[
https://issues.apache.org/jira/browse/HIVE-78?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12923719#action_12923719
]
Todd Lipcon commented on HIVE-78:
---------------------------------
I'm a little unclear on how the user identity is passed down to the MR layer.
Carl and I had chatted about this a few weeks back -- is the idea now that all
hive queries will run MR jobs as a "hive" user, rather than "todd"? If so, we
need to add authorization control for UDFs and TRANSFORM as well, since a user
could trivially take over the "hive" user credentials from within a UDF. If the
MR jobs will continue to run as "todd", then I don't understand how we can
apply any permissions model that is any different than HDFS permissions. More
restrictive is impossible because I can just read the files myself, and less
restrictive is impossible because HDFS is applying permissions based on the
"todd" identity.
> Authorization infrastructure for Hive
> -------------------------------------
>
> Key: HIVE-78
> URL: https://issues.apache.org/jira/browse/HIVE-78
> Project: Hive
> Issue Type: New Feature
> Components: Server Infrastructure
> Reporter: Ashish Thusoo
> Assignee: He Yongqiang
> Attachments: createuser-v1.patch, hive-78-metadata-v1.patch,
> hive-78-syntax-v1.patch, hive-78.diff
>
>
> Allow hive to integrate with existing user repositories for authentication
> and authorization infromation.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
