?Yes. That's right. In secure mode, the streaming connection will set hive.metastore.sasl.enabled to true which will create an UGI assuming transport so all thrift calls are done using logged in user.
Thanks and Regards Prasanth Jayachandran ________________________________ From: Stig Rohde Døssing <stigdoess...@gmail.com> Sent: Wednesday, March 13, 2019 12:44 AM To: user@hive.apache.org Subject: Re: Hive-streaming security Thanks Prasanth. Is the automatic authentication a property of the underlying MetaStoreClient? Den ons. 13. mar. 2019 kl. 08.34 skrev Prasanth Jayachandran <pjayachand...@hortonworks.com<mailto:pjayachand...@hortonworks.com>>: Hi If you are logged in, the hive streaming ingest API will use doAs for all metastore calls automatically using the logged in user. Thanks and Regards Prasanth Jayachandran ________________________________ From: Stig Rohde Døssing <stigdoess...@gmail.com<mailto:stigdoess...@gmail.com>> Sent: Wednesday, March 13, 2019 12:19 AM To: user@hive.apache.org<mailto:user@hive.apache.org> Subject: Re: Hive-streaming security Sorry, should have looked harder. The docs say to log in before invoking the API. I think this means I should be wrapping calls with doAs? Den ons. 13. mar. 2019 kl. 08.09 skrev Stig Rohde Døssing <stigdoess...@gmail.com<mailto:stigdoess...@gmail.com>>: Hi, The hive-hcatalog-streaming client (HiveEndpoint) took a UserGroupInformation in the constructor for connections, and automatically wrapped calls as necessary with UserGroupInformation.doAs. I'm migrating an application from hive-hcatalog-streaming to hive-streaming. There's no mention of security at https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2, and I don't see any doAs in the code. Should I manually wrap calls to HiveStreamingConnection with doAs, or is this handled by the new client? If so, is there a list of calls that should be wrapped?