[jira] [Updated] (HIVE-25444) Make tables based on storage handlers authorization (HIVE-24705) configurable.

Wed, 11 Aug 2021 13:44:16 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-25444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HIVE-25444:
----------------------------------
    Labels: pull-request-available  (was: )

> Make tables based on storage handlers authorization (HIVE-24705) configurable.
> ------------------------------------------------------------------------------
>
>                 Key: HIVE-25444
>                 URL: https://issues.apache.org/jira/browse/HIVE-25444
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Using a config "hive.security.authorization.tables.on.storagehandlers" with 
> default true, we'll enable the authorization on storage handlers by default. 
> Authorization is disabled if this config is set to false. 
> Background: Previously, whenever a user is trying to create a table based on 
> a storage handler, the end user we are seeing in the external storage (Ex: 
> hbase, kafka, and druid) is ‘hive’ so we cannot really enforce the condition 
> in ranger on the end-user.
> https://issues.apache.org/jira/browse/HIVE-24705 solved this security issue, 
> by enforcing a check in Apache ranger for hive service. This patch had 
> changes in both hive and ranger. (ranger client depends on hive changes). Now 
> the reason why we to make this feature configurable is that users can update 
> hive code but not ranger code. In that case, users see a permission denied 
> error when executing a statement like: {{CREATE TABLE hive_table_0(key int, 
> value string) STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'}} 
> but user/admin cannot add a ranger policy in the hive because ranger code is 
> not updated. By making this feature configurable,  we’ll unblock users from 
> creating tables based on storage handlers as they were previously doing.
> Users can turn 'off' this config if they don't have updated the ranger code.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to