[
https://issues.apache.org/jira/browse/HIVE-7209?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Thejas M Nair updated HIVE-7209:
--------------------------------
Release Note:
With this change hive.security.metastore.authorization.manager configuration
parameter allows you to specify more than one authorization manager class
(comma separated).
This patch introduces a new authorization manager for use under this
configuration -
org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly.
It will disallow any of the authorization api calls to be invoked in a remote
metastore.
HiveServer2 can be configured to use embedded metastore, and that will allow it
to invoke metastore authorization api. Hive cli and any other remote metastore
users would be denied authorization when they try to make authorization api
calls. This allows restricting the authorization api use to privileged
HiveServer2 process.
> allow metastore authorization api calls to be restricted to certain invokers
> ----------------------------------------------------------------------------
>
> Key: HIVE-7209
> URL: https://issues.apache.org/jira/browse/HIVE-7209
> Project: Hive
> Issue Type: Bug
> Components: Authentication, Metastore
> Reporter: Thejas M Nair
> Assignee: Thejas M Nair
> Labels: TODOC14
> Attachments: HIVE-7209.1.patch, HIVE-7209.2.patch, HIVE-7209.3.patch
>
>
> Any user who has direct access to metastore can make metastore api calls that
> modify the authorization policy.
> The users who can make direct metastore api calls in a secure cluster
> configuration are usually the 'cluster insiders' such as Pig and MR users,
> who are not (securely) covered by the metastore based authorization policy.
> But it makes sense to disallow access from such users as well.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
