Details

    • Type: Sub-task Sub-task
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.4
    • Component/s: security
    • Labels:
      None

      Description

      As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

      1. hcat-auth_v1.patch
        63 kB
        Enis Soztutar

        Issue Links

          Activity

          Enis Soztutar created issue -
          Hide
          Enis Soztutar added a comment -

          Attaching initial version of the patch to add storage handler specific authorization provider support as discussed in the parent issue.

          Some of the patch notes:

          • Added a DelegationAuthorizationProvider which delegates to either HDFS authorizationprovider or the storage specific one.
          • HDFSAuthorization provider checks for access level for the given path as discussed in https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design. Simply, if you want to alter/create an object at a specific location, you have to have read/write access to that location. This just extends what is already enforced by AuthUtils.
          • the authorization provider is invoked from the semantic analyzer, but uses the already parsed statement definitions from Hive. Hive invokes the auth provider from Driver.doAuthorization(). However, most of the privileges in HiveOperation are not sufficient, and the fact that dbs, tables and partitions can specify custom locations means that we cannot use pure Hive's enforcement of auth provider implementation.
          • This patch does not yet include the auth provider for secure HBase. I'll do that in the next version. In the meantime, reviews for design are more than welcome.
          • The patch includes extensive unit tests, mostly in CLI, so the expected behavior can be understood from the unit test.
          Show
          Enis Soztutar added a comment - Attaching initial version of the patch to add storage handler specific authorization provider support as discussed in the parent issue. Some of the patch notes: Added a DelegationAuthorizationProvider which delegates to either HDFS authorizationprovider or the storage specific one. HDFSAuthorization provider checks for access level for the given path as discussed in https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design . Simply, if you want to alter/create an object at a specific location, you have to have read/write access to that location. This just extends what is already enforced by AuthUtils. the authorization provider is invoked from the semantic analyzer, but uses the already parsed statement definitions from Hive. Hive invokes the auth provider from Driver.doAuthorization(). However, most of the privileges in HiveOperation are not sufficient, and the fact that dbs, tables and partitions can specify custom locations means that we cannot use pure Hive's enforcement of auth provider implementation. This patch does not yet include the auth provider for secure HBase. I'll do that in the next version. In the meantime, reviews for design are more than welcome. The patch includes extensive unit tests, mostly in CLI, so the expected behavior can be understood from the unit test.
          Enis Soztutar made changes -
          Field Original Value New Value
          Attachment hcat-auth_v1.patch [ 12513101 ]
          Hide
          Ashutosh Chauhan added a comment -

          Can you generate a patch without a/ b/ prefixes? Or, is there a way to tell patch command to ignore them ?

          Show
          Ashutosh Chauhan added a comment - Can you generate a patch without a/ b/ prefixes? Or, is there a way to tell patch command to ignore them ?
          Hide
          Enis Soztutar added a comment -

          The -p argument in patch indicates how many prefix directories should it exclude. So git provided patches can be applied with -p1

          patch -p1 </path/to/patch. 
          
          Show
          Enis Soztutar added a comment - The -p argument in patch indicates how many prefix directories should it exclude. So git provided patches can be applied with -p1 patch -p1 </path/to/patch.
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3778/
          -----------------------------------------------------------

          Review request for Ashutosh Chauhan, Sushanth Sowmyan and enis.

          Summary
          -------

          Attaching initial version of the patch to add storage handler specific authorization provider support as discussed in the parent issue.

          Some of the patch notes:

          Added a DelegationAuthorizationProvider which delegates to either HDFS authorizationprovider or the storage specific one.
          HDFSAuthorization provider checks for access level for the given path as discussed in https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design. Simply, if you want to alter/create an object at a specific location, you have to have read/write access to that location. This just extends what is already enforced by AuthUtils.
          the authorization provider is invoked from the semantic analyzer, but uses the already parsed statement definitions from Hive. Hive invokes the auth provider from Driver.doAuthorization(). However, most of the privileges in HiveOperation are not sufficient, and the fact that dbs, tables and partitions can specify custom locations means that we cannot use pure Hive's enforcement of auth provider implementation.
          This patch does not yet include the auth provider for secure HBase. I'll do that in the next version. In the meantime, reviews for design are more than welcome.
          The patch includes extensive unit tests, mostly in CLI, so the expected behavior can be understood from the unit test.

          This addresses bug HCATALOG-245.
          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs


          trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 1241601
          trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 1241601
          trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION
          trunk/src/java/org/apache/hcatalog/common/AuthUtils.java 1241601
          trunk/src/java/org/apache/hcatalog/security/DelegationAuthorizationProvider.java PRE-CREATION
          trunk/src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION
          trunk/src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3778/diff

          Testing
          -------

          Thanks,

          Alan

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3778/ ----------------------------------------------------------- Review request for Ashutosh Chauhan, Sushanth Sowmyan and enis. Summary ------- Attaching initial version of the patch to add storage handler specific authorization provider support as discussed in the parent issue. Some of the patch notes: Added a DelegationAuthorizationProvider which delegates to either HDFS authorizationprovider or the storage specific one. HDFSAuthorization provider checks for access level for the given path as discussed in https://cwiki.apache.org/confluence/display/HCATALOG/Hcat+Security+Design . Simply, if you want to alter/create an object at a specific location, you have to have read/write access to that location. This just extends what is already enforced by AuthUtils. the authorization provider is invoked from the semantic analyzer, but uses the already parsed statement definitions from Hive. Hive invokes the auth provider from Driver.doAuthorization(). However, most of the privileges in HiveOperation are not sufficient, and the fact that dbs, tables and partitions can specify custom locations means that we cannot use pure Hive's enforcement of auth provider implementation. This patch does not yet include the auth provider for secure HBase. I'll do that in the next version. In the meantime, reviews for design are more than welcome. The patch includes extensive unit tests, mostly in CLI, so the expected behavior can be understood from the unit test. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 1241601 trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 1241601 trunk/src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION trunk/src/java/org/apache/hcatalog/common/AuthUtils.java 1241601 trunk/src/java/org/apache/hcatalog/security/DelegationAuthorizationProvider.java PRE-CREATION trunk/src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION trunk/src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3778/diff Testing ------- Thanks, Alan
          Hide
          Alan Gates added a comment -

          However, most of the privileges in HiveOperation are not sufficient, and the fact that dbs, tables and partitions can specify custom locations means that we cannot use pure Hive's enforcement of auth provider implementation.

          I don't follow. You are saying that we still need to do the checks in HCatSemanticAnalyzer and cannot simply rely on Hive's checks, correct? Hence your patch has HCatSemanticAnalyzer still doing many checks. But this means HCat security is not simply a different implementation of Hive security, which was one of the goals here. What information is missing? HiveAuthorizationProvider.authorize is passed the database or table object, which includes the location information.

          Show
          Alan Gates added a comment - However, most of the privileges in HiveOperation are not sufficient, and the fact that dbs, tables and partitions can specify custom locations means that we cannot use pure Hive's enforcement of auth provider implementation. I don't follow. You are saying that we still need to do the checks in HCatSemanticAnalyzer and cannot simply rely on Hive's checks, correct? Hence your patch has HCatSemanticAnalyzer still doing many checks. But this means HCat security is not simply a different implementation of Hive security, which was one of the goals here. What information is missing? HiveAuthorizationProvider.authorize is passed the database or table object, which includes the location information.
          Hide
          Enis Soztutar added a comment -

          There are a couple of things missing in Hive's auth.

          • The auth calls for CREATE operations are not called with the target object. For example, CREATE TABLE calls authorize(db,..), but not (table, ...). This prevents the location checks to be done on the table.
          • ALTER TABlE or PARTITION statements for changing the table's location does not very well fit into the interface. In the patch, for alter table location statements, we check for write access for both the old table location and new table location.
          • Database operations are not associated with required privileges in HiveOperation. This means Hive itself does not check any authorization for db operations.

          Having said that, these can be fixed in Hive, but it will take some time, since the changes should also not effect the current Hive's auth implementation. I would suggest going with this patch, and opening another one for backporting the Delegation,hdfs and HBase auth provides to Hive. WDYT?

          Show
          Enis Soztutar added a comment - There are a couple of things missing in Hive's auth. The auth calls for CREATE operations are not called with the target object. For example, CREATE TABLE calls authorize(db,..), but not (table, ...). This prevents the location checks to be done on the table. ALTER TABlE or PARTITION statements for changing the table's location does not very well fit into the interface. In the patch, for alter table location statements, we check for write access for both the old table location and new table location. Database operations are not associated with required privileges in HiveOperation. This means Hive itself does not check any authorization for db operations. Having said that, these can be fixed in Hive, but it will take some time, since the changes should also not effect the current Hive's auth implementation. I would suggest going with this patch, and opening another one for backporting the Delegation,hdfs and HBase auth provides to Hive. WDYT?
          Hide
          Ashutosh Chauhan added a comment -

          This is leading to leaky abstraction. We should enhance AuthProvider interface if its in current form its not sufficient. There are two concerns I have as such in current implementation:

          • We are still doing all the checks in HCatalog Client, so using that interface is not really of much use.
          • It introduces Hive internal Datastructures like DDLTask, DDLWork, CreateTableDesc etc. into HCatalog, which if possible we should avoid to maintain code modularity.
          Show
          Ashutosh Chauhan added a comment - This is leading to leaky abstraction. We should enhance AuthProvider interface if its in current form its not sufficient. There are two concerns I have as such in current implementation: We are still doing all the checks in HCatalog Client, so using that interface is not really of much use. It introduces Hive internal Datastructures like DDLTask, DDLWork, CreateTableDesc etc. into HCatalog, which if possible we should avoid to maintain code modularity.
          Enis Soztutar made changes -
          Link This issue is blocked by HCATALOG-235 [ HCATALOG-235 ]
          Enis Soztutar made changes -
          Link This issue is blocked by HBASE-5371 [ HBASE-5371 ]
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/
          -----------------------------------------------------------

          Review request for hcatalog.

          Summary
          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.
          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs


          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 9d98f50
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION
          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc
          src/java/org/apache/hcatalog/security/DelegationAuthorizationProvider.java PRE-CREATION
          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION
          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION
          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION
          storage-drivers/hbase/src/java/org/apache/hcatalog/hbase/HBaseAuthorizationProvider.java 456bf14
          storage-drivers/hbase/src/java/org/apache/hcatalog/hbase/HBaseHCatStorageHandler.java c9905ce
          storage-drivers/hbase/src/java/org/apache/hcatalog/hbase/ImportSequenceFile.java 10608be
          storage-drivers/hbase/src/test/org/apache/hcatalog/hbase/ManyMiniCluster.java b495df7
          storage-drivers/hbase/src/test/org/apache/hcatalog/hbase/SkeletonHBaseTest.java 4eb6258
          storage-drivers/hbase/src/test/org/apache/hcatalog/hbase/TestHBaseAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing
          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- Review request for hcatalog. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 9d98f50 src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/security/DelegationAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION storage-drivers/hbase/src/java/org/apache/hcatalog/hbase/HBaseAuthorizationProvider.java 456bf14 storage-drivers/hbase/src/java/org/apache/hcatalog/hbase/HBaseHCatStorageHandler.java c9905ce storage-drivers/hbase/src/java/org/apache/hcatalog/hbase/ImportSequenceFile.java 10608be storage-drivers/hbase/src/test/org/apache/hcatalog/hbase/ManyMiniCluster.java b495df7 storage-drivers/hbase/src/test/org/apache/hcatalog/hbase/SkeletonHBaseTest.java 4eb6258 storage-drivers/hbase/src/test/org/apache/hcatalog/hbase/TestHBaseAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          Ashutosh Chauhan added a comment -
          • We should keep code in SemanticAnalyzer to minimum. So, lets make sure we don't do any more checks there then required.
          • There are already operation specific hooks. So, the ones we keep in SemanticAnalyzer should be moved in specific hooks (like CreateTableHook etc.)
          • Lets tease apart HBase part of the patch into separate patch, so that we can commit this one without waiting for all the HBase issues are resolved.
          • We should also file relevant Hive jiras in parallel to keep track of the shortcomings of AuthProvider interface.
          Show
          Ashutosh Chauhan added a comment - We should keep code in SemanticAnalyzer to minimum. So, lets make sure we don't do any more checks there then required. There are already operation specific hooks. So, the ones we keep in SemanticAnalyzer should be moved in specific hooks (like CreateTableHook etc.) Lets tease apart HBase part of the patch into separate patch, so that we can commit this one without waiting for all the HBase issues are resolved. We should also file relevant Hive jiras in parallel to keep track of the shortcomings of AuthProvider interface.
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/
          -----------------------------------------------------------

          (Updated 2012-02-16 01:49:22.772361)

          Review request for hcatalog.

          Changes
          -------

          Incorporated review suggestions by Ashutosh. Changes are:

          • removed the checks that are already satisfied by Hive's Driver.doAuthorization()
          • moved checks for createTable/createDatabase and addPartition to their respective SemanticAnalyzerHooks.
          • broken the patch into two parts hdfs, and hbase. HBase patch will be uploaded in a sub issue
          • renamed DelegationAuthorizationProvider to better named StorageDelegationAuthorizationProvider.
          • added some more tests.

          Summary
          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.
          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs (updated)


          src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION
          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc
          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION
          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION
          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION
          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b
          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION
          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing
          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- (Updated 2012-02-16 01:49:22.772361) Review request for hcatalog. Changes ------- Incorporated review suggestions by Ashutosh. Changes are: removed the checks that are already satisfied by Hive's Driver.doAuthorization() moved checks for createTable/createDatabase and addPartition to their respective SemanticAnalyzerHooks. broken the patch into two parts hdfs, and hbase. HBase patch will be uploaded in a sub issue renamed DelegationAuthorizationProvider to better named StorageDelegationAuthorizationProvider. added some more tests. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs (updated) src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31 src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          Enis Soztutar added a comment -

          i have created a follow up ticket in Hive https://issues.apache.org/jira/browse/HIVE-2809 to possibly port these changes into Hive. It makes more sense if storage handler authorization providers lived in Hive, since this will allow better Hive/Hcat compatibility regarding hcat security.

          Show
          Enis Soztutar added a comment - i have created a follow up ticket in Hive https://issues.apache.org/jira/browse/HIVE-2809 to possibly port these changes into Hive. It makes more sense if storage handler authorization providers lived in Hive, since this will allow better Hive/Hcat compatibility regarding hcat security.
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/
          -----------------------------------------------------------

          (Updated 2012-02-16 22:49:20.178024)

          Review request for hcatalog.

          Changes
          -------

          Rebased the patch.

          Summary
          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.
          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs (updated)


          src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION
          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc
          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION
          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION
          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION
          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b
          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION
          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing
          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- (Updated 2012-02-16 22:49:20.178024) Review request for hcatalog. Changes ------- Rebased the patch. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs (updated) src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31 src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/#review5175
          -----------------------------------------------------------

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
          <https://reviews.apache.org/r/3846/#comment11340>

          We should probably add a comment in here that checks are not done currently for storage-handler based tables.

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java
          <https://reviews.apache.org/r/3846/#comment11331>

          Looks like this switch statement is no longer of any value now. Can this be removed?

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java
          <https://reviews.apache.org/r/3846/#comment11336>

          This could potentially be an issue when table has lots of partitions in it. This will generate many listStatus call on NN in short time. Not sure if there is a way around that though.

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java
          <https://reviews.apache.org/r/3846/#comment11337>

          This needs a comment because Hcat require different kind of privileges then Hive for alter table. We should document what are our checks and where are they diff from Hive's.

          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java
          <https://reviews.apache.org/r/3846/#comment11349>

          Do we need to put class name of this class as a default value in conf/proto-hive-site.xml for authprovider conf value?

          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken
          <https://reviews.apache.org/r/3846/#comment11341>

          Did you rename this file to disable the tests? You can just add name of this file in src/test/excluded-tests to exclude it, instead of renaming it.

          • Ashutosh

          On 2012-02-16 22:49:20, enis wrote:

          -----------------------------------------------------------

          This is an automatically generated e-mail. To reply, visit:

          https://reviews.apache.org/r/3846/

          -----------------------------------------------------------

          (Updated 2012-02-16 22:49:20)

          Review request for hcatalog.

          Summary

          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.

          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs

          -----

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION

          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc

          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION

          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION

          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION

          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b

          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION

          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing

          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/#review5175 ----------------------------------------------------------- src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java < https://reviews.apache.org/r/3846/#comment11340 > We should probably add a comment in here that checks are not done currently for storage-handler based tables. src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java < https://reviews.apache.org/r/3846/#comment11331 > Looks like this switch statement is no longer of any value now. Can this be removed? src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java < https://reviews.apache.org/r/3846/#comment11336 > This could potentially be an issue when table has lots of partitions in it. This will generate many listStatus call on NN in short time. Not sure if there is a way around that though. src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java < https://reviews.apache.org/r/3846/#comment11337 > This needs a comment because Hcat require different kind of privileges then Hive for alter table. We should document what are our checks and where are they diff from Hive's. src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java < https://reviews.apache.org/r/3846/#comment11349 > Do we need to put class name of this class as a default value in conf/proto-hive-site.xml for authprovider conf value? src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken < https://reviews.apache.org/r/3846/#comment11341 > Did you rename this file to disable the tests? You can just add name of this file in src/test/excluded-tests to exclude it, instead of renaming it. Ashutosh On 2012-02-16 22:49:20, enis wrote: ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- (Updated 2012-02-16 22:49:20) Review request for hcatalog. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs ----- src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31 src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          jiraposter@reviews.apache.org added a comment -

          On 2012-02-17 00:55:58, Ashutosh Chauhan wrote:

          > src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java, line 130

          > <https://reviews.apache.org/r/3846/diff/3/?file=75536#file75536line130>

          >

          > Looks like this switch statement is no longer of any value now. Can this be removed?

          The switch serves as to differentiate what is allowed and what is not. The default: case throws an exception.

          On 2012-02-17 00:55:58, Ashutosh Chauhan wrote:

          > src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java, line 43

          > <https://reviews.apache.org/r/3846/diff/3/?file=75540#file75540line43>

          >

          > Do we need to put class name of this class as a default value in conf/proto-hive-site.xml for authprovider conf value?

          There is two conf values:
          hive.security.authorization.enabled and hive.security.authorization.manager. I think we can default the authorization.manager, but I am not sure about defaulting authorization.enabled. If we also default that, then existing code and unit tests will be affected.

          On 2012-02-17 00:55:58, Ashutosh Chauhan wrote:

          > src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken, line 1

          > <https://reviews.apache.org/r/3846/diff/3/?file=75543#file75543line1>

          >

          > Did you rename this file to disable the tests? You can just add name of this file in src/test/excluded-tests to exclude it, instead of renaming it.

          yes indeed. Did not notice we have src/test/excluded-tests. I'll add to that.

          On 2012-02-17 00:55:58, Ashutosh Chauhan wrote:

          > src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java, lines 263-264

          > <https://reviews.apache.org/r/3846/diff/3/?file=75536#file75536line263>

          >

          > This could potentially be an issue when table has lots of partitions in it. This will generate many listStatus call on NN in short time. Not sure if there is a way around that though.

          I guess, we can relax this check to look for table permissions. Agreed on the possible load generated by huge number of partitions.

          • enis

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/#review5175
          -----------------------------------------------------------

          On 2012-02-16 22:49:20, enis wrote:

          -----------------------------------------------------------

          This is an automatically generated e-mail. To reply, visit:

          https://reviews.apache.org/r/3846/

          -----------------------------------------------------------

          (Updated 2012-02-16 22:49:20)

          Review request for hcatalog.

          Summary

          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.

          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs

          -----

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION

          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc

          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION

          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION

          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION

          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b

          src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION

          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing

          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - On 2012-02-17 00:55:58, Ashutosh Chauhan wrote: > src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java, line 130 > < https://reviews.apache.org/r/3846/diff/3/?file=75536#file75536line130 > > > Looks like this switch statement is no longer of any value now. Can this be removed? The switch serves as to differentiate what is allowed and what is not. The default: case throws an exception. On 2012-02-17 00:55:58, Ashutosh Chauhan wrote: > src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java, line 43 > < https://reviews.apache.org/r/3846/diff/3/?file=75540#file75540line43 > > > Do we need to put class name of this class as a default value in conf/proto-hive-site.xml for authprovider conf value? There is two conf values: hive.security.authorization.enabled and hive.security.authorization.manager. I think we can default the authorization.manager, but I am not sure about defaulting authorization.enabled. If we also default that, then existing code and unit tests will be affected. On 2012-02-17 00:55:58, Ashutosh Chauhan wrote: > src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken, line 1 > < https://reviews.apache.org/r/3846/diff/3/?file=75543#file75543line1 > > > Did you rename this file to disable the tests? You can just add name of this file in src/test/excluded-tests to exclude it, instead of renaming it. yes indeed. Did not notice we have src/test/excluded-tests. I'll add to that. On 2012-02-17 00:55:58, Ashutosh Chauhan wrote: > src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java, lines 263-264 > < https://reviews.apache.org/r/3846/diff/3/?file=75536#file75536line263 > > > This could potentially be an issue when table has lots of partitions in it. This will generate many listStatus call on NN in short time. Not sure if there is a way around that though. I guess, we can relax this check to look for table permissions. Agreed on the possible load generated by huge number of partitions. enis ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/#review5175 ----------------------------------------------------------- On 2012-02-16 22:49:20, enis wrote: ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- (Updated 2012-02-16 22:49:20) Review request for hcatalog. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs ----- src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31 src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java 64bde1b src/test/org/apache/hcatalog/cli/TestEximSemanticAnalysis.java.broken PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/
          -----------------------------------------------------------

          (Updated 2012-02-17 02:28:01.590488)

          Review request for hcatalog.

          Changes
          -------

          Updated the patch with review suggestions.

          Summary
          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.
          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs (updated)


          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION
          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e
          conf/proto-hive-site.xml 4251c2a
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31
          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b
          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION
          src/test/excluded-tests 8b13789
          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION
          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing
          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- (Updated 2012-02-17 02:28:01.590488) Review request for hcatalog. Changes ------- Updated the patch with review suggestions. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs (updated) src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e conf/proto-hive-site.xml 4251c2a src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31 src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION src/test/excluded-tests 8b13789 src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          jiraposter@reviews.apache.org added a comment -

          -----------------------------------------------------------
          This is an automatically generated e-mail. To reply, visit:
          https://reviews.apache.org/r/3846/#review5186
          -----------------------------------------------------------

          Ship it!

          +1 Running tests, will commit if tests pass.

          • Ashutosh

          On 2012-02-17 02:28:01, enis wrote:

          -----------------------------------------------------------

          This is an automatically generated e-mail. To reply, visit:

          https://reviews.apache.org/r/3846/

          -----------------------------------------------------------

          (Updated 2012-02-17 02:28:01)

          Review request for hcatalog.

          Summary

          -------

          As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs.

          This addresses bug HCATALOG-245.

          https://issues.apache.org/jira/browse/HCATALOG-245

          Diffs

          -----

          src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION

          src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e

          conf/proto-hive-site.xml 4251c2a

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31

          src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b

          src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION

          src/test/excluded-tests 8b13789

          src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION

          src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION

          Diff: https://reviews.apache.org/r/3846/diff

          Testing

          -------

          Thanks,

          enis

          Show
          jiraposter@reviews.apache.org added a comment - ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/#review5186 ----------------------------------------------------------- Ship it! +1 Running tests, will commit if tests pass. Ashutosh On 2012-02-17 02:28:01, enis wrote: ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/3846/ ----------------------------------------------------------- (Updated 2012-02-17 02:28:01) Review request for hcatalog. Summary ------- As per the design in the parent issue, we will delegate the authorization checks to the storage handler (hdfs is considered as a storage handler as well). This jira will introduce HiveAuthorizationProviders for hbase + hdfs. This addresses bug HCATALOG-245 . https://issues.apache.org/jira/browse/HCATALOG-245 Diffs ----- src/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java PRE-CREATION src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java PRE-CREATION src/java/org/apache/hcatalog/common/AuthUtils.java 7cba8dc src/java/org/apache/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzer.java 8387d8e conf/proto-hive-site.xml 4251c2a src/java/org/apache/hcatalog/cli/SemanticAnalysis/AddPartitionHook.java efbb79a src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateDatabaseHook.java 109de31 src/java/org/apache/hcatalog/cli/SemanticAnalysis/CreateTableHook.java 098a06b src/java/org/apache/hcatalog/security/StorageDelegationAuthorizationProvider.java PRE-CREATION src/test/excluded-tests 8b13789 src/test/org/apache/hcatalog/HcatTestUtils.java PRE-CREATION src/test/org/apache/hcatalog/security/TestHdfsAuthorizationProvider.java PRE-CREATION Diff: https://reviews.apache.org/r/3846/diff Testing ------- Thanks, enis
          Hide
          Ashutosh Chauhan added a comment -

          Committed to trunk. Thanks, Enis!

          Show
          Ashutosh Chauhan added a comment - Committed to trunk. Thanks, Enis!
          Ashutosh Chauhan made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 0.4 [ 12319513 ]
          Resolution Fixed [ 1 ]
          Ashutosh Chauhan made changes -
          Component/s security [ 12315602 ]
          Hide
          Alan Gates added a comment -

          Issue closed with 0.4 release.

          Show
          Alan Gates added a comment - Issue closed with 0.4 release.
          Alan Gates made changes -
          Status Resolved [ 5 ] Closed [ 6 ]

            People

            • Assignee:
              Enis Soztutar
              Reporter:
              Enis Soztutar
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development