[
https://issues.apache.org/jira/browse/HIVE-13391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15223029#comment-15223029
]
Siddharth Seth commented on HIVE-13391:
---------------------------------------
bq. I actually want to minimize the scope of login from keytab to only the
necessary points. Also current user is set only in doAs, do you want to run all
of init in doAs
Don't really see a problem in doing this. This ofcourse relies on external
access being secured properly.
bq. I actually want to minimize the scope of login from keytab to only the
necessary points. Also current user is set only in doAs, do you want to run all
of init in doAs
It definitely breaks storage based auth. Data will only be accessible if the
hive user has read access.
bq. As for FS, I see. It doesn't use UGI as key, it just iterates thru all the
FSes.
FileSystem.get() - eventually looks up a cache, which uses ugi as part of the
key (the 'Key' class in FileSystem). Both hashCode and equals compare the ugi.
The subject is compared as object equivalence. (return subject ==
((UserGroupInformation) o).subject;)
> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>
> Key: HIVE-13391
> URL: https://issues.apache.org/jira/browse/HIVE-13391
> Project: Hive
> Issue Type: Bug
> Reporter: Sergey Shelukhin
> Assignee: Sergey Shelukhin
> Attachments: HIVE-13391.patch
>
>
> This can be used for non-doAs case to allow access to clients who don't
> propagate HDFS tokens.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
