[
https://issues.apache.org/jira/browse/HCATALOG-245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202752#comment-13202752
]
[email protected] commented on HCATALOG-245:
--------------------------------------------------------
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/3778/
-----------------------------------------------------------
Review request for Ashutosh Chauhan, Sushanth Sowmyan and enis.
Summary
-------
Attaching initial version of the patch to add storage handler specific
authorization provider support as discussed in the parent issue.
Some of the patch notes:
- Added a DelegationAuthorizationProvider which delegates to either the HDFS
  authorization provider or the storage-specific one.
- The HDFS authorization provider checks the access level for the given path, as
  discussed in
  https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design.
  Simply, if you want to alter/create an object at a specific location, you have
  to have read/write access to that location. This just extends what is already
  enforced by AuthUtils.
- The authorization provider is invoked from the semantic analyzer, but uses the
  already parsed statement definitions from Hive. Hive invokes the auth provider
  from Driver.doAuthorization(). However, most of the privileges in HiveOperation
  are not sufficient, and the fact that dbs, tables and partitions can specify
  custom locations means that we cannot use pure Hive's enforcement of auth
  provider implementation.
This patch does not yet include the auth provider for secure HBase. I'll do
that in the next version. In the meantime, reviews for design are more than
welcome.
The patch includes extensive unit tests, mostly in CLI, so the expected
behavior can be understood from the unit test.
This addresses bug HCATALOG-245.
https://issues.apache.org/jira/browse/HCATALOG-245
Diffs
-----
trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
1241601
trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java
1241601
trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
PRE-CREATION
trunk/src/java/org/apache/hcatalog/common/AuthUtils.java 1241601
trunk/src/java/org/apache/hcatalog/security/DelegationAuthorizationProvider.java
PRE-CREATION
trunk/src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java
PRE-CREATION
trunk/src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java
PRE-CREATION
Diff: https://reviews.apache.org/r/3778/diff
Testing
-------
Thanks,
Alan
> StorageHandler authorization providers
> ---------------------------------------
>
> Key: HCATALOG-245
> URL: https://issues.apache.org/jira/browse/HCATALOG-245
> Project: HCatalog
> Issue Type: Sub-task
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
> Attachments: hcat-auth_v1.patch
>
>
> As per the design in the parent issue, we will delegate the authorization
> checks to the storage handler (hdfs is considered as a storage handler as
> well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.
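The delegation and location-based check described in the review summary, as an added example that is not code from the patch or from HCatalog. Every class and method name in it is hypothetical, the ACL is constructed sample data, and it assumes Java 16 or later for records. An unregistered storage handler is denied rather than routed to the path check, which is an assumption of this sketch.

```java
import java.util.Map;
import java.util.Set;
// Added illustration: every name here is hypothetical, none is an HCatalog or Hive class.
public class DelegationAuthDemo {
    enum Action { READ, WRITE }
    // What a DDL statement touches: a location and an optional storage handler name.
    record Target(String location, String storageHandler) {}

    interface AuthProvider { // implementations throw SecurityException on denial
        void authorize(String user, Target target, Set<Action> required);
    }

    // Location-based check: the user needs the required actions on the path itself.
    static final class PathAuthProvider implements AuthProvider {
        private final Map<String, Map<String, Set<Action>>> acl; // path -> user -> actions
        PathAuthProvider(Map<String, Map<String, Set<Action>>> acl) { this.acl = acl; }
        public void authorize(String user, Target target, Set<Action> required) {
            Set<Action> granted = acl.getOrDefault(target.location(), Map.of())
                                     .getOrDefault(user, Set.of());
            if (!granted.containsAll(required)) // no entry means no access
                throw new SecurityException(user + " lacks " + required + " on " + target.location());
        }
    }

    // Routes to the handler-specific provider when one is named, else to the path check.
    static final class DelegatingAuthProvider implements AuthProvider {
        private final AuthProvider pathProvider;
        private final Map<String, AuthProvider> byHandler;
        DelegatingAuthProvider(AuthProvider pathProvider, Map<String, AuthProvider> byHandler) {
            this.pathProvider = pathProvider;
            this.byHandler = byHandler;
        }
        public void authorize(String user, Target target, Set<Action> required) {
            AuthProvider p = target.storageHandler() == null
                ? pathProvider : byHandler.get(target.storageHandler());
            if (p == null) // assumption: unknown handler fails closed, no fallback to the path check
                throw new SecurityException("no provider for " + target.storageHandler());
            p.authorize(user, target, required);
        }
    }

    public static void main(String[] args) {
        AuthProvider auth = new DelegatingAuthProvider(new PathAuthProvider( // constructed sample ACL
            Map.of("/warehouse/t1", Map.of("alice", Set.of(Action.READ, Action.WRITE)))), Map.of());
        auth.authorize("alice", new Target("/warehouse/t1", null), Set.of(Action.READ, Action.WRITE));
        try { auth.authorize("bob", new Target("/warehouse/t1", "hbase"), Set.of(Action.WRITE)); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```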