12429.15.patch, HIVE-12429.16.patch, HIVE-12429.2.patch,
HIVE-12429.3.patch, HIVE-12429.4.patch, HIVE-12429.5.patch, HIVE-12429.6.patch, HIVE-12429.7.patch,
HIVE-12429.8.patch, HIVE-12429.9.patch
> Hive's default authorization is not real security, as it does not secure a number of
features and anyone can grant access to any object to any user.  We should switch the default
to SQLStandardAuth, which provides real authentication.
> As this is a backwards incompatible change this was hard to do previously, but 2.0 gives
us a place to do this type of change.
> By default authorization will still be off, as there are a few other things to set when
turning on authorization (such as the list of admin users).

This message was sent by Atlassian JIRA

View raw message