[
https://issues.apache.org/jira/browse/HIVE-3720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507831#comment-13507831
]
Shreepadma Venugopalan commented on HIVE-3720:
----------------------------------------------
@Namit: The authorization model in this proposal mirrors that of MySQL as
closely as possible. The proposal also documents wherever there is a deviation
from MySQL's authorization model. Since Hive's data model is based on that of
MySQL, it would make a lot of sense to base the authorization model on MySQL's
as well. The proposed functionality is not necessarily a superset of the
existing authorization functionality but subsumes some of the existing
functionality. While the existing implementation supports authorization on some
HiveQL operations, it doesn't secure all of the operations, provide a way to
bootstrap the system etc. This proposal expands authorization to all HiveQL
operations and direct metadata operations that can be performed by invoking the
metastore Thrift API.

As discussed earlier, since the proposed model standardizes the authorization
model to mirror that of MySQL, it deviates from the existing model wherever
the existing implementation deviates from the authorization model of MySQL or
other RDBMSs. The proposed model is also more fine grained and supports
hierarchical privileges much like an RDBMS. For instance, the proposed model
supports CREATE, ALTER, DROP privileges on objects whereas the current model
supports an ALTER_METADATA privilege that includes the privileges needed to
perform CREATE, ALTER, DROP etc. Note that one of the goals is to propose an
authorization model such that finer grained privileges can be added in as
necessary later.

Since the existing implementation is not complete, it is unclear at this point
what part of the functionality has been completely implemented. Perhaps we can
mark the existing functionality in the wiki once we start implementing the
proposed model. Thanks.

> Expand and standardize authorization in Hive
> --------------------------------------------
>
> Key: HIVE-3720
> URL: https://issues.apache.org/jira/browse/HIVE-3720
> Project: Hive
> Issue Type: Improvement
> Components: Authorization
> Affects Versions: 0.9.0
> Reporter: Shreepadma Venugopalan
> Assignee: Shreepadma Venugopalan
> Attachments: Hive_Authorization_Functionality.pdf
>
>
> The existing implementation of authorization in Hive is not complete.
> Additionally the existing implementation has security holes. This JIRA is an
> umbrella JIRA for a) extending authorization to all SQL operations and
> direct metadata operations, and b) standardizing the authorization model and
> its semantics to mirror that of MySQL as closely as possible.