[jira] [Comment Edited] (HIVE-15120) Storage based auth: allow option to enforce write checks for external tables

Thu, 07 Dec 2017 17:27:01 -0800 

    [ 
https://issues.apache.org/jira/browse/HIVE-15120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16156688#comment-16156688
 ] 

Lefty Leverenz edited comment on HIVE-15120 at 12/8/17 12:30 AM:
-----------------------------------------------------------------

In the code, the flag, 
hive.metastore.authorization.storage.check.externaltable.drop, is true by 
default. 
But In comments, it saids "The flag is set to false by default to maintain 
backward compatibility."
Comments /Doc or the flag default value, should be modified.

Edit 07/Dec/17:  Just a typo fix (flay -> flag) but also a +1 for fixing the 
parameter description.


was (Author: yuan_zac):
In the code, the flag, 
hive.metastore.authorization.storage.check.externaltable.drop, is true by 
default. 
But In comments, it saids "The flag is set to false by default to maintain 
backward compatibility."
Comments /Doc or the flay default value, should be modified.  

> Storage based auth: allow option to enforce write checks for external tables
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-15120
>                 URL: https://issues.apache.org/jira/browse/HIVE-15120
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Thejas M Nair
>            Assignee: Daniel Dai
>              Labels: TODOC1.3, TODOC2.2
>             Fix For: 1.3.0, 2.2.0
>
>         Attachments: HIVE-15120.1.patch, HIVE-15120.2.patch, 
> HIVE-15120.3.patch, HIVE-15120.4.patch
>
>
> Under storage based authorization, we don't require write permissions on 
> table directory for external table create/drop.
> This is because external table contents are populated often from outside of 
> hive and are not written into from hive. So write access is not needed. Also, 
> we can't require write permissions to drop a table if we don't require them 
> for creation (users who created them should be able to drop them).
> However, this difference in behavior of external tables is not well 
> documented. So users get surprised to learn that drop table can be done by 
> just any user who has read access to the directory. At that point changing 
> the large number of scripts that use external tables is hard. 
> It would be good to have a user config option to have external tables to be 
> treated same as managed tables.
> The option should be off by default, so that the behavior is backward 
> compatible by default.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to