[ https://issues.apache.org/jira/browse/HIVE-7209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14028602#comment-14028602 ]

Thejas M Nair commented on HIVE-7209:
-------------------------------------

HIVE-7209.1.patch - Has changes to allow for multiple authorizers to be registered for metastore authorization.
Also includes a new authorizer org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly that can be added to the hive.security.metastore.authorization.manager config parameter. It will disallow any metastore api calls in remote metastore mode. If you use HS2 with embedded metastore, the HS2 can make these api calls, as the authorizer disables the calls only in remote mode.

This approach can be extended in followup work to allow the api calls to be made to remote metastore by only certain users from certain machines.
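The metastore-side configuration the comment describes, written out as an added example (not taken from the patch or from the Hive documentation). It assumes the multi-authorizer form is a comma-separated list of class names, and pairs the new EmbedOnly authorizer with the existing storage-based provider so that remote metastore clients are refused the authorization API calls while an HS2 running an embedded metastore is still allowed to make them.

```xml
<!-- hive-site.xml on the metastore host (added example; property list is an assumption) -->
<configuration>
  <!-- Route metastore events through the authorization listener so the
       providers below are consulted at all. -->
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>

  <!-- Two providers, comma separated (assumed syntax):
       1. the usual storage-based checks on HDFS permissions;
       2. MetaStoreAuthzAPIAuthorizerEmbedOnly, which denies the
          authorization-policy API calls when the metastore is remote,
          i.e. when the caller is a direct Thrift client such as a Pig or
          MR job, but lets them through in embedded mode (HS2). -->
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
  </property>
</configuration>
```

With only the first provider present, any principal that can reach the metastore Thrift port can still change the policy; adding the second provider is what closes that path for remote callers.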


> allow metastore authorization api calls to be restricted to certain invokers
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-7209
>                 URL: https://issues.apache.org/jira/browse/HIVE-7209
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication, Metastore
>            Reporter: Thejas M Nair
>            Assignee: Thejas M Nair
>         Attachments: HIVE-7209.1.patch
>
>
> Any user who has direct access to metastore can make metastore api calls that 
> modify the authorization policy. 
> The users who can make direct metastore api calls in a secure cluster 
> configuration are usually the 'cluster insiders' such as Pig and MR users, 
> who are not (securely) covered by the metastore based authorization policy. 
> But it makes sense to disallow access from such users as well.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
