[
https://issues.apache.org/jira/browse/HIVE-4442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13757061#comment-13757061
]
Eugene Koifman commented on HIVE-4442:
--------------------------------------
The point is that UgiFactory creates a proxy user with proper credentials,
while UserGroupInformation.createRemoteUser() works in "simple" security mode...
Generally, in WebHCat a param "user" is determined by Server#getDoAsUser().
If doAs is specified, the user=doAs, otherwise it's the user making the call.
In the HIVE-4442.3.patch StatusDelegator uses UgiFactory to get
UserGroupInformation but the other 2 use
UserGroupInformation.createRemoteUser().
So from a security point of view I think Delete/List/StatusDelegator should all
use UgiFactory with "user" as argument.
UserGroupInformation.getLoginUser() will return the user running WebHCat
("hcat" by default).
> [HCatalog] WebHCat should not override user.name parameter for Queue call
> -------------------------------------------------------------------------
>
> Key: HIVE-4442
> URL: https://issues.apache.org/jira/browse/HIVE-4442
> Project: Hive
> Issue Type: Bug
> Components: HCatalog
> Reporter: Daniel Dai
> Attachments: HIVE-4442-1.patch, HIVE-4442-2.patch, HIVE-4442-3.patch
>
>
> Currently Templeton for the Queue call uses the user.name to filter the
> results of the call in addition to the default security.
> Ideally the filter is an optional parameter to the call independent of the
> security check.
> I would suggest a parameter, in addition to GET queue (jobs), to give you all
> the jobs a user has permission for:
> GET queue?showall=true
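
The distinction drawn in the comment above, shown as an added example that is not part of the original message or of the WebHCat code base. It assumes a proxy UGI is built with `UserGroupInformation.createProxyUser()` over the service's login user; the class `UgiComparison`, the helper `proxyFor` and the sample user "alice" are hypothetical.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiComparison {

    // Hypothetical helper: build a UGI for the effective user that is backed
    // by the service's own login user, the only identity holding credentials.
    static UserGroupInformation proxyFor(String user) throws IOException {
        return UserGroupInformation.createProxyUser(
                user, UserGroupInformation.getLoginUser());
    }

    // Summarise who the UGI claims to be, how it authenticates, and on whose
    // credentials it relies (no real user means nothing backs the name).
    static String describe(UserGroupInformation ugi) {
        UserGroupInformation real = ugi.getRealUser();
        return ugi.getShortUserName()
                + " auth=" + ugi.getAuthenticationMethod()
                + " realUser=" + (real == null ? "none" : real.getShortUserName());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; in WebHCat this would be the "user" param.
        String user = args.length > 0 ? args[0] : "alice";

        // Bare name with SIMPLE authentication and no backing credentials.
        UserGroupInformation remote = UserGroupInformation.createRemoteUser(user);
        // Same name, PROXY authentication, backed by the login user.
        UserGroupInformation proxy = proxyFor(user);

        System.out.println("createRemoteUser: " + describe(remote));
        System.out.println("createProxyUser:  " + describe(proxy));

        // Work done inside doAs runs as the effective user.
        String seen = proxy.doAs((PrivilegedExceptionAction<String>) () ->
                UserGroupInformation.getCurrentUser().getShortUserName());
        System.out.println("inside doAs: " + seen);
    }
}
```

On a secured cluster the proxy form is only accepted when the service's login user is allowed to impersonate, which is configured through the `hadoop.proxyuser.<service user>.hosts` and `hadoop.proxyuser.<service user>.groups` properties.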