[ https://issues.apache.org/jira/browse/HIVE-25444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sai Hemanth Gantasala updated HIVE-25444:
-----------------------------------------
    Description:
Using a config "hive.security.authorization.tables.on.storagehandlers" with default false, we'll disable the authorization on storage handlers by default. Authorization is enabled if this config is set to true.

Background: Previously, whenever a user is trying to create a table based on a storage handler, the end user we are seeing in the external storage (Ex: hbase, kafka, and druid) is ‘hive’ so we cannot really enforce the condition in ranger on the end-user.

https://issues.apache.org/jira/browse/HIVE-24705 solved this security issue, by enforcing a check in Apache ranger for hive service. This patch had changes in both hive and ranger. (ranger client depends on hive changes.)

Now the reason why I’m disabling this feature by default is that users can update hive code but not ranger code. In that case, users see a permission denied error when executing a statement like:
{{CREATE TABLE hive_table_0(key int, value string) STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'}}
but user/admin cannot add a ranger policy in hive because ranger code is not updated. This way we’ll unblock users from creating tables based on storage handlers as they were previously doing.

Users can turn on this config if they have updated ranger code.

  was:
Using a config "hive.security.authorization.tables.on.storagehandlers" with a default false, we'll disable the authorization on storage handlers by default. Authorization is enabled if this config is set to true. Back

> Use a config to disable authorization on tables based on storage handlers by default.
> -------------------------------------------------------------------------------------
>
>                 Key: HIVE-25444
>                 URL: https://issues.apache.org/jira/browse/HIVE-25444
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major