// The interface used by the DDLTasks for access control statements, and for
// the authorization call from Driver.doAuthorization()
interface HiveAuthorizer {
  grantPrivileges(..);
  revokePrivileges(..);
  grantRole(..);
  revokeRole(..);
  showAllRoles(..);
  showRolesForUser(..);
  // other access control functions

  validateAuthority(HiveAction, inputs, outputs);
}

class HiveAuthorizerImpl implements HiveAuthorizer {
  HiveAccessController accessController;
  HiveAuthValidator authValidator;

  HiveAuthorizerImpl(HiveAccessController accessController, HiveAuthValidator authValidator) {
    this.accessController = accessController;
    this.authValidator = authValidator;
  }

  void grantPrivileges() {
    // delegate to the injected access controller instance
    accessController.grantPrivileges();
  }
  // other access control functions

  void validateAuthority(HiveAction, inputs, outputs) {
    authValidator.validateAuthority(HiveAction, inputs, outputs);
  }
}

interface HiveAccessController {
  grantPrivileges();
  revokePrivileges();
  grantRole();
  revokeRole();
  showAllRoles();
  // other access control functions
}

interface HiveAuthValidator {
  validateAuthority();
}

interface HiveAuthorizerFactory {
  HiveAuthorizer createHiveAuthorizer(Hive db, HiveConf conf);
}

// The default factory creates the default implementation, which provides
// SQL standard based access control
class DefaultHiveAuthorizerFactory implements HiveAuthorizerFactory {
  HiveAuthorizer createHiveAuthorizer(Hive db, HiveConf conf) {
    return new HiveAuthorizerImpl(new DefaultHiveAccessController(db, conf),
                                  new DefaultHiveAuthValidator(db, conf));
  }
}

=============================

In HiveConf.java, HIVE_METASTORE_AUTHORIZATION_MANAGER would be set to DefaultHiveAuthorizerFactory for SQL standard authorization. Whether the new or the old interface code path is used can then be decided from the interface that the class referenced by HIVE_METASTORE_AUTHORIZATION_MANAGER implements.
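
The dispatch described in the last paragraph, written out as an added example; it is not Hive's own code. The reduced stand-in interfaces, the Map used in place of HiveConf, and the names LegacyAuthorizationProvider, OldProvider and selectPath are assumptions made so that it compiles on its own.

```java
import java.util.Map;

public class AuthorizerDispatch {
    // Stand-ins for the sketch's types; Map stands in for HiveConf (assumption).
    interface HiveAuthorizer { void validateAuthority(String action); }
    interface HiveAuthorizerFactory { HiveAuthorizer createHiveAuthorizer(Map<String, String> conf); }
    // Hypothetical name for the old-style plugin interface (the page does not name it).
    interface LegacyAuthorizationProvider { void authorize(String action); }

    public static class DefaultHiveAuthorizerFactory implements HiveAuthorizerFactory {
        public HiveAuthorizer createHiveAuthorizer(Map<String, String> conf) {
            return action -> System.out.println("new path validated " + action);
        }
    }
    public static class OldProvider implements LegacyAuthorizationProvider {
        public void authorize(String action) { System.out.println("old path authorized " + action); }
    }

    enum Path { NEW_INTERFACE, OLD_INTERFACE }

    // Pick the code path from the interface the configured class implements.
    // A class that cannot be loaded, or implements neither interface, is rejected
    // so that a mistyped setting never leaves statements unauthorized.
    static Path selectPath(String className) {
        final Class<?> cls;
        try {
            cls = Class.forName(className);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("authorization manager not found: " + className, e);
        }
        if (HiveAuthorizerFactory.class.isAssignableFrom(cls)) return Path.NEW_INTERFACE;
        if (LegacyAuthorizationProvider.class.isAssignableFrom(cls)) return Path.OLD_INTERFACE;
        throw new IllegalStateException(className + " implements neither authorization interface");
    }

    public static void main(String[] args) {
        // Constructed sample values for HIVE_METASTORE_AUTHORIZATION_MANAGER.
        String[] configured = { "AuthorizerDispatch$DefaultHiveAuthorizerFactory",
                                "AuthorizerDispatch$OldProvider", "java.lang.String" };
        for (String name : configured) {
            try {
                System.out.println(name + " -> " + selectPath(name));
            } catch (IllegalStateException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```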