[
https://issues.apache.org/jira/browse/HIVE-13360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15231417#comment-15231417
]
Thejas M Nair commented on HIVE-13360:
--------------------------------------
Regarding the change to move ip address from the query context object
(HiveAuthzContext/QueryContext) to HiveAuthenticationProvider. I don't think
that is the right place for it.
In HS2 HTTP mode, when proxies and knox servers are between end user and HS2 ,
every request for single session does not have to come via a single IP address.
Current assumption in hive code base is that the IP address is valid for the
entire session. But that is more of a bug.
Also, HIVE-12777 provides the ability to serialize the sessionhandle
(equivalent to a jdbc connection identifier) and restore the session from that.
The restoration could in theory happen from another machine with different IP
address.
Considering this, the correct longer term place for passing the IP address to
authorization plugins is using HiveAuthzContext/QueryContext.
Also, QueryContext is not the best name for the class as it passed for
metastore api calls as well (HiveAuthorizer.filterListCmdObjects), IMO,
something like "ActionContext" would be more appropriate.
However, I don't think its worth changing the name at the cost of changing the
API.
> Refactoring Hive Authorization
> ------------------------------
>
> Key: HIVE-13360
> URL: https://issues.apache.org/jira/browse/HIVE-13360
> Project: Hive
> Issue Type: Sub-task
> Components: Security
> Affects Versions: 2.0.0
> Reporter: Pengcheng Xiong
> Assignee: Pengcheng Xiong
> Fix For: 2.1.0
>
> Attachments: HIVE-13360.01.patch, HIVE-13360.02.patch,
> HIVE-13360.03.patch, HIVE-13360.04.patch, HIVE-13360.final.patch
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
