[ https://issues.apache.org/jira/browse/HIVE-4442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13757061#comment-13757061 ]
Eugene Koifman commented on HIVE-4442: -------------------------------------- The point is that UgiFactory creates a proxy user with proper credentials, while UserGroupInformation.createRemoteUser() works in "simple" security mode... Generally, in WebHCat a param "user" is determined by Server#getDoAsUser(). If doAs is specified, the user=doAs, otherwise it's the user making the call. In the HIVE-4442.3.patch StatusDelegator uses UgiFactory to get UserGroupInformation but the other 2 use UserGroupInformation.createRemoteUser(). So from a security point of view I think Delete/List/StatusDelegator should all use UgiFactory with "user" as argument. UserGroupInformation.getLoginUser() will return the user running WebHCat ("hcat" by default). > [HCatalog] WebHCat should not override user.name parameter for Queue call > ------------------------------------------------------------------------- > > Key: HIVE-4442 > URL: https://issues.apache.org/jira/browse/HIVE-4442 > Project: Hive > Issue Type: Bug > Components: HCatalog > Reporter: Daniel Dai > Attachments: HIVE-4442-1.patch, HIVE-4442-2.patch, HIVE-4442-3.patch > > > Currently templeton for the Queue call uses the user.name to filter the > results of the call in addition to the default security. > Ideally the filter is an optional parameter to the call independent of the > security check. > I would suggest a parameter in addition to GET queue (jobs) give you all the > jobs a user have permission: > GET queue?showall=true -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira