[ https://issues.apache.org/jira/browse/HIVE-2616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159862#comment-13159862 ]

Ashutosh Chauhan commented on HIVE-2616:
----------------------------------------

Some details:
Currently the metastore client, when connecting with the metastore server, doesn't pass 
on its identity in unsecure mode. In secure mode the connection is wrapped in 
a sasl connection which does pass the user identity, but only after doing 
kerberos based authentication. Hadoop also has similar requirements, where 
dfsclient requests namenode to perform certain operations on the user's behalf. In 
secure mode, user identity is passed through the sasl layer and in unsecure mode it 
is passed through the connection header. The Thrift metastore client-server connection, 
however, doesn't pass on any connection header at the time of connection setup. 
So, mimicking what hadoop does cannot yield the desired result in a backward 
compatible way. This patch takes an approach where it sends ugi information as 
the first rpc call from client to server straight after connection setup, which 
the server then caches and uses for subsequent rpcs. As a result a new thrift api 
set_ugi() is added. This ensures backward compatibility since an old client will 
never make this rpc, so the server will continue with its previous behavior, but 
will perform doAs() when ugi information is indeed made available by new 
clients.

                
> Passing user identity from metastore client to server in non-secure mode
> ------------------------------------------------------------------------
>
>                 Key: HIVE-2616
>                 URL: https://issues.apache.org/jira/browse/HIVE-2616
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>            Reporter: Ashutosh Chauhan
>            Assignee: Ashutosh Chauhan
>         Attachments: hive-2616.patch
>
>
> Currently in unsecure mode the client doesn't pass on user identity. As a result 
> hdfs and other operations done by the server get executed by the user running the 
> metastore process instead of being done in the context of the client. This results in 
> a problem as reported here: 
> http://mail-archives.apache.org/mod_mbox/hive-user/201111.mbox/%3CCAK0mCrRC3aPqtRHDe2J25Rm0JX6TS1KXxd7KPjqJjoqBjg=a...@mail.gmail.com%3E

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
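
The handshake described in the comment above, modelled in Python as an added example (it is not code from hive-2616.patch or from the Hive project). Only `set_ugi` comes from the comment; the class, the other RPC names, the user names and the audit log are assumptions made for illustration. It shows the per-connection cache, the fallback for old clients, and that in unsecure mode the cached name is simply what the client claimed.

```python
# Model of the connection-level behaviour only; no Thrift or Hadoop involved.
# Every name except set_ugi is hypothetical.
SERVER_PROCESS_USER = "hive"  # constructed: account running the metastore process


class Connection:
    """Server-side state kept for one client connection."""

    def __init__(self):
        self.cached_ugi = None  # stays None for clients that never call set_ugi

    def set_ugi(self, user, groups):
        # Unsecure mode: nothing here authenticates the claimed name.
        # In secure mode the identity comes from the SASL/Kerberos layer instead.
        self.cached_ugi = (user, tuple(groups))

    def effective_user(self):
        # New client: act as the cached user (stands in for the doAs() path).
        # Old client: no ugi was sent, so keep the previous behaviour.
        if self.cached_ugi is not None:
            return self.cached_ugi[0]
        return SERVER_PROCESS_USER

    def call(self, rpc_name, audit_log):
        # Record which user the operation would run as on the server side.
        user = self.effective_user()
        audit_log.append((rpc_name, user))
        return user


def run_demo():
    audit_log = []

    # Old client: goes straight to its first real RPC.
    old_client = Connection()
    old_client.call("create_table", audit_log)

    # New client: set_ugi is the first RPC after connection setup,
    # and the cached identity is reused for every later RPC.
    new_client = Connection()
    new_client.set_ugi("alice", ["analysts"])
    new_client.call("create_table", audit_log)
    new_client.call("drop_table", audit_log)
    return audit_log


if __name__ == "__main__":
    for rpc, user in run_demo():
        print(f"{rpc} executed as {user}")
```
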
