[
https://issues.apache.org/jira/browse/HIVE-5987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Prasad Mujumdar updated HIVE-5987:
----------------------------------
Attachment: HIVE-5987.1.patch
> The secure metastore service should reject connection from users that it
> can't impersonate
> ------------------------------------------------------------------------------------------
>
> Key: HIVE-5987
> URL: https://issues.apache.org/jira/browse/HIVE-5987
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security
> Affects Versions: 0.12.0
> Reporter: Prasad Mujumdar
> Assignee: Prasad Mujumdar
> Attachments: HIVE-5987.1.patch
>
>
> The secure metastore does not allow any client to connect without a
> valid Kerberos ticket. Also, the client requests are executed by impersonating
> the requesting userid. If the metastore principal doesn't have privileges to
> impersonate the connecting user, then the DDL operations (e.g. create table,
> partition, etc.) will fail. However, any user with a valid Kerberos ticket can
> connect to the metastore service and perform read-only metadata operations, for
> example, get the list of databases and tables, or properties of each table like
> HDFS location, file type, etc.
> The secure metastore behavior should be consistent. If the metastore server
> doesn't have privileges to impersonate the connecting user, then it should
> reject the connection.