Yes i am using HiveServer2, but we haven't enabled SqlStdAuth yet. Are you saying with SqlStdAuth enabled, impersonation with doAs is not required because Hive will do the right thing with table ownership, auditing etc, i.e. run the command as the logged on user?
On Thu, Dec 4, 2014 at 6:32 PM, Gopal V <gop...@apache.org> wrote: > > On 12/3/14, 3:34 PM, Pala M Muthaia wrote: > >> I didn't know doAs needs to be turned off. But I don't think that is >> something to give up - users create tables, manage data, query etc, and we >> need the queries/jobs to run as the user who submitted them for various >> purposes including authorization, auditing, table ownership etc. >> > > Not sure if you're trying to use HiveServer2 with ACL'd tables. > > https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+ > Authorization#SQLStandardBasedHiveAuthorization-Configuration > > clearly indicates that to fully secure a HiveServer2 install for role > based authorization, doAs has to be turned off for the query execution. > > doAs=false is required for authorization, auditing and table ownership to > work correctly. > > Cheers, > Gopal >
