  1. Hive
  2. HIVE-1988

Make the delegation token issued by the MetaStore owned by the right user

    Details

    • Hadoop Flags:
      Reviewed

      Description

      The 'owner' of any delegation token issued by the MetaStore is set to the requesting user. When a delegation token is asked for by the user himself during a job submission, this is fine. However, in the case where the token is requested by services (e.g., Oozie) on behalf of the user, the token's owner is set to the user the service is running as. Later on, when the token is used by a MapReduce task, the MetaStore treats the incoming request as coming from Oozie and does operations as Oozie. This means any new directory creations (e.g., create_table) on HDFS by the MetaStore will end up with Oozie as the owner.

      Also, the MetaStore doesn't check whether a user asking for a token on behalf of some other user is actually authorized to act on behalf of that other user. We should start using the ProxyUser authorization in the MetaStore (HADOOP-6510's APIs).
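
The two behaviours described above, as an added sketch that is not Hive or Hadoop code: a simplified Python model of token issuance before and after the proposed change. All function names, the rule table and the group map are constructed for illustration; the rule table is only shaped like Hadoop's hadoop.proxyuser.<service>.groups and .hosts settings.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rules, shaped like hadoop.proxyuser.<service>.groups / .hosts.
PROXY_RULES = {"oozie": {"groups": {"analysts"}, "hosts": {"10.0.0.5"}}}
USER_GROUPS = {"alice": {"analysts"}, "bob": {"finance"}}  # constructed

class AuthorizationError(Exception):
    pass

@dataclass(frozen=True)
class Token:
    owner: str                # identity the MetaStore acts as for this token
    real_user: Optional[str]  # authenticated service that requested it, if any

def issue_token_before(caller, on_behalf_of=None):
    """Reported behaviour: the owner is always the requesting principal."""
    return Token(owner=caller, real_user=None)

def authorize_proxy(service, user, remote_host):
    """Model of a proxy-user check: service, source host and the user's groups."""
    rule = PROXY_RULES.get(service)
    if rule is None:
        raise AuthorizationError(f"{service} may not impersonate anyone")
    if remote_host not in rule["hosts"]:
        raise AuthorizationError(f"{service} may not impersonate from {remote_host}")
    if not USER_GROUPS.get(user, set()) & rule["groups"]:
        raise AuthorizationError(f"{service} may not impersonate {user}")

def issue_token_after(caller, remote_host, on_behalf_of=None):
    """Proposed behaviour: authorize the impersonation, then own the token as the user."""
    if on_behalf_of is None or on_behalf_of == caller:
        return Token(owner=caller, real_user=None)
    authorize_proxy(caller, on_behalf_of, remote_host)
    return Token(owner=on_behalf_of, real_user=caller)

def directory_owner(token):
    """HDFS owner of a directory the MetaStore creates while serving this token."""
    return token.owner

def is_denied(caller, remote_host, on_behalf_of):
    """True when the proxy-user check rejects the token request."""
    try:
        issue_token_after(caller, remote_host, on_behalf_of)
    except AuthorizationError:
        return True
    return False
```
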

        Attachments

        1. hive-1988.patch
          138 kB
          Ashutosh Chauhan
        2. hive-1988-3.patch
          133 kB
          Devaraj Das
        3. hive-1988-5.1.patch
          137 kB
          Devaraj Das

            People

            • Assignee:
              ddas Devaraj Das
              Reporter:
              ddas Devaraj Das