[ https://issues.apache.org/jira/browse/HIVE-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12978176#action_12978176 ]
John Sichi commented on HIVE-1696:
----------------------------------

HIVE-78 (which is really large, and conflicts with this one due to the metastore codegen) has been wending its way through review for quite some time; I think Namit is going to try to get it committed tomorrow, and then we'll need an update on this one.

A few comments from me:

* HIVE-78's metastore API additions also reference "principal", but it has a different meaning, so we should find a way to distinguish them.

* The new conf variable should be named hive.metastore.token.signature

* In HadoopShims.java, the overload for getTokenStrForm needs Javadoc for the tokenSignature parameter

> Add delegation token support to metastore
> -----------------------------------------
>
> Key: HIVE-1696
> URL: https://issues.apache.org/jira/browse/HIVE-1696
> Project: Hive
> Issue Type: Sub-task
> Components: Metastore, Security, Server Infrastructure
> Reporter: Todd Lipcon
> Fix For: 0.7.0
>
> Attachments: hive-1696-1-with-gen-code.patch, hive-1696-1.patch,
> hive-1696-3-with-gen-code.patch, hive-1696-3.patch, hive_1696.patch,
> hive_1696.patch, hive_1696_no-thrift.patch
>
>
> As discussed in HIVE-842, kerberos authentication is only sufficient for
> authentication of a hive user client to the metastore. There are other cases
> where thrift calls need to be authenticated when the caller is running in an
> environment without kerberos credentials. For example, an MR task running as
> part of a hive job may want to report statistics to the metastore, or a job
> may be running within the context of Oozie or Hive Server.
> This JIRA is to implement support of delegation tokens for the metastore. The
> concept of a delegation token is borrowed from the Hadoop security design -
> the quick summary is that a kerberos-authenticated client may retrieve a
> binary token from the server. This token can then be passed to other clients
> which can use it to achieve authentication as the original user in lieu of a
> kerberos ticket.
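
The token flow summarized in the issue description, as an added example that is not part of the original message and is not Hive's or Hadoop's code: a simplified Python model in which the server derives the token secret as an HMAC over the identifier, and the token holder proves knowledge of it through a challenge-response instead of a Kerberos ticket. The class, function and field names, the JSON identifier layout and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import time


# Simplified model of the delegation-token idea; every name here is hypothetical.
class TokenIssuer:
    """Server side: holds a master key that never leaves the server."""

    def __init__(self, lifetime_s=3600):
        self._master_key = os.urandom(32)
        self._lifetime_s = lifetime_s

    def _password(self, identifier: bytes) -> bytes:
        # The token secret is a MAC over the identifier, so the server can
        # recompute it on demand and any change to the identifier is detected.
        return hmac.new(self._master_key, identifier, hashlib.sha256).digest()

    def issue(self, authenticated_user: str, now=None):
        """Call only after the caller has authenticated (e.g. with Kerberos)."""
        now = time.time() if now is None else now
        identifier = json.dumps(
            {"owner": authenticated_user, "expires": now + self._lifetime_s},
            sort_keys=True,
        ).encode()
        return identifier, self._password(identifier)

    def authenticate(self, identifier: bytes, nonce: bytes, response: bytes, now=None):
        """Return the owner if the response proves knowledge of the token secret."""
        now = time.time() if now is None else now
        expected = respond(self._password(identifier), nonce)
        # Check the MAC before parsing, so unauthenticated bytes are never decoded.
        if not hmac.compare_digest(expected, response):
            return None  # forged or altered identifier, or wrong secret
        fields = json.loads(identifier)
        if now > fields["expires"]:
            return None  # expired tokens are refused even when the MAC is valid
        return fields["owner"]


def respond(password: bytes, nonce: bytes) -> bytes:
    """Token holder side: answer a fresh server nonce without sending the secret."""
    return hmac.new(password, nonce, hashlib.sha256).digest()
```

The identifier and secret together are a bearer credential for the original user until expiry, so whatever channel hands them to a task needs the same protection as the user's own credentials.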