hive-issues mailing list archives

From "Siddharth Seth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-13391) add an option to LLAP to use keytab to authenticate to read data
Date Sat, 02 Apr 2016 20:13:25 GMT

    [ https://issues.apache.org/jira/browse/HIVE-13391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15223029#comment-15223029 ]

Siddharth Seth commented on HIVE-13391:
---------------------------------------

bq. I actually want to minimize the scope of login from keytab to only the necessary points. Also current user is set only in doAs, do you want to run all of init in doAs
Don't really see a problem in doing this. This of course relies on external access being secured properly.

bq. I actually want to minimize the scope of login from keytab to only the necessary points. Also current user is set only in doAs, do you want to run all of init in doAs
It definitely breaks storage based auth. Data will only be accessible if the hive user has read access.

bq. As for FS, I see. It doesn't use UGI as key, it just iterates thru all the FSes.
FileSystem.get() - eventually looks up a cache, which uses ugi as part of the key (the 'Key' class in FileSystem). Both hashCode and equals compare the ugi. The subject is compared as object equivalence. (return subject == ((UserGroupInformation) o).subject;)

> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>
>                 Key: HIVE-13391
>                 URL: https://issues.apache.org/jira/browse/HIVE-13391
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13391.patch
>
>
> This can be used for non-doAs case to allow access to clients who don't propagate HDFS tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
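
The FileSystem cache behaviour described in the comment above, as an added example that is not part of the original message or of the Hive or Hadoop code: two UGIs for the same user name carry different Subject objects, so `FileSystem.get()` called under each one resolves to a separate cache entry. Assumptions: hadoop-common is on the classpath, `file:///` is used so it runs without a cluster, `createRemoteUser` stands in for a keytab login (which would need a KDC), and the class name `FsCacheKeyDemo` and user name `hive` are constructed for illustration.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

public class FsCacheKeyDemo {

  // FileSystem.get() builds its cache key from the current user, which
  // inside doAs is the UGI wrapping the Subject that doAs installed.
  static FileSystem fsAs(UserGroupInformation ugi, Configuration conf) throws Exception {
    return ugi.doAs((PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("fs.defaultFS", "file:///"); // local FS, no cluster needed

    // Same user name, but each call creates a UGI around a new Subject.
    UserGroupInformation first = UserGroupInformation.createRemoteUser("hive");
    UserGroupInformation second = UserGroupInformation.createRemoteUser("hive");

    // UGI equality is Subject identity, not user-name equality.
    System.out.println("first.equals(second): " + first.equals(second));

    FileSystem a1 = fsAs(first, conf);
    FileSystem a2 = fsAs(first, conf);  // same Subject: same cache key
    FileSystem b = fsAs(second, conf);  // different Subject: new cache key

    System.out.println("same UGI, same instance:       " + (a1 == a2));
    System.out.println("different UGI, same instance:  " + (a1 == b));

    // Cached instances are held per UGI, so a component that creates a
    // fresh UGI per login should release them when it is done with it.
    FileSystem.closeAllForUGI(first);
    FileSystem.closeAllForUGI(second);
  }
}
```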
