[jira] [Commented] (HIVE-15120) Storage based auth: allow option to enforce write checks for external tables

Tue, 25 Jul 2017 22:37:55 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-15120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101198#comment-16101198
 ] 

Lefty Leverenz commented on HIVE-15120:
---------------------------------------

Doc note:  This adds 
*hive.metastore.authorization.storage.check.externaltable.drop* to 
HiveConf.java, so it needs to be documented in the wiki.

* [Configuration Properties -- MetaStore | 
https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-MetaStore]

Added TODOC1.3 and TODOC2.2 labels.

> Storage based auth: allow option to enforce write checks for external tables
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-15120
>                 URL: https://issues.apache.org/jira/browse/HIVE-15120
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Thejas M Nair
>            Assignee: Daniel Dai
>              Labels: TODOC1.3, TODOC2.2
>             Fix For: 1.3.0, 2.2.0
>
>         Attachments: HIVE-15120.1.patch, HIVE-15120.2.patch, 
> HIVE-15120.3.patch, HIVE-15120.4.patch
>
>
> Under storage based authorization, we don't require write permissions on 
> table directory for external table create/drop.
> This is because external table contents are populated often from outside of 
> hive and are not written into from hive. So write access is not needed. Also, 
> we can't require write permissions to drop a table if we don't require them 
> for creation (users who created them should be able to drop them).
> However, this difference in behavior of external tables is not well 
> documented. So users get surprised to learn that drop table can be done by 
> just any user who has read access to the directory. At that point changing 
> the large number of scripts that use external tables is hard. 
> It would be good to have a user config option to have external tables to be 
> treated same as managed tables.
> The option should be off by default, so that the behavior is backward 
> compatible by default.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to