[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181717#comment-16181717 ]
Thejas M Nair commented on HIVE-17606:
--------------------------------------

* Let's secure this out of the box - hive.metastore.event.db.notification.api.auth=true. I think we can make this slightly incompatible change in the 3.0.0 release, in the interest of security.
* Can you update the description (this setting could be set in hive-site.xml also, so the core-site.xml reference is not accurate)? - "If metastore do authorization against db notification related APIs such as get_next_notification. If set to true, then only the superusers in proxy user settings have the permission"
* Can you add a comment to each section of the test case describing what it's testing?
* It would be better to re-use the code in HiveAuthFactory.verifyProxyAccess for proxy verification. However, that code is in the service package; we might have to move that to common.
* The opening curly brace "{" is put at the end of the if statement by Hive coding conventions; this change has it both ways.

> Improve security for DB notification related APIs
> -------------------------------------------------
>
>                 Key: HIVE-17606
>                 URL: https://issues.apache.org/jira/browse/HIVE-17606
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore
>            Reporter: Tao Li
>            Assignee: Tao Li
>         Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, HIVE-17606.3.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
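An added example, not code from the patch or from Hive: a small audit that reads a Hadoop-style site file, reports whether hive.metastore.event.db.notification.api.auth is enabled, and flags proxy superusers allowed from any host. It assumes the "proxyuser settings" are Hadoop's hadoop.proxyuser.<user>.hosts keys; the sample XML, host name and user names are constructed.

```python
import xml.etree.ElementTree as ET

AUTH_KEY = "hive.metastore.event.db.notification.api.auth"

# Constructed sample in Hadoop's <configuration> format; not taken from the patch.
SAMPLE_SITE_XML = f"""<configuration>
  <property><name>{AUTH_KEY}</name><value>false</value></property>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>metastore1.example.com</value></property>
  <property><name>hadoop.proxyuser.etl.hosts</name><value>*</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return findings about notification API auth and proxy superusers."""
    findings = []
    auth = props.get(AUTH_KEY)
    if auth is None:
        findings.append(f"{AUTH_KEY} is not set; the release default applies")
    elif auth.lower() != "true":
        findings.append(f"{AUTH_KEY}={auth}: no authorization on db notification APIs")
    for name, value in sorted(props.items()):
        # Assumption: hadoop.proxyuser.<user>.hosts defines where a superuser may connect from
        if name.startswith("hadoop.proxyuser.") and name.endswith(".hosts"):
            user = name[len("hadoop.proxyuser."):-len(".hosts")]
            if value == "*":
                findings.append(f"proxy superuser '{user}' is allowed from any host")
    return findings


if __name__ == "__main__":
    for finding in audit(load_properties(SAMPLE_SITE_XML)):
        print(finding)
```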