I assume when you say thrift interface, you mean a separate metastore process running. If so,
>> Do i understand it correctly that in the thrift interface does provide a way to communicate the identity but in unsecured mode it is not being used? Yes. Better way to say this is identity is communicated only in case of secure mode. >> And does this mean that if i care about seeing the correct user execute the query in the logs, i have to use secure hadoop (with Kerberos)? Yes. Though, technically it is possible to achieve this even without secure hadoop, its not the case currently mainly because logging identities in unsecure environment is anyway useless since one can easily impersonate another and whole point of logging is lost then. >> Does secure mode suport hive JDBC? I am not sure about this. Do you mean users and their roles as they exist in hive metastore and if you make a jdbc connection using credentials stored in it? By the way, I am still confused about user "thrift". Is there any process run by user "thrift" Hope it helps, Ashutosh On Tue, Sep 6, 2011 at 09:09, Koert Kuipers <ko...@tresata.com> wrote: > The metastore is running as user "hive", and we are indeed running > unsecured mode. > Do i understand it correctly that in the thrift interface does provide a > way to communicate the identity but in unsecured mode it is not being used? > And does this mean that if i care about seeing the correct user execute the > query in the logs, i have to use secure hadoop (with Kerberos)? > Does secure mode suport hive JDBC? > Thanks! Koert > > > On Tue, Sep 6, 2011 at 11:47 AM, Ashutosh Chauhan <hashut...@apache.org>wrote: > >> Hey Koert, >> >> I am assuming 'thrift' is the name of user through which thrift metastore >> is running. I also assume you are running in unsecure mode. If you run with >> security turned on, meaning secure hadoop cluster with secure thrift server, >> you will see the name of the original user. This is so because in secure >> mode, metastore server proxies the original user through doAs() which >> preserves the identity which is not the case in unsecure mode. >> Through hive client you see the usernames correctly even In unsecure mode >> because its a hive client process (which is run as koert) which does the >> filesystem operations. >> >> Hope it helps, >> Ashutosh >> >> >> On Tue, Sep 6, 2011 at 08:22, Koert Kuipers <ko...@tresata.com> wrote: >> >>> When i run a query from the hive command line client i can see that it is >>> being run as me (for example, in HDFS log i see INFO >>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit: ugi=koert). >>> >>> But when i do anything with the thrift interface my username is lost (i >>> see ugi=thrift in HDFS logs). Is there a way in the thrift interface to >>> communicate/preserve the username? >>> And if this is possible in thrift, then what about jdbc? i tried creating >>> a jdbc connection with username and password passed in but as far as i can >>> see it is ignored (ugi=thrift again in the HDFS logs). >>> >>> >> >
