lirui-apache commented on pull request #16745: URL: https://github.com/apache/flink/pull/16745#issuecomment-895854266
> because authentication and authorization are different, and in non-secure cluster, the authentication is disabled, and the authorization may be enabled

But the problem is `HiveCatalog` (or the underlying metastore client) still uses UGI to make the connection to HMS. If authorization is a concern, wouldn't that trigger the issue first, before you can create any tables? Even if the connection can be made, the authorization check still relies on UGI. For example, in storage-based authorization, HMS checks FS permission with the client UGI.

BTW, the `HiveCatalog` instance won't be used on TMs. If you use sql-client, it's only used on the client node. If you submit a program in application mode, it's used on the JM.

And the current UGI in a non-secure env is usually the user running the process, not the hostname of the machine.
