jjiang037 commented on code in PR #6078:
URL: https://github.com/apache/hive/pull/6078#discussion_r2356583839
##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java:
##########
@@ -40,6 +42,17 @@ protected HiveMetaStoreAuthorizableEvent(PreEventContext
preEventContext) {
this.preEventContext = preEventContext;
}
+ protected HiveAuthzContext buildAuthzContext() {
+ HiveAuthzContext.Builder builder = new HiveAuthzContext.Builder();
+
+ Map<String, Object> clientConfig =
HiveMetaStoreAuthorizer.getClientConfig();
+ if (clientConfig != null) {
+ builder.setClientConfig(clientConfig);
Review Comment:
Good point about the other fields. The current implementation intentionally
focuses on adding clientConfig as the minimum necessary change for the
following reasons:
## Incremental Enhancement
This patch introduces the foundation for custom authorization contexts.
Other fields like ipAddress and additional metadata can be added in follow-up
patches as specific needs arise. This keeps the change focused and easier to
review.
## Context-Specific Fields
Not all authorization events need all fields. For example:
- `commandString` is already provided by each event subclass (like
`ReadDatabaseEvent.COMMAND_STR`)
- `ipAddress` may not be available in all HMS invocation paths
- Some fields might be better sourced from the `PreEventContext` when needed
## Current Requirements
The immediate need is to distinguish client types (REST catalog vs
traditional HMS clients) for authorization and audit purposes, which
clientConfig addresses. Other fields can be added when there are concrete
requirements for them.
If you feel strongly that these fields should be included now, I can extend
the implementation. However, I'd suggest we could also handle this as a
follow-up enhancement to keep this patch focused on the core functionality of
enabling customizable authorization contexts.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
