hive-user mailing list archives

From Koert Kuipers <>
Subject Re: Hive thrift interface and user permissions / user auditing
Date Tue, 06 Sep 2011 16:09:12 GMT
The metastore is running as user "hive", and we are indeed running unsecured.
Do I understand it correctly that the thrift interface does provide a way
to communicate the identity but in unsecured mode it is not being used?
And does this mean that if I care about seeing the correct user execute the
query in the logs, I have to use secure hadoop (with Kerberos)?
Does secure mode support hive JDBC?
Thanks! Koert

On Tue, Sep 6, 2011 at 11:47 AM, Ashutosh Chauhan <> wrote:

> Hey Koert,
> I am assuming 'thrift' is the name of user through which thrift metastore
> is running. I also assume you are running in unsecure mode. If you run with
> security turned on, meaning secure hadoop cluster with secure thrift server,
> you will see the name of the original user. This is so because in secure
> mode, metastore server proxies the original user through doAs() which
> preserves the identity which is not the case in unsecure mode.
> Through hive client you see the usernames correctly even in unsecure mode
> because it's a hive client process (which is run as koert) which does the
> filesystem operations.
> Hope it helps,
>  Ashutosh
> On Tue, Sep 6, 2011 at 08:22, Koert Kuipers <> wrote:
>> When I run a query from the hive command line client I can see that it is
>> being run as me (for example, in HDFS log I see INFO
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit: ugi=koert).
>> But when I do anything with the thrift interface my username is lost (I
>> see ugi=thrift in HDFS logs). Is there a way in the thrift interface to
>> communicate/preserve the username?
>> And if this is possible in thrift, then what about jdbc? I tried creating
>> a jdbc connection with username and password passed in but as far as I can
>> see it is ignored (ugi=thrift again in the HDFS logs).
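
The audit gap discussed in this thread can be measured from the HDFS audit log. The following is an added example, not part of the original messages or of Hive/Hadoop code: it sorts audit entries into those made directly as a user, those proxied through doAs(), and those where only the service account is visible. The field layout, the "via" form of a proxied ugi, the service account set and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: accounts the Hive services run as ("hive" and "thrift" appear in the thread).
SERVICE_ACCOUNTS = {"hive", "thrift"}

# Assumed audit layout: ugi=<identity> ip=<addr> cmd=<op> src=<path> ...
FIELD_RE = re.compile(r"ugi=(?P<ugi>.*?)\s+ip=(?P<ip>\S+)\s+cmd=(?P<cmd>\S+)\s+src=(?P<src>\S+)")

# Constructed sample lines, not taken from a real cluster.
SAMPLE_LOG = """\
2011-09-06 08:20:01,112 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit: ugi=koert,users\tip=/10.0.0.5\tcmd=open\tsrc=/user/hive/warehouse/t1/part-0\tdst=null\tperm=null
2011-09-06 08:21:44,530 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit: ugi=thrift,hadoop\tip=/10.0.0.9\tcmd=open\tsrc=/user/hive/warehouse/t1/part-0\tdst=null\tperm=null
2011-09-06 08:21:45,002 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit: ugi=thrift,hadoop\tip=/10.0.0.9\tcmd=listStatus\tsrc=/user/hive/warehouse/t1\tdst=null\tperm=null
2011-09-06 09:02:13,874 INFO org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit: ugi=koert (auth:PROXY) via hive (auth:KERBEROS)\tip=/10.0.0.9\tcmd=open\tsrc=/user/hive/warehouse/t1/part-0\tdst=null\tperm=null
"""

def _name(identity):
    # "koert,users" and "koert (auth:PROXY)" both reduce to "koert".
    return re.split(r"[\s,(]", identity.strip(), maxsplit=1)[0]

def parse_audit_line(line):
    m = FIELD_RE.search(line)
    if m is None:
        return None
    effective, _, real = m.group("ugi").partition(" via ")
    return {"user": _name(effective), "real_user": _name(real) if real else None,
            "cmd": m.group("cmd"), "src": m.group("src"), "ip": m.group("ip")}

def classify(entry):
    if entry["real_user"] is not None:
        return "proxied"        # doAs(): end user kept, service recorded after "via"
    if entry["user"] in SERVICE_ACCOUNTS:
        return "unattributed"   # only the service account is visible
    return "direct"             # the client process itself ran as the user

def summarize(log_text):
    counts, unattributed = Counter(), []
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry is None:
            continue            # not an audit line in the assumed layout
        kind = classify(entry)
        counts[kind] += 1
        if kind == "unattributed":
            unattributed.append(entry)
    return counts, unattributed

if __name__ == "__main__":
    counts, gaps = summarize(SAMPLE_LOG)
    print(dict(counts))
    for e in gaps:
        print("no end-user identity:", e["cmd"], e["src"], "from", e["ip"])
```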
