[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181717#comment-16181717
]
Thejas M Nair commented on HIVE-17606:
--------------------------------------
* Let's secure this out of the box -
hive.metastore.event.db.notification.api.auth=true. I think we can make this
slightly incompatible change in the 3.0.0 release, in the interest of security.
* Can you update the description (this setting could be set in hive-site.xml
also, so the core-site.xml reference is not accurate)? - "If metastore do
authorization against db notification related APIs such as
get_next_notification. If set to true, then only the superusers in proxy user
settings have the permission"
* Can you add a comment to each section of the test case describing what it's
testing?
* It would be better to re-use the code in HiveAuthFactory.verifyProxyAccess
for proxy verification. However, that code is in service package, we might have
to move that to common.
* The opening curly brace "{" is put at the end of the if statement by Hive
coding conventions; this change has it both ways.
> Improve security for DB notification related APIs
> -------------------------------------------------
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
> Reporter: Tao Li
> Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch,
> HIVE-17606.3.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.