hive-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maria <linanmengxia...@126.com>
Subject why need set hive.server2.enable.doAs=false in SQL-Standard Based Authorization
Date Thu, 18 Aug 2016 07:41:52 GMT

Hi,all:
  I have a few questions about hive authentication and authorization:

(1)why do we need to set hive.server2.enable.doAs=false in SQL-Standard Based Authorization
?

(2)when set hive.server2.enable.doAs=false in SQL-Standard Based Authorization,the beeline
way to connecte HS2, 
the queries are run as the service user id of HiverServer2, how to make it use the users who
is in current kerberos ticket cache?
(because if "hive.server2.enable.doAs=false" and hive uri is like this——"jdbc:hive2://cdh1:10000/default;principal=hive/cdh1@JAVACHEN.COM",
the kerberos ticket cache will not work.)

(3)Does hive 1.2.1 and later version still has grant/revoke BUG?——I found someone said
that user needs to imply administrator privilege according to implements AbstractSemanticAnalyzerHook,if
he want to let the administrator own the grant/revoke privilege only. But I also found a parameter
"hive.users.in.admin.role",does this param makes up this deficiency?

(4)Must I start up hive metastore service when SQL Standards Based Hive Authorization in conjunction
with storage based authorization?( https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization),and
if the two combined, “hive.server2.enable.doAs" set to false?

(5)Can someone please give me a tip on this class: BitSetCheckAuthorizationProvider? if I
can
set "hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.BitSetCheckAuthorizationProvider"?What
are the difference between BitSetCheckAuthorizationProvider and SQLStdHiveAuthorizerFactory?


I am confused by these questions for a long time. I am eager to get your guidance. 

Any reply will be much appreciated.
And thankyou again.



Mime
View raw message