[jira] [Commented] (HIVE-9681) Extend HiveAuthorizationProvider to support partition-sets.

2015-04-30 Thread Sushanth Sowmyan (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14521203#comment-14521203 ]

Sushanth Sowmyan commented on HIVE-9681:


+1, test failures are unrelated.

 Extend HiveAuthorizationProvider to support partition-sets.
 ---

 Key: HIVE-9681
 URL: https://issues.apache.org/jira/browse/HIVE-9681
 Project: Hive
  Issue Type: Bug
  Components: Security
Affects Versions: 0.14.0
Reporter: Mithun Radhakrishnan
Assignee: Mithun Radhakrishnan
 Attachments: HIVE-9681.1.patch, HIVE-9681.2.patch


 {{HiveAuthorizationProvider}} allows only for the authorization of a single 
 partition at a time. For instance, when the {{StorageBasedAuthProvider}} must 
 authorize an operation on a set of partitions (say from a 
 PreDropPartitionEvent), each partition's data-directory needs to be checked 
 individually. For N partitions, this results in N namenode calls.
 I'd like to add {{authorize()}} overloads that accept multiple partitions. 
 This will allow StorageBasedAuthProvider to make batched namenode calls. 
 P.S. There are 2 further optimizations that are possible:
 1. In the ideal case, we'd have a single call in 
 {{org.apache.hadoop.fs.FileSystem}} to check access for an array of Paths, 
 something like:
 {code:title=FileSystem.java|borderStyle=solid}
 @InterfaceAudience.LimitedPrivate({"HDFS", "Hive"})
 public void access(Path[] paths, FsAction mode)
     throws AccessControlException, FileNotFoundException, IOException
 {...}
 {code}
 2. We can go one better if we could retrieve partition-locations in DirectSQL 
 and use those for authorization. The EventListener-abstraction behind which 
 the AuthProviders operate makes this difficult. I can attempt to solve this
 using a PartitionSpec and a call-back into the ObjectStore from 
 StorageBasedAuthProvider. I'll save this rigmarole for later.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
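
The call-count difference described in the issue, as an added example that is not part of the original thread or of Hive's or Hadoop's code. StubNameNode, its ACL map and the partition paths are constructed stand-ins, and the list-taking access() only mirrors the shape of the overload proposed in the description; the point to preserve when batching is that one unauthorized partition still rejects the whole operation.

```java
import java.util.*;

// Added illustration; none of these types are Hive or Hadoop classes.
public class BatchedAuthSketch {
    /** Hypothetical stand-in for the namenode: counts round trips, holds constructed ACLs. */
    static class StubNameNode {
        final Map<String, Set<String>> writers = new HashMap<>();
        int calls = 0;

        // One round trip per path: the shape of the per-partition check.
        void access(String path, String user) {
            calls++;
            check(path, user);
        }

        // One round trip for the whole set: the shape proposed in the issue.
        void access(List<String> paths, String user) {
            calls++;
            for (String p : paths) check(p, user);   // any failure rejects the whole set
        }

        private void check(String path, String user) {
            if (!writers.getOrDefault(path, Set.of()).contains(user))
                throw new SecurityException(user + " may not write " + path);
        }
    }

    public static void main(String[] args) {
        StubNameNode nn = new StubNameNode();
        List<String> parts = new ArrayList<>();
        for (int d = 1; d <= 5; d++) {               // constructed partition directories
            String dir = "/warehouse/t/dt=2015-04-0" + d;
            parts.add(dir);
            nn.writers.put(dir, new HashSet<>(Set.of("alice")));
        }
        for (String p : parts) nn.access(p, "alice");             // N partitions, N calls
        System.out.println("per-partition calls: " + nn.calls);
        nn.calls = 0;
        nn.access(parts, "alice");                                // N partitions, 1 call
        System.out.println("batched calls: " + nn.calls);
        nn.writers.get(parts.get(3)).remove("alice");             // revoke one partition
        try {
            nn.access(parts, "alice");
        } catch (SecurityException e) {
            System.out.println("drop denied: " + e.getMessage());
        }
    }
}
```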


[jira] [Commented] (HIVE-9681) Extend HiveAuthorizationProvider to support partition-sets.

2015-04-29 Thread Sushanth Sowmyan (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14518861#comment-14518861 ]

Sushanth Sowmyan commented on HIVE-9681:


+1, marking as patch-available for tests to run, now that HIVE-9674 has been 
committed.
