[
https://issues.apache.org/jira/browse/HCATALOG-245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202826#comment-13202826
]
Enis Soztutar commented on HCATALOG-245:
----------------------------------------
There are a couple of things missing in Hive's auth.
- The auth calls for CREATE operations are not called with the target object.
For example, CREATE TABLE calls authorize(db,..), but not (table, ...). This
prevents the location checks from being done on the table.
- ALTER TABLE or PARTITION statements for changing the table's location do
not fit very well into the interface. In the patch, for alter table location
statements, we check for write access for both the old table location and new
table location.
- Database operations are not associated with required privileges in
HiveOperation. This means Hive itself does not check any authorization for db
operations.
Having said that, these can be fixed in Hive, but it will take some time, since
the changes should also not affect Hive's current auth implementation. I
would suggest going with this patch, and opening another one for backporting
the Delegation, hdfs and HBase auth providers to Hive. WDYT?
> StorageHandler authorization providers
> ---------------------------------------
>
> Key: HCATALOG-245
> URL: https://issues.apache.org/jira/browse/HCATALOG-245
> Project: HCatalog
> Issue Type: Sub-task
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
> Attachments: hcat-auth_v1.patch
>
>
> As per the design in the parent issue, we will delegate the authorization
> checks to the storage handler (hdfs is considered as a storage handler as
> well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.
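
A minimal model of the location checks the comment above describes, added here as an illustration; it is not code from hcat-auth_v1.patch or from Hive. The ACL table, the function names, and the rule that a path with no entry of its own is judged by its nearest ancestor are assumptions made for the example.

```python
from pathlib import PurePosixPath

# Constructed sample ACL: storage path -> users allowed to write there.
WRITERS = {
    "/warehouse": {"etl"},
    "/warehouse/sales.db": {"etl", "alice"},
    "/warehouse/sales.db/orders": {"alice"},
    "/secure": {"admin"},
}

class AuthorizationError(Exception):
    pass

def effective_path(location):
    """Return the location, or its nearest ancestor that has an ACL entry.
    Assumption: a path that does not exist yet is judged by the directory
    it would be created in."""
    p = PurePosixPath(location)
    for candidate in (p, *p.parents):
        if str(candidate) in WRITERS:
            return str(candidate)
    raise AuthorizationError(f"no ACL covers {location}")

def check_write(user, location):
    holder = effective_path(location)
    if user not in WRITERS[holder]:
        raise AuthorizationError(f"{user} lacks write on {holder}")

def authorize_create_table(user, db_location, table_location):
    # Authorizing against the database alone never looks at where the new
    # table will live, so the table's target location is checked as well.
    check_write(user, db_location)
    check_write(user, table_location)

def authorize_alter_location(user, old_location, new_location):
    # Write access is required on both the old and the new table location.
    check_write(user, old_location)
    check_write(user, new_location)

def allowed(check, *args):
    """Run one of the authorize_* checks and report the decision as a bool."""
    try:
        check(*args)
        return True
    except AuthorizationError:
        return False
```
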