HIVE-7209: allow metastore authorization api calls to be restricted to certain invokers


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.14.0
    • Component/s: Authentication, Metastore
    • Labels: None
    • Release Note:
      With this change the hive.security.metastore.authorization.manager configuration parameter accepts more than one authorization manager class (comma separated).

      This patch introduces a new authorization manager for use under this configuration, org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly. It denies any authorization API call made through a remote metastore.
      HiveServer2 can be configured to use an embedded metastore, which lets it invoke the metastore authorization API. The Hive CLI and any other remote metastore users are denied authorization when they try to make authorization API calls. This restricts use of the authorization API to the privileged HiveServer2 process.


    Description

      Any user who has direct access to the metastore can make metastore API calls that modify the authorization policy.
      The users who can make direct metastore API calls in a secure cluster configuration are usually 'cluster insiders' such as Pig and MR users, who are not (securely) covered by the metastore based authorization policy. But it makes sense to disallow such access from these users as well.
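      As an added illustration of the deployment the release note and description describe (these fragments are not part of the issue or of the Hive project's own files): the comma separated authorization manager chain goes on the standalone metastore service and on HiveServer2, which runs an embedded metastore, while the Hive CLI and other clients reach the metastore remotely over Thrift and so have their authorization API calls denied. Using StorageBasedAuthorizationProvider as the first manager in the chain and the metastore host name are assumptions made for the example.

```xml
<!-- Added example, not from the issue. Three hive-site.xml fragments. -->

<!-- 1. hive-site.xml of the standalone metastore service -->
<configuration>
  <!-- Comma separated chain: the first manager (assumed here) enforces the
       normal policy; MetaStoreAuthzAPIAuthorizerEmbedOnly denies every
       authorization API call that arrives at this remote metastore. -->
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
  </property>
</configuration>

<!-- 2. hive-site.xml of HiveServer2. An empty hive.metastore.uris means the
     metastore runs embedded in the HiveServer2 process, so its authorization
     API calls are not remote and pass the EmbedOnly check. -->
<configuration>
  <property>
    <name>hive.metastore.uris</name>
    <value></value>
  </property>
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
  </property>
</configuration>

<!-- 3. hive-site.xml of the Hive CLI and other clients (Pig, MR jobs): they
     reach the metastore over Thrift, so their authorization API calls are
     remote and are denied. The host name is a constructed placeholder. -->
<configuration>
  <property>
    <name>hive.metastore.uris</name>
    <value>thrift://metastore-host.example.internal:9083</value>
  </property>
</configuration>
```

Only HiveServer2, with its embedded metastore, can then change the authorization policy; a client that sets hive.metastore.uris to the Thrift address is denied at the metastore regardless of which user it runs as.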

      Attachments

        1. HIVE-7209.1.patch (56 kB, Thejas Nair)
        2. HIVE-7209.2.patch (59 kB, Thejas Nair)
        3. HIVE-7209.3.patch (59 kB, Thejas Nair)
        4. HIVE-7209.4.patch (60 kB, Thejas Nair)


      People

        Assignee: Thejas Nair
        Reporter: Thejas Nair
        Votes: 0
        Watchers: 5
