[ https://issues.apache.org/jira/browse/HIVE-78?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12652252#action_12652252 ]
Ashish Thusoo commented on HIVE-78:
-----------------------------------

The roles are actually per object. I would say that these are at least per table, if not per partition. I don't have a use case for the latter, but separation on the basis of table is actually very very desirable. Given that, and the fact that currently we have around 5000 tables in our warehouse, do you have some idea of how realms will scale with such a large number of objects?

I agree that a generic recursive role infrastructure does not have a lot of utility, but considering that we have so many permissions, I would think that it would be quite cumbersome for an administrator to enumerate all of them for every user that is created (though some good defaults can surely alleviate some of the concerns here). So I think being able to package permissions into some higher level roles would help. Note that we do not need a generic role within a role, but it would be nice to have a role be a set of permissions on certain objects and an ability to allow the authorization framework to associate a role or permission with a user. The other way to do this is to define groups which can be assigned a set of permissions and a set of users. That level of indirection would also work in reducing the number of user to permission assignments that we would have to make otherwise.

I agree that authentication and authorization (much of what I have been talking about in this comment) need to be separated out, and while we use the directory infrastructure for authentication, we should store the authorization information in the metastore as that is specific to our application and no sane directory administrator would allow us to touch the directory to support custom attributes.

If we do that separation, then Realms perhaps can take care of just the authentication portion, and once the user is authenticated, the authorization infrastructure looks up the user by ID in the metastore to figure out what capabilities the user has. Is that what you have in mind? In this scenario, I presume that we would have a realm for AD and just have all the users authenticate with that realm. So the number of realms would be a function of the number of directories or user repositories as opposed to being a function of the number of objects.

> Authentication infrastructure for Hive
> --------------------------------------
>
> Key: HIVE-78
> URL: https://issues.apache.org/jira/browse/HIVE-78
> Project: Hadoop Hive
> Issue Type: New Feature
> Components: Server Infrastructure
> Reporter: Ashish Thusoo
> Assignee: Edward Capriolo
>
> Allow hive to integrate with existing user repositories for authentication
> and authorization information.
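A small model of the split discussed in this comment, added here as an example and not code from Hive or from the commenter: a realm that only authenticates, a metastore-style store in which a role is a flat set of per-table permissions, and a count of the assignment rows an administrator would maintain with one role versus direct per-user grants over 5000 tables. The names (`AuthzStore`, `Realm`, `authorize`, `build_demo`) and the sample credentials are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (table, action), e.g. ("t0001", "SELECT")


@dataclass
class AuthzStore:
    """Authorization data as it would live in the metastore, keyed by user id.
    A role is a flat set of per-table permissions (no role-within-role)."""
    roles: Dict[str, FrozenSet[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    direct_grants: Dict[str, Set[Permission]] = field(default_factory=dict)

    def effective_permissions(self, user: str) -> Set[Permission]:
        perms = set(self.direct_grants.get(user, set()))
        for role in self.user_roles.get(user, set()):
            perms |= self.roles[role]
        return perms

    def assignment_rows(self) -> int:
        """Rows an administrator maintains: role contents + user->role + direct."""
        return (sum(len(g) for g in self.roles.values())
                + sum(len(r) for r in self.user_roles.values())
                + sum(len(g) for g in self.direct_grants.values()))


class Realm:
    """Authentication only; stands in for the directory (AD) realm."""
    def __init__(self, credentials: Dict[str, str]) -> None:
        self._creds = credentials  # constructed sample credentials

    def authenticate(self, user: str, secret: str) -> bool:
        return self._creds.get(user) == secret


def authorize(realm: Realm, store: AuthzStore, user: str, secret: str,
              table: str, action: str) -> bool:
    """Realm authenticates first; the metastore lookup by user id then decides."""
    return (realm.authenticate(user, secret)
            and (table, action) in store.effective_permissions(user))


def build_demo(n_tables: int = 5000, n_users: int = 100) -> Tuple[AuthzStore, AuthzStore]:
    """Same access expressed via one 'analyst' role vs. direct per-user grants."""
    selects = frozenset((f"t{i:04d}", "SELECT") for i in range(n_tables))
    via_role, direct = AuthzStore(), AuthzStore()
    via_role.roles["analyst"] = selects
    for u in range(n_users):
        via_role.user_roles[f"user{u}"] = {"analyst"}
        direct.direct_grants[f"user{u}"] = set(selects)
    return via_role, direct
```

Both stores grant identical effective permissions, but the role-based one holds 5100 rows against 500000 for direct grants, which is the indirection the comment argues for.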