[ 
https://issues.apache.org/jira/browse/HIVE-3807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13555209#comment-13555209
 ] 

Kai Zheng commented on HIVE-3807:
---------------------------------

Ashutosh, do you mean the workaround of granting privileges to such users again 
with short names should be done by Hive admins? Or do we need to write code to do 
it automatically, or just have scripts for Hive admins to patch? Another option 
would be to change the ObjectStore so that the principal name can be checked as 
user_principal_name == principal_name_value_in_table (in the short name case) or 
user_principal_name like principal_name_value_in_table + '@' (in the Kerberos full 
name case, such as [email protected]).

Which way would you prefer? Thanks.
                
> Hive authorization should use short username when Kerberos authentication
> -------------------------------------------------------------------------
>
>                 Key: HIVE-3807
>                 URL: https://issues.apache.org/jira/browse/HIVE-3807
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authorization
>    Affects Versions: 0.9.0, 0.10.0
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>         Attachments: HIVE-3807.patch
>
>
> Currently, when the authentication method is Kerberos, Hive authorization uses 
> the user's full name as the privilege principal, for example, it uses 
> [email protected] instead of john.
> It should use the short name instead. The benefits:
> 1. Be consistent. Hadoop, HBase, etc. all use the short name in related 
> ACLs or authorizations. For Hive authorization to work well with them, this 
> should be.
> 2. Be convenient. It's very inconvenient to use the lengthy Kerberos 
> principal name when granting or revoking privileges via the Hive CLI.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
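
The matching rule proposed in the comment above, written as an exact comparison and run beside a SQL-style LIKE version. This is an added example, not code from HIVE-3807.patch or from Hive's ObjectStore. The class, the method names, the sample names and the EXAMPLE.COM realm are constructed for illustration, and the rule is read here as "stored value, then '@', then a realm".

```java
import java.util.regex.Pattern;

public class PrincipalMatch {
    // Hypothetical helper: exact form of the rule proposed in the comment.
    static boolean matchesGrant(String userPrincipal, String storedName) {
        if (userPrincipal == null || storedName == null || storedName.isEmpty()) {
            return false;
        }
        if (userPrincipal.equals(storedName)) {
            return true;                       // short name case
        }
        String prefix = storedName + "@";      // Kerberos full name case
        return userPrincipal.startsWith(prefix)
                && userPrincipal.length() > prefix.length();
    }

    // SQL LIKE semantics ('_' = one char, '%' = any run), for comparison only.
    static boolean sqlLike(String value, String pattern) {
        StringBuilder re = new StringBuilder();
        for (char c : pattern.toCharArray()) {
            if (c == '%') re.append(".*");
            else if (c == '_') re.append('.');
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.matches(re.toString(), value);
    }

    public static void main(String[] args) {
        // Constructed sample names; EXAMPLE.COM is a placeholder realm.
        String[][] cases = {
            {"john", "john"},                   // short name, equality branch
            {"john@EXAMPLE.COM", "john"},       // full name of the same user
            {"johnny@EXAMPLE.COM", "john"},     // different user, shared prefix
            {"etlXsvc@EXAMPLE.COM", "etl_svc"}, // '_' acts as a wildcard in LIKE
            {"john@", "john"},                  // empty realm
        };
        for (String[] c : cases) {
            System.out.printf("user=%-22s stored=%-8s exact=%-5b like=%b%n",
                    c[0], c[1], matchesGrant(c[0], c[1]),
                    sqlLike(c[0], c[1] + "@%"));
        }
    }
}
```

The two columns differ on the last two rows: an unescaped `_` in a stored name lets LIKE match a different user, and LIKE also accepts an empty realm. Both forms accept any realm after the `@`, so a deployment with more than one realm needs a separate realm check.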
