Re: Review Request 16847: Add a hive authorization plugin api that does not assume privileges needed

Thejas Nair Wed, 15 Jan 2014 14:59:43 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/16847/#review31929
-----------------------------------------------------------




ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DefaultHiveAuthorizerFactory.java
<https://reviews.apache.org/r/16847/#comment60687>

    removed the comment. Will create DefaultHiveAccessController and 
DefaultHiveAuthValidator classes as I implement the sql standard auth in other 
jiras.
    



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
<https://reviews.apache.org/r/16847/#comment60707>

    I will change it to catch the specific checked exceptions that getMsc() and 
Hive.get() throw.
    I don't want to expose MetaException and HiveException as public interface 
at this point.
    



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
<https://reviews.apache.org/r/16847/#comment60708>

    I will change it to catch the specific checked exceptions that getMsc() and 
Hive.get() throw.
    I don't want to expose MetaException and HiveException as public interface, 
that is why I don't throw them here.
    
    



ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
<https://reviews.apache.org/r/16847/#comment60710>

    that check is being done and an exception is being thrown -  
RunTimeException (now AssertTionError)


- Thejas Nair


On Jan. 14, 2014, 3:51 a.m., Thejas Nair wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/16847/
> -----------------------------------------------------------
> 
> (Updated Jan. 14, 2014, 3:51 a.m.)
> 
> 
> Review request for hive, Ashutosh Chauhan and Brock Noland.
> 
> 
> Bugs: HIVE-5928
>     https://issues.apache.org/jira/browse/HIVE-5928
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> The existing HiveAuthorizationProvider interface implementations can be used 
> to support custom authorization models.
> But this interface limits the customization for these reasons -
> 1. It has assumptions about the privileges required for an action.
> 2. It does have not functions that you can implement for having custom ways 
> of doing the actions of access control statements.
> 
> This jira proposes a new interface HiveAuthorizer that does not make 
> assumptions of the privileges required for the actions. The authorize() 
> functions will be equivalent of authorize(<operation type>, <input objects>, 
> <output objects>). It will also have functions that will be called from the 
> access control statements.
> 
> The current HiveAuthorizationProvider will continue to be supported for 
> backward compatibility. 
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/Driver.java 72c04d3 
>   ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java b36a4ca 
>   ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java dc45ea2 
>   ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java 143c0a6 
>   ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java 52d7c75 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DefaultHiveAuthorizerFactory.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
>  PRE-CREATION 
>   
> ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
>  PRE-CREATION 
>   ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java ef35f1a 
>   
> ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveOperationType.java
>  PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/16847/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Thejas Nair
> 
>

Re: Review Request 16847: Add a hive authorization plugin api that does not assume privileges needed

Reply via email to