[ https://issues.apache.org/jira/browse/HIVE-3705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Phabricator updated HIVE-3705:
------------------------------
Attachment: HIVE-3705.D6681.1.patch
khorgath requested code review of "HIVE-3705 [jira] Adding authorization capability to the metastore".
Reviewers: JIRA
HIVE-3705 Enabling authorization from the metastore:

New HiveConf parameters:
  hive.security.metastore.authorization.enabled : true/false determining whether or not to do authorization in the metastore
  hive.security.metastore.authorization.manager : The class to load to do metastore-side authorization
  hive.security.metastore.authenticator.manager : The class to load to do metastore-side authentication

If the first parameter isn't set, default behaviour of hive in both client-mode and metastore-mode is not affected, and this is disabled by default.

New Interface :
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java :
    an extension of HiveAuthorizationProvider, except with one more function that allows the metastore to pass an HMSHandler to it

Modifications of existing classes :
  Minor modifications :
    ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java :
      added ability to instantiate HiveAuth{orization,entication}Providers given HiveConf key to use
    ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java :
      changed to account for above
  Major modifications :
    ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java :
      refactored to introduce a new HiveProxy that can proxy for either a hive object or an HMSHandler to perform necessary metadata operations
    ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java :
      refactored most of the functionality into a new class : BitSetCheckedAuthorizationProvider, which in turn is extended trivially by DefaultHiveAuthorizationProvider and DefaultHiveMetastoreAuthorizationProvider which implement small glue functionality to make them work from the hive client side and from the hive metastore respectively.

New Classes :
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java :
    As discussed above.
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java :
    As discussed above.
  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java :
    An implementation of the Hive Metastore PreEventListener interface that kicks off the metastore-side authorization

TEST PLAN
Following testcases added :
  ql/src/test/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java
  ql/src/test/org/apache/hadoop/hive/ql/security/TestAuthorizationPreEventListener.java
  ql/src/test/org/apache/hadoop/hive/ql/security/TestDefaultHiveMetastoreAuthorizationProvider.java

In an environment where multiple clients access a single metastore, and we
want to evolve hive security to a point where it's no longer simply preventing
users from shooting their own foot, we need to be able to authorize metastore
calls as well, instead of simply performing every metastore api call that's
made.
REVISION DETAIL
https://reviews.facebook.net/D6681
AFFECTED FILES
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
conf/hive-default.xml.template
ql/src/java/org/apache/hadoop/hive/ql/metadata/HiveUtils.java
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationPreEventListener.java
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationProvider.java
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveMetastoreAuthorizationProvider.java
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java
ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
ql/src/test/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java
ql/src/test/org/apache/hadoop/hive/ql/security/TestAuthorizationPreEventListener.java
ql/src/test/org/apache/hadoop/hive/ql/security/TestDefaultHiveMetastoreAuthorizationProvider.java
To: JIRA, khorgath
> Adding authorization capability to the metastore
> ------------------------------------------------
>
> Key: HIVE-3705
> URL: https://issues.apache.org/jira/browse/HIVE-3705
> Project: Hive
> Issue Type: New Feature
> Components: Authorization, Metastore
> Reporter: Sushanth Sowmyan
> Attachments: HIVE-3705.D6681.1.patch, hivesec_investigation.pdf
>
>
> In an environment where multiple clients access a single metastore, and we
> want to evolve hive security to a point where it's no longer simply
> preventing users from shooting their own foot, we need to be able to
> authorize metastore calls as well, instead of simply performing every
> metastore api call that's made.
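
The design summarized in the review request above (a pre-event listener that asks an authorization provider before the metastore acts, gated by hive.security.metastore.authorization.enabled) can be sketched as follows. This is an added illustration, not code from the patch or from Hive: every type and method name in it is a simplified, hypothetical stand-in, and only the configuration key comes from the message.

```java
import java.util.*;

// Added illustration; every type here is a simplified, hypothetical stand-in, not a Hive class.
public class MetastoreAuthzSketch {
    enum Op { CREATE_TABLE, DROP_TABLE }

    // Stand-in for the metadata lookups a provider reaches through a proxy object.
    interface MetadataProxy { Set<Op> grantsFor(String user, String db); }

    // Stand-in for a metastore-side authorization provider: no matching grant means denial.
    static class Provider {
        private final MetadataProxy proxy;
        Provider(MetadataProxy proxy) { this.proxy = proxy; }
        void authorize(String user, String db, Op op) {
            if (!proxy.grantsFor(user, db).contains(op))
                throw new SecurityException(user + " lacks " + op + " on " + db);
        }
    }

    // Stand-in for a pre-event listener: it runs before the call changes any metadata.
    static class PreListener {
        private final boolean enabled;
        private final Provider provider;
        PreListener(Properties conf, Provider provider) {
            // Key taken from the review summary; unset means disabled, as the summary states.
            this.enabled = Boolean.parseBoolean(
                conf.getProperty("hive.security.metastore.authorization.enabled", "false"));
            this.provider = provider;
        }
        void onEvent(String user, String db, Op op) {
            if (enabled) provider.authorize(user, db, op); // a throw vetoes the call
        }
    }

    // Returns true if the metastore would go on to execute the call.
    static boolean attempt(PreListener l, String user, String db, Op op) {
        try { l.onEvent(user, db, op); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed sample grants: alice may create tables in "sales" and nothing else.
        Map<String, Set<Op>> grants = Map.of("alice@sales", EnumSet.of(Op.CREATE_TABLE));
        MetadataProxy proxy = (u, d) -> grants.getOrDefault(u + "@" + d, EnumSet.noneOf(Op.class));
        Properties on = new Properties();
        on.setProperty("hive.security.metastore.authorization.enabled", "true");
        PreListener enforcing = new PreListener(on, new Provider(proxy));
        PreListener legacy = new PreListener(new Properties(), new Provider(proxy));
        System.out.println(attempt(enforcing, "alice", "sales", Op.CREATE_TABLE));
        System.out.println(attempt(enforcing, "alice", "sales", Op.DROP_TABLE));
        System.out.println(attempt(legacy, "alice", "sales", Op.DROP_TABLE));
    }
}
```

The third call shows the operational consequence of the disabled-by-default setting: with the flag unset, the listener performs no check and the drop proceeds exactly as it would without the listener.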