[ https://issues.apache.org/jira/browse/HCATALOG-245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Enis Soztutar updated HCATALOG-245:
-----------------------------------

    Attachment: hcat-auth_v1.patch

Attaching initial version of the patch to add storage handler specific 
authorization provider support as discussed in the parent issue. 

Some of the patch notes: 
 - Added a DelegationAuthorizationProvider which delegates to either HDFS 
authorization provider or the storage specific one. 
 - HDFSAuthorization provider checks for access level for the given path as 
discussed in 
https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design. 
Simply, if you want to alter/create an object at a specific location, you have 
to have read/write access to that location. This just extends what is already 
enforced by AuthUtils.  
 - The authorization provider is invoked from the semantic analyzer, but uses 
the already parsed statement definitions from Hive. Hive invokes the auth 
provider from Driver.doAuthorization(). However, most of the privileges in 
HiveOperation are not sufficient, and the fact that dbs, tables and partitions 
can specify custom locations means that we cannot use pure Hive's enforcement 
of auth provider implementation. 
 - This patch does not yet include the auth provider for secure HBase. I'll do 
that in the next version. In the meantime, reviews for design are more than 
welcome. 
 - The patch includes extensive unit tests, mostly in CLI, so the expected 
behavior can be understood from the unit test. 
                
> StorageHandler authorization providers 
> ---------------------------------------
>
>                 Key: HCATALOG-245
>                 URL: https://issues.apache.org/jira/browse/HCATALOG-245
>             Project: HCatalog
>          Issue Type: Sub-task
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
>         Attachments: hcat-auth_v1.patch
>
>
> As per the design in the parent issue, we will delegate the authorization 
> checks to the storage handler (hdfs is considered as a storage handler as 
> well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
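
The delegation and path-based check described in the patch notes above, modelled as an added example (Java 16+); this is not code from the attached patch, and every class and method name in it is hypothetical. Checking a not-yet-created location against its nearest existing ancestor, and denying when a storage handler has no registered provider, are assumptions of this sketch.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not an HCatalog or Hive class.
public class DelegatingAuthDemo {
    interface AuthProvider {
        void authorize(String user, Set<String> groups, String location, boolean write);
    }
    // Constructed stand-in for file system metadata: owner, group, POSIX mode bits.
    record Stat(String owner, String group, int mode) {}

    // Path-based check: read on the location, plus write for create/alter.
    static class PathAuthProvider implements AuthProvider {
        private final Map<String, Stat> fs;
        PathAuthProvider(Map<String, Stat> fs) { this.fs = fs; }
        public void authorize(String user, Set<String> groups, String location, boolean write) {
            String p = location;
            // Assumption: a location not created yet is checked against its nearest existing ancestor.
            while (!fs.containsKey(p) && p.lastIndexOf('/') > 0) p = p.substring(0, p.lastIndexOf('/'));
            Stat s = fs.get(p);
            if (s == null) throw new SecurityException("no checkable path for " + location);
            int shift = user.equals(s.owner()) ? 6 : groups.contains(s.group()) ? 3 : 0;
            int need = write ? 6 : 4; // rw- or r--
            if (((s.mode() >> shift) & need) != need)
                throw new SecurityException(user + " lacks " + (write ? "read/write" : "read") + " on " + p);
        }
    }

    // No handler: path-based check. Known handler: its provider. Unknown handler: deny.
    static void authorize(Map<String, AuthProvider> byHandler, AuthProvider pathProvider, String handler,
                          String user, Set<String> groups, String location, boolean write) {
        AuthProvider p = handler == null ? pathProvider : byHandler.get(handler);
        if (p == null) throw new SecurityException("no authorization provider for handler " + handler);
        p.authorize(user, groups, location, write);
    }

    static String attempt(Runnable r) {
        try { r.run(); return "allowed"; } catch (SecurityException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        Map<String, Stat> fs = Map.of(                        // constructed sample metadata
            "/warehouse", new Stat("hive", "hadoop", 0755),
            "/user/alice", new Stat("alice", "alice", 0700));
        AuthProvider path = new PathAuthProvider(fs);
        Map<String, AuthProvider> handlers = new HashMap<>(); // no storage-specific provider registered
        Set<String> g = Set.of("users");
        System.out.println(attempt(() -> authorize(handlers, path, null, "alice", g, "/user/alice/t1", true)));
        System.out.println(attempt(() -> authorize(handlers, path, null, "alice", g, "/warehouse/t2", true)));
        System.out.println(attempt(() -> authorize(handlers, path, "hbase", "alice", g, "hbase:t3", true)));
    }
}
```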

        
