[
https://issues.apache.org/jira/browse/HIVE-28739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HIVE-28739:
----------------------------------
Labels: pull-request-available (was: )
> support restricting users to create deferred view
> -------------------------------------------------
>
> Key: HIVE-28739
> URL: https://issues.apache.org/jira/browse/HIVE-28739
> Project: Hive
> Issue Type: New Feature
> Components: Authorization
> Reporter: YUBI LEE
> Assignee: YUBI LEE
> Priority: Minor
> Labels: pull-request-available
>
> In our environment, we use Impala with HiveMetastore. Since "impala" user is
> a proxy user, if I create a view through Impala, it will create a view, not a
> deferred view. (impala doesn't have impersonation support)
> In our policy, we want to force users to create deferred view if there is no
> special reason not to create deferred view in order to follow permissions of
> source tables.
> So I tried to exclude "impala" user from proxy user, there is some bottle
> neck and the change even causes impala cluster hang. I guess that with
> HiveMetastoreAuthorizer, impala cannot skip authorization if I exclude
> "impala" user from proxy user.
> Also, on impala side, Ranger authorization is already applied. It is
> meaningless because the same hive policy applied already on impala side.
> Therefore, I gave up to exclude "impala" user from proxy user.
> As a result, I suggest a new configuration
> "metastore.users.restricted_to_deferred_view" to support a feature that makes
> some of proxyusers to be forced to create deferred view.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
