shiliquan opened a new issue #4446: URL: https://github.com/apache/incubator-dolphinscheduler/issues/4446
When Kerberos authentication is enabled and different tenants use the same sql task node to execute hsql statements, the DS calls the same DS component authentication ticket by default, if different tenants are using this sql to run HSQL, then there is no way to tell the difference. The users who submit tasks should be the ticket for the DS component. For example: I have two tenants, one of which has access to hive, a just need to use the basic shell running script, then for the DS basic note I am authorized or not authorized access to the HIVE, authorized to use the hive permission, yes, can be used, but if a user who doesn't have the rights to hive finds that he or she can still use the hsql feature of hive, he or she may not be able to control his or her risk. I think there's a loophole, don't you?  ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
