[ https://issues.apache.org/jira/browse/HIVE-3705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phabricator updated HIVE-3705:
------------------------------

    Attachment: HIVE-3705.D6681.1.patch

khorgath requested code review of "HIVE-3705 [jira] Adding authorization 
capability to the metastore".
Reviewers: JIRA

  HIVE-3705 Enabling authorization from the metastore:

  New HiveConf parameters:

        hive.security.metastore.authorization.enabled : true/false determining whether or not to do authorization in the metastore
        hive.security.metastore.authorization.manager : The class to load to do metastore-side authorization
        hive.security.metastore.authenticator.manager : The class to load to do metastore-side authentication

  If the first parameter isn't set, default behaviour of hive in both 
client-mode and metastore-mode is not affected, and this is disabled by default.

  New Interface :

        ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java :
                an extension of HiveAuthorizationProvider, except with one more function that allows the metastore to pass a HMSHandler to it

  Modifications of existing classes :

        Minor modifications :
                ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java :
                        added ability to instantiate HiveAuth{orization,entication}Providers given HiveConf key to use
                ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java :
                        changed to account for above

        Major modifications :
                ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java :
                        refactored to introduce a new HiveProxy that can proxy for either a hive object or a HMSHandler to perform necessary metadata operations
                ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java :
                        refactored most of the functionality into a new class : BitSetCheckedAuthorizationProvider, which in turn is extended trivially by DefaultHiveAuthorizationProvider and DefaultHiveMetastoreAuthorizationProvider which implement small glue functionality to make them work from the hive client side and from the hive metastore respectively.

  New Classes :

        ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java :
                As discussed above.
        ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java :
                As discussed above.
        ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java :
                An implementation of the Hive Metastore PreEventListener interface that kicks off the metastore-side authorization

TEST PLAN
  Following testcases added :
        ql/src/test/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java
        ql/src/test/org/apache/hadoop/hive/ql/security/TestAuthorizationPreEventListener.java
        ql/src/test/org/apache/hadoop/hive/ql/security/TestDefaultHiveMetastoreAuthorizationProvider.java

  In an environment where multiple clients access a single metastore, and we 
want to evolve hive security to a point where it's no longer simply preventing 
users from shooting their own foot, we need to be able to authorize metastore 
calls as well, instead of simply performing every metastore api call that's 
made.

REVISION DETAIL
  https://reviews.facebook.net/D6681

AFFECTED FILES
  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
  conf/hive-default.xml.template
  ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java
  ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
  ql/src/test/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java
  ql/src/test/org/apache/hadoop/hive/ql/security/TestAuthorizationPreEventListener.java
  ql/src/test/org/apache/hadoop/hive/ql/security/TestDefaultHiveMetastoreAuthorizationProvider.java

To: JIRA, khorgath

                
> Adding authorization capability to the metastore
> ------------------------------------------------
>
>                 Key: HIVE-3705
>                 URL: https://issues.apache.org/jira/browse/HIVE-3705
>             Project: Hive
>          Issue Type: New Feature
>          Components: Authorization, Metastore
>            Reporter: Sushanth Sowmyan
>         Attachments: HIVE-3705.D6681.1.patch, hivesec_investigation.pdf
>
>
> In an environment where multiple clients access a single metastore, and we 
> want to evolve hive security to a point where it's no longer simply 
> preventing users from shooting their own foot, we need to be able to 
> authorize metastore calls as well, instead of simply performing every 
> metastore api call that's made.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
