[
https://issues.apache.org/jira/browse/HIVE-20457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591838#comment-16591838
]
Thejas M Nair commented on HIVE-20457:
--------------------------------------
When either sql standard authorization or ranger authorization is enabled, it
automatically limits the configuration changes to configs in a whitelist. The
config that is used for this can also be configured using [whitelist
configuration|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.security.authorization.sqlstd.confwhitelist]
There is also
[hive.conf.restricted.list|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.conf.restricted.list]
config parameter.
There is also another authorizer that does limited checks which includes
whitelist auto-setup, which is in the works. This one would work well with
storage based authorization.
> Create authorization mechanism for granting/revoking privileges to change
> Hive properties
> -----------------------------------------------------------------------------------------
>
> Key: HIVE-20457
> URL: https://issues.apache.org/jira/browse/HIVE-20457
> Project: Hive
> Issue Type: Improvement
> Components: Security
> Reporter: Oleksiy Sayankin
> Assignee: Oleksiy Sayankin
> Priority: Critical
> Labels: authorization
>
> At the moment any user in Hive can change any property of Hive. So he can set
> {{hive.exec.pre.hooks}} to hook that implements dangerous code. It would be
> nice to create roles and assign list of properties that particular role is
> able to modify. For example, {{admin}} role has permissions to change any
> property, and {{hive_client}} can change only {{hive.txn.timeout}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
