[
https://issues.apache.org/jira/browse/HIVE-25444?focusedWorklogId=733673&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-733673
]
ASF GitHub Bot logged work on HIVE-25444:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 28/Feb/22 00:17
Start Date: 28/Feb/22 00:17
Worklog Time Spent: 10m
Work Description: github-actions[bot] closed pull request #2583:
URL: https://github.com/apache/hive/pull/2583
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 733673)
Time Spent: 50m (was: 40m)
> Make tables based on storage handlers authorization (HIVE-24705) configurable.
> ------------------------------------------------------------------------------
>
> Key: HIVE-25444
> URL: https://issues.apache.org/jira/browse/HIVE-25444
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
> Reporter: Sai Hemanth Gantasala
> Assignee: Sai Hemanth Gantasala
> Priority: Major
> Labels: pull-request-available
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Using a config "hive.security.authorization.tables.on.storagehandlers" with
> default true, we'll enable the authorization on storage handlers by default.
> Authorization is disabled if this config is set to false.
> Background: Previously, whenever a user is trying to create a table based on
> a storage handler, the end user we are seeing in the external storage (Ex:
> hbase, kafka, and druid) is ‘hive’ so we cannot really enforce the condition
> in ranger on the end-user.
> https://issues.apache.org/jira/browse/HIVE-24705 solved this security issue,
> by enforcing a check in Apache ranger for hive service. This patch had
> changes in both hive and ranger. (ranger client depends on hive changes). Now
> the reason why we to make this feature configurable is that users can update
> hive code but not ranger code. In that case, users see a permission denied
> error when executing a statement like: {{CREATE TABLE hive_table_0(key int,
> value string) STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'}}
> but user/admin cannot add a ranger policy in the hive because ranger code is
> not updated. By making this feature configurable, we’ll unblock users from
> creating tables based on storage handlers as they were previously doing.
> Users can turn 'off' this config if they don't have updated the ranger code.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
