[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181717#comment-16181717 ]

Thejas M Nair commented on HIVE-17606:
--------------------------------------

 * Let's secure this out of the box -
hive.metastore.event.db.notification.api.auth=true. I think we can make this
slightly incompatible change in the 3.0.0 release, in the interest of security.
 * Can you update the description (this setting could be set in hive-site.xml
also, so the core-site.xml reference is not accurate)? - "If metastore do
authorization against db notification related APIs such as
get_next_notification. If set to true, then only the superusers in proxy user
settings have the permission"
 * Can you add a comment to each section of the test case describing what it's
testing?
 * It would be better to re-use the code in HiveAuthFactory.verifyProxyAccess
for proxy verification. However, that code is in the service package, so we might
have to move that to common.
 * The opening curly brace "{" is put at the end of the if statement by Hive
coding conventions; this change has it both ways.


> Improve security for DB notification related APIs
> -------------------------------------------------
>
>                 Key: HIVE-17606
>                 URL: https://issues.apache.org/jira/browse/HIVE-17606
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore
>            Reporter: Tao Li
>            Assignee: Tao Li
>         Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, 
> HIVE-17606.3.patch
>
>
> The purpose is to make sure only the superusers which are specified in the 
> proxyuser settings can make the db notification related API calls, since this 
> is supposed to be called by superuser/admin instead of any end user.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
