[ https://issues.apache.org/jira/browse/HIVE-15120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15638405#comment-15638405 ]

Thejas M Nair commented on HIVE-15120:
--------------------------------------

 * I think we can enable this flag to true for new releases, and for backport 
to 2.1 we can set this to false, so that we don't change behavior in a bug fix 
release.
 * driver.run("remoke drop on table "+tblName+" from user "+userName);  - It 
should be revoke. ( looks like the protected methods don't get run anyways!)
 * The test added in TestStorageBasedMetastoreAuthorizationProvider isn't 
running, I assume that is because it is protected, not a public method. See 
https://builds.apache.org/job/PreCommit-HIVE-Build/1977/testReport/org.apache.hadoop.hive.ql.security/TestStorageBasedMetastoreAuthorizationProvider/
 * +  private Configuration conf; . This isn't necessary. Looks like getConf() 
already returns the config
 * Use conf.getBoolean(HiveConf.ConfVars.METASTORE_AUTHORIZATION_EXTERNALTABLE_DROP_CHECK.varname, false) => conf.getBoolean(HiveConf.ConfVars.METASTORE_AUTHORIZATION_EXTERNALTABLE_DROP_CHECK.varname, HiveConf.ConfVars.METASTORE_AUTHORIZATION_EXTERNALTABLE_DROP_CHECK.defaultBoolVal). 
We should do a cleanup later to just use HiveConf in the class.


> Storage based auth: allow option to enforce write checks for external tables
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-15120
>                 URL: https://issues.apache.org/jira/browse/HIVE-15120
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Thejas M Nair
>            Assignee: Daniel Dai
>         Attachments: HIVE-15120.1.patch
>
>
> Under storage based authorization, we don't require write permissions on 
> table directory for external table create/drop.
> This is because external table contents are populated often from outside of 
> hive and are not written into from hive. So write access is not needed. Also, 
> we can't require write permissions to drop a table if we don't require them 
> for creation (users who created them should be able to drop them).
> However, this difference in behavior of external tables is not well 
> documented. So users get surprised to learn that drop table can be done by 
> just any user who has read access to the directory. At that point changing 
> the large number of scripts that use external tables is hard. 
> It would be good to have a user config option to have external tables 
> treated the same as managed tables.
> The option should be off by default, so that the behavior is backward 
> compatible by default.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
