Prasad Mujumdar created HIVE-5987:
-------------------------------------
Summary: The secure metastore service should reject connection
from users that it can't impersonate
Key: HIVE-5987
URL: https://issues.apache.org/jira/browse/HIVE-5987
Project: Hive
Issue Type: Bug
Components: Metastore, Security
Affects Versions: 0.12.0
Reporter: Prasad Mujumdar
Assignee: Prasad Mujumdar

The secure metastore never allows a client to connect without a valid
Kerberos ticket. Also, the client requests are executed by impersonating the
requesting userid. If the metastore principal doesn't have privileges to
impersonate the connecting user, then the DDL operations (e.g. create table,
partition etc.) will fail. However, any user with a valid Kerberos ticket can
connect to the metastore service and perform read-only metadata operations, for
example getting the list of databases and tables, or the properties of each
table like HDFS location, file type etc.

The secure metastore behavior should be consistent. If the metastore server
doesn't have privileges to impersonate the connecting user, then it should
reject the connection.
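The gap described in this issue, as an added Python model that is not Hive code and not part of the original report: a metastore that checks impersonation only on DDL, beside one that checks it at connect time. The impersonation privilege is modelled as a group and host allow-list, which is an assumption (the issue does not say how it is configured), and all names, hosts and tables are constructed.

```python
# Added model, not Hive code. ACL layout, users, hosts and tables are constructed.
PROXY_ACL = {"groups": {"analysts"}, "hosts": {"10.0.0.5"}}  # who the service may act as
USER_GROUPS = {"alice": {"analysts"}, "mallory": {"contractors"}}
TABLES = {"default": ["sales"]}

class AccessDenied(Exception):
    pass

def can_impersonate(user, host):
    """True if the metastore principal may act as `user` connecting from `host`."""
    host_ok = "*" in PROXY_ACL["hosts"] or host in PROXY_ACL["hosts"]
    groups = USER_GROUPS.get(user, set())
    group_ok = "*" in PROXY_ACL["groups"] or bool(PROXY_ACL["groups"] & groups)
    return host_ok and group_ok

class Metastore:
    def __init__(self, check_on_connect):
        self.check_on_connect = check_on_connect
        self.tables = {db: list(t) for db, t in TABLES.items()}

    def connect(self, user, host, has_ticket):
        if not has_ticket:
            raise AccessDenied("no valid Kerberos ticket")
        # Proposed behavior: refuse the session if impersonation cannot work.
        if self.check_on_connect and not can_impersonate(user, host):
            raise AccessDenied("cannot impersonate " + user)
        return user, host

    def get_tables(self, session, db):
        return list(self.tables[db])  # read path: impersonation is never checked

    def create_table(self, session, db, name):
        if not can_impersonate(*session):  # DDL is executed as the requesting user
            raise AccessDenied("cannot impersonate " + session[0])
        self.tables[db].append(name)

def probe(ms, user, host="10.0.0.5"):
    """Return (connect, read, ddl) outcomes for one client holding a valid ticket."""
    try:
        session = ms.connect(user, host, has_ticket=True)
    except AccessDenied:
        return ("rejected", None, None)
    read = ms.get_tables(session, "default")
    try:
        ms.create_table(session, "default", "t_" + user)
        return ("accepted", read, "ok")
    except AccessDenied:
        return ("accepted", read, "denied")
```

With `check_on_connect=False` the user outside the allow-list still reads table metadata and only fails on DDL; with `check_on_connect=True` the same user is turned away before any metadata call.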