[jira] [Commented] (HIVE-8045) SQL standard auth with cli - Errors and configuration issues

Thejas M Nair (JIRA) Mon, 15 Sep 2014 15:14:34 -0700

    [ 
https://issues.apache.org/jira/browse/HIVE-8045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14134579#comment-14134579
 ]


Thejas M Nair commented on HIVE-8045:
-------------------------------------

bq. 1 Even if hive.security.authorization.enabled=false, authorization checks 
were happening for non sql statements as add/detete/dfs/compile, which results 
in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.

CommandUtil. authorizeCommand(..) has been fixed to consider the value of 
hive.security.authorization.enabled . Added  new test case -
authorization_cli_nonsql.q

bq. 2 Create table from hive-cli ended up calling metastore server api call 
(getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an 
error.

Removed the getRoles call from authorization from  SQLStdHiveAccessController 
constructor. It is already explicitly initialized before roles are used from 
other methods. Added test authorization_cli_createtab_noauthzapi.q to verify 
that no authorization api calls are being made for create table commands.

bq. 3 Some users prefer to enable authorization using hive-site.xml for 
hive-server2 (hive.security.authorization.enabled param). If this file is 
shared by hive-cli and hive-server2, SQL std authorizer throws an error because 
its use in hive-cli is not allowed.
Created SQLStdConfOnlyAuthorizerFactory that can be set in hive-cli, its 
authorization checkprivileges calls are no-op calls. The sql standard 
authorizer can be set for hiveserver2 using commandline or hiveserver2-site.xml 
. 




> SQL standard auth with cli - Errors and configuration issues
> ------------------------------------------------------------
>
>                 Key: HIVE-8045
>                 URL: https://issues.apache.org/jira/browse/HIVE-8045
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Jagruti Varia
>            Assignee: Thejas M Nair
>
> HIVE-7533 enabled sql std authorization to be set in hive cli (without 
> enabling authorization checks). This updates hive configuration so that 
> create-table and create-views set permissions appropriately for the owner of 
> the table.
> HIVE-7209 added a metastore authorization provider that can be used to 
> restricts calls made to the authorization api, so that only HS2 can make 
> those calls (when HS2 uses embedded metastore).
> Some issues were found with this.
> # Even if hive.security.authorization.enabled=false, authorization checks 
> were happening for non sql statements as add/detete/dfs/compile, which 
> results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Create table from hive-cli ended up calling metastore server api call 
> (getRoles) and resulted in  MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an 
> error.
> # Some users prefer to enable authorization using hive-site.xml for 
> hive-server2 (hive.security.authorization.enabled param). If this file is 
> shared by hive-cli and hive-server2,  SQL std authorizer throws an error 
> because is use in hive-cli is not allowed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HIVE-8045) SQL standard auth with cli - Errors and configuration issues

Reply via email to