[ https://issues.apache.org/jira/browse/HIVE-3720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507831#comment-13507831 ]

Shreepadma Venugopalan commented on HIVE-3720:
----------------------------------------------

@Namit: The authorization model in this proposal mirrors that of MySQL as closely as possible. The proposal also documents wherever there is a deviation from MySQL's authorization model. Since Hive's data model is based on that of MySQL, it would make a lot of sense to base the authorization model on MySQL's as well.

The proposed functionality is not necessarily a superset of the existing authorization functionality but subsumes some of the existing functionality. While the existing implementation supports authorization on some HiveQL operations, it doesn't secure all of the operations, provide a way to bootstrap the system, etc. This proposal expands authorization to all HiveQL operations and direct metadata operations that can be performed by invoking the metastore Thrift API.

As discussed earlier, since the proposed model standardizes the authorization model to mirror that of MySQL, it deviates from the existing model wherever the existing implementation deviates from the authorization model of MySQL or other RDBMSs. The proposed model is also more fine-grained and supports hierarchical privileges much like an RDBMS. For instance, the proposed model supports CREATE, ALTER, DROP privileges on objects whereas the current model supports an ALTER_METADATA privilege that includes the privileges needed to perform CREATE, ALTER, DROP, etc. Note that one of the goals is to propose an authorization model such that finer-grained privileges can be added in as necessary later.

Since the existing implementation is not complete, it is unclear at this point what part of the functionality has been completely implemented. Perhaps we can mark the existing functionality in the wiki once we start implementing the proposed model.

Thanks.

> Expand and standardize authorization in Hive
> --------------------------------------------
>
> Key: HIVE-3720
> URL: https://issues.apache.org/jira/browse/HIVE-3720
> Project: Hive
> Issue Type: Improvement
> Components: Authorization
> Affects Versions: 0.9.0
> Reporter: Shreepadma Venugopalan
> Assignee: Shreepadma Venugopalan
> Attachments: Hive_Authorization_Functionality.pdf
>
>
> The existing implementation of authorization in Hive is not complete.
> Additionally the existing implementation has security holes. This JIRA is an
> umbrella JIRA for a) extending authorization to all SQL operations and
> direct metadata operations, and b) standardizing the authorization model and
> its semantics to mirror that of MySQL as closely as possible.