[
https://issues.apache.org/jira/browse/HIVE-9681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mithun Radhakrishnan updated HIVE-9681:
---------------------------------------
Attachment: HIVE-9681.1.patch
Here's a proposal.
> Extend HiveAuthorizationProvider to support partition-sets.
> -----------------------------------------------------------
>
> Key: HIVE-9681
> URL: https://issues.apache.org/jira/browse/HIVE-9681
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 0.14.0
> Reporter: Mithun Radhakrishnan
> Assignee: Mithun Radhakrishnan
> Attachments: HIVE-9681.1.patch
>
>
> {{HiveAuthorizationProvider}} allows only for the authorization of a single
> partition at a time. For instance, when the {{StorageBasedAuthProvider}} must
> authorize an operation on a set of partitions (say from a
> PreDropPartitionEvent), each partition's data-directory needs to be checked
> individually. For N partitions, this results in N namenode calls.
> I'd like to add {{authorize()}} overloads that accept multiple partitions.
> This will allow StorageBasedAuthProvider to make batched namenode calls.
> P.S. There's 2 further optimizations that are possible:
> 1. In the ideal case, we'd have a single call in
> {{org.apache.hadoop.fs.FileSystem}} to check access for an array of Paths,
> something like:
> {code:title=FileSystem.java|borderStyle=solid}
> @InterfaceAudience.LimitedPrivate({"HDFS", "Hive"})
> public void access(Path [] paths, FsAction mode) throws
> AccessControlException, FileNotFoundException, IOException
> {...}
> {code}
> 2. We can go one better if we could retrieve partition-locations in DirectSQL
> and use those for authorization. The EventListener-abstraction behind which
> the AuthProviders operate make this difficult. I can attempt to solve this
> using a PartitionSpec and a call-back into the ObjectStore from
> StorageBasedAuthProvider. I'll save this rigmarole for later.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
