Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-5837

SQL standard based secure authorization for hive

    Details

      Description

      The current default authorization is incomplete and not secure. The alternative of storage based authorization provides security but does not provide fine grained authorization.

      The proposal is to support secure fine grained authorization in hive using SQL standard based authorization model.

        Attachments

          Issue Links

          1.
          SQL std auth - parser changes Sub-task Resolved Thejas M Nair

          100%

          Original Estimate - 96h Original Estimate - 96h
          Time Spent - 168h
          2.
          Add a hive authorization plugin api that does not assume privileges needed Sub-task Resolved Thejas M Nair

          100%

          Original Estimate - 120h
          Time Spent - 6h Time Not Required
          3.
          SQL std auth - Access control statement updates Sub-task Resolved Thejas M Nair

          16%

          Original Estimate - 48h
          Time Spent - 1.6h Remaining Estimate - 8h Time Not Required
          4.
          SQL std auth - implement set roles, show current roles Sub-task Resolved Ashutosh Chauhan

          0%

          Original Estimate - 36h
          Remaining Estimate - 36h
          5.
          SQL std auth - add metastore get_principals_in_role api, support SHOW PRINCIPALS role_name Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          6.
          SQL std auth - add list_all_roles to metastore api Sub-task Resolved Unassigned

          100%

          Original Estimate - 24h
          Time Spent - 1h Time Not Required
          7.
          SQL std auth - get_privilege_set should check role hierarchy Sub-task Resolved Unassigned

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          8.
          SQL std auth - add support to metastore api to list all privileges for a user Sub-task Resolved Unassigned

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          9.
          SQL std auth - support,authorize new 'show grant..' statements Sub-task Resolved Unassigned

          0%

          Original Estimate - 36h
          Remaining Estimate - 36h
          10.
          SQL std auth - support 'show roles' Sub-task Resolved Navis

          100%

          Original Estimate - 24h
          Time Spent - 24h
          11.
          SQL std auth - support DESCRIBE ROLE Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          12.
          SQL std auth - authorize DESCRIBE ROLE role Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 12h
          Remaining Estimate - 12h
          13.
          SQL std auth - authorize show all roles, create role, drop role Sub-task Resolved Ashutosh Chauhan

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          14.
          SQL std auth - authorize grant/revoke roles Sub-task Resolved Ashutosh Chauhan

          0%

          Original Estimate - 48h
          Remaining Estimate - 48h
          15.
          SQL std auth - authorize grant/revoke on table Sub-task Resolved Thejas M Nair

          100%

          Original Estimate - 120h Original Estimate - 120h
          Time Spent - 144h
          16.
          SQL std auth - metastore api support for get_privilege_set api that checks specific role Sub-task Resolved Unassigned

          100%

          Original Estimate - 48h
          Time Spent - 24h Time Not Required
          17.
          SQL std auth - authorize statements that work with paths Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 72h
          Remaining Estimate - 72h
          18.
          SQL std auth - bootstrap SUPERUSER roles Sub-task Resolved Ashutosh Chauhan

          100%

          Original Estimate - 72h
          Time Spent - 24h Time Not Required
          19.
          SQL std auth - special handling of PUBLIC role Sub-task Resolved Ashutosh Chauhan

          100%

          Original Estimate - 24h
          Time Spent - 24h
          20.
          SQL std auth - authorize create database Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 48h
          Remaining Estimate - 48h
          21.
          sql standard auth should disable commands that impose security risk Sub-task Resolved Ashutosh Chauhan

          0%

          Original Estimate - 72h
          Remaining Estimate - 72h
          22.
          SQL std auth - support granted-by in grant statements Sub-task Resolved Unassigned

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          23.
          SQL std auth - support new privileges INSERT, DELETE Sub-task Resolved Thejas M Nair

          100%

          Original Estimate - 12h
          Time Spent - 9h Time Not Required
          24.
          SQL std auth - make role/user optional in grant/revoke statements Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          25.
          support grant/revoke on views - parser changes Sub-task Resolved Ashutosh Chauhan

          100%

          Original Estimate - 24h
          Time Spent - 24h
          26.
          sql std auth - authorize 'show roles' Sub-task Resolved Ashutosh Chauhan

          0%

          Original Estimate - 12h
          Remaining Estimate - 12h
          27.
          sql std auth - view authorization should not underlying table. More tests and fixes. Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          28.
          sql std auth - support 'with admin option' in revoke role metastore api Sub-task Closed Jason Dere

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          29.
          sql std auth - revoke role should support sql standard syntax for admin option Sub-task Resolved Unassigned

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          30.
          sql standard auth - use admin option specified in grant/revoke role statement Sub-task Resolved Ashutosh Chauhan

          0%

          Original Estimate - 12h
          Remaining Estimate - 12h
          31.
          sql std auth - disallow cycles between roles Sub-task Resolved Thejas M Nair

          100%

          Original Estimate - 24h
          Time Spent - 24h
          32.
          sql std auth - pass username from sessionstate to v2 authorization interface Sub-task Resolved Thejas M Nair

          100%

          Original Estimate - 24h
          Time Spent - 24h
          33.
          sql std auth - document configuration necessary for security Sub-task Resolved Thejas M Nair

          0%

          Original Estimate - 12h
          Remaining Estimate - 12h
          34.
          sql std auth - revoke privileges api in metastore should check grantor user Sub-task Resolved Unassigned

          0%

          Original Estimate - 24h
          Remaining Estimate - 24h
          35.
          sql std auth - database should have an owner Sub-task Resolved Ashutosh Chauhan  
          36.
          Test authorization_revoke_table_priv.q is failing on trunk Sub-task Resolved Thejas M Nair  
          37.
          Disallow transform clause in sql std authorization mode Sub-task Resolved Ashutosh Chauhan  
          38.
          sql std auth - new users in admin role config should get added Sub-task Resolved Ashutosh Chauhan  
          39.
          SQL std auth - revert change for view keyword in grant statement Sub-task Resolved Thejas M Nair  
          40.
          SQL std auth - allow grant/revoke roles if user has ADMIN OPTION Sub-task Resolved Ashutosh Chauhan  
          41.
          Restrict function create/drop to admin roles Sub-task Resolved Jason Dere  
          42.
          sql std auth - add command to change owner of database Sub-task Resolved Thejas M Nair  
          43.
          SQL std auth - only db owner should be allowed to create table within a db Sub-task Resolved Ashutosh Chauhan  
          44.
          SQL std auth - pass username from hiveserver2 to sessionstate Sub-task Resolved Thejas M Nair  
          45.
          "show grant ... on all" fails with NPE Sub-task Resolved Thejas M Nair  
          46.
          sql std auth - show grant statement for all principals throws NPE Sub-task Resolved Thejas M Nair  
          47.
          Revoke privilege should support revoking of grant option Sub-task Closed Jason Dere  

            Activity

              People

              • Assignee:
                thejas Thejas M Nair
                Reporter:
                thejas Thejas M Nair
              • Votes:
                0 Vote for this issue
                Watchers:
                27 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 1,284h
                  1,284h
                  Remaining:
                  Time Spent - 497.6h Remaining Estimate - 632h
                  632h
                  Logged:
                  Time Spent - 497.6h Remaining Estimate - 632h Time Not Required
                  497.6h