Details
-
New Feature
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
hive_plugin_v2
-
None
Description
Currently Sentry grant/revoke privileges via hook DDLTask, and do authorization via HiveSemanticAnalyzerHook. Now hive has a pluggable authorization framework via exposing some interfaces HiveAccessController and HiveAuthorizationValidator. HiveAccessController is used to grant/revoke roles and privileges. HiveAuthorizationValidator is used to do fine-grained authorization.
Advantages to use this framework to grant/revoke privileges and do authorization:
- This framework is very convenient to use by external authorization system.
- Using this framework will be better accepted by community.
- We don't need to take efforts to add so many hooks.
- Some hooks has limitations. e.g. For column level security, we can't get accessed cloumns from query via HiveSemanticAnalyzerHook, so I extend the readEntity to put accessed columns into it(
HIVE-7730). But if we use this framework, we don't need to extend the readEntity, we can just get accessed columns from ColumnAccessInfo directly.
I will not remove the old sentry authorization framework, I will just add a new authorizationV2 via implement Hive authorization framework. If all the e2e tests passed, we can mark the old authorization deprecated.
Attachments
Attachments
Issue Links
- contains
-
SENTRY-924 filterIndexNames should return the whole indexList
- Resolved
- depends upon
-
HIVE-8611 grant/revoke syntax should support additional objects for authorization plugins
- Resolved
-
HIVE-8612 Support metadata result filter hooks
- Resolved
- is blocked by
-
SENTRY-541 Seperate udfuri privilege from anyPrivilege model
- Resolved
-
SENTRY-563 The interface listPrivilegesByRoleName may throw thrift exception if Authorizable is empty
- Resolved
-
SENTRY-591 create table should have output privilege in DB scope
- Resolved
-
SENTRY-594 Alter database should check output privilege instead of input
- Resolved
- links to