[ https://issues.apache.org/jira/browse/HIVE-5928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13839442#comment-13839442 ]

Thejas M Nair commented on HIVE-5928:
-------------------------------------

The operation types for grant in HiveOperation are not sufficient for this 
interface. It has only GRANT_PRIVILEGE and REVOKE_PRIVILEGE. It needs to be 
extended to be able to authorize the specific privilege being granted. However, 
the privileges will depend on the authorization model. So the privilege will 
need to be passed to the authorization calls as a string.

> Add a hive authorization plugin api that does not assume privileges needed
> --------------------------------------------------------------------------
>
>                 Key: HIVE-5928
>                 URL: https://issues.apache.org/jira/browse/HIVE-5928
>             Project: Hive
>          Issue Type: Sub-task
>          Components: Authorization
>            Reporter: Thejas M Nair
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> The existing HiveAuthorizationProvider interface implementations can be used 
> to support custom authorization models.
> But this interface limits the customization for these reasons -
> 1. It has assumptions about the privileges required for an action.
> 2. It does not have functions that you can implement for having custom ways 
> of doing the actions of access control statements.
> This jira proposes a new interface HiveBaseAuthorizationProvider that does 
> not make assumptions of the privileges required for the actions. The 
> authorize() functions will be the equivalent of authorize(<hive object>, 
> <action>). It will also have functions that will be called from the access 
> control statements.
> The current HiveAuthorizationProvider will continue to be supported for 
> backward compatibility. There will be a subclass of 
> HiveBaseAuthorizationProvider that executes actions using this interface.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
