[
https://issues.apache.org/jira/browse/HIVE-7209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052006#comment-14052006
]
Lefty Leverenz commented on HIVE-7209:
--------------------------------------
For the record: The patch changes the description of
*hive.security.metastore.authorization.manager* in hive-default.xml.template
(see the release note for new functionality).
I added a comment to HIVE-6586 so it won't get lost in the shuffle when
HIVE-6037 changes HiveConf.java.
> allow metastore authorization api calls to be restricted to certain invokers
> ----------------------------------------------------------------------------
>
> Key: HIVE-7209
> URL: https://issues.apache.org/jira/browse/HIVE-7209
> Project: Hive
> Issue Type: Bug
> Components: Authentication, Metastore
> Reporter: Thejas M Nair
> Assignee: Thejas M Nair
> Labels: TODOC14
> Fix For: 0.14.0
>
> Attachments: HIVE-7209.1.patch, HIVE-7209.2.patch, HIVE-7209.3.patch,
> HIVE-7209.4.patch
>
>
> Any user who has direct access to metastore can make metastore api calls that
> modify the authorization policy.
> The users who can make direct metastore api calls in a secure cluster
> configuration are usually the 'cluster insiders' such as Pig and MR users,
> who are not (securely) covered by the metastore based authorization policy.
> But it makes sense to disallow access from such users as well.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
