[
https://issues.apache.org/jira/browse/HIVE-3807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13776800#comment-13776800
]
Sushanth Sowmyan commented on HIVE-3807:
----------------------------------------
Ashutosh, while it's true that this could potentially have been an incompatible
change, it is a correct one. If people were granting privileges to fully
qualified kerberos names rather than the user names that the default
authorization was designed for, that's incorrect usage caused by this bug.
It might be worthwhile calling this out as an incompatible change and asking
upgraders that use grants/revokes with kerberos (hopefully not many) to regrant.
I'm not happy with the idea of having code in ObjectStore that is aware of
different forms of authorization names - that should belong in the
AuthenticationProvider and not leak out.
> Hive authorization should use short username when Kerberos authentication
> -------------------------------------------------------------------------
>
> Key: HIVE-3807
> URL: https://issues.apache.org/jira/browse/HIVE-3807
> Project: Hive
> Issue Type: Improvement
> Components: Authorization
> Affects Versions: 0.9.0, 0.10.0
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Attachments: HIVE-3807.patch
>
>
> Currently when authentication method is Kerberos,Hive authorization uses user
> full name as privilege principal, for example, it uses j...@example.com
> instead of john.
> It should use the short name instead. The benefits:
> 1. Be consistent. Hadoop, HBase and etc they all use short name in related
> ACLs or authorizations. For Hive authorization works well with them, this
> should be.
> 2. Be convenient. It's very inconvenient to use the lengthy Kerberos
> principal name when grant or revoke privileges via Hive CLI.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
