lirui-apache commented on pull request #16745:
URL: https://github.com/apache/flink/pull/16745#issuecomment-900769304


   > > Could you post links to the authentication design you mentioned? I tried with hive 2.3.6 and found this is actually allowed. For example, in a kerberized env, you can kinit as `user1` but run Hive CLI as `user2`. And choose `SessionStateConfigUserAuthenticator` as the authentication provider. Then you can create tables whose owner is `user2`. Besides, Hive 3.x supports [altering table owner](https://issues.apache.org/jira/browse/HIVE-18762), so I doubt Hive requires table owner to be the same as the UGI creating the table in a secure cluster.
   > 
   > I don't have a link. According to development experience, in a security cluster, the authorized user must be the same as the authenticated user or proxy user, and the authenticated user cannot be changed. Therefore, in a security cluster, authorized users cannot be specified.
   > OK, I have updated the PR.
   
   Firstly, I don't think there's such a thing as "authorized user". User identity is solely determined by authentication, and authorization is to determine what the user can access. Secondly, the question here is not about whether we should do authorization with the authenticated user, it's about whether we should require the table owner to be the same as the authenticated user creating that table. If Hive itself doesn't enforce such a requirement, we shouldn't do it in Flink.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
