hive-issues mailing list archives

From "Lefty Leverenz (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HIVE-15120) Storage based auth: allow option to enforce write checks for external tables
Date Fri, 08 Dec 2017 00:31:02 GMT

    [ https://issues.apache.org/jira/browse/HIVE-15120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16156688#comment-16156688 ]

Lefty Leverenz edited comment on HIVE-15120 at 12/8/17 12:30 AM:
-----------------------------------------------------------------

In the code, the flag, hive.metastore.authorization.storage.check.externaltable.drop, is true by default.
But in the comments, it says "The flag is set to false by default to maintain backward compatibility."
Comments/doc or the flag default value should be modified.

Edit 07/Dec/17:  Just a typo fix (flay -> flag) but also a +1 for fixing the parameter
description.


was (Author: yuan_zac):
In the code, the flag, hive.metastore.authorization.storage.check.externaltable.drop, is true by default.
But in the comments, it says "The flag is set to false by default to maintain backward compatibility."
Comments/doc or the flay default value should be modified.

> Storage based auth: allow option to enforce write checks for external tables
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-15120
>                 URL: https://issues.apache.org/jira/browse/HIVE-15120
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Thejas M Nair
>            Assignee: Daniel Dai
>              Labels: TODOC1.3, TODOC2.2
>             Fix For: 1.3.0, 2.2.0
>
>         Attachments: HIVE-15120.1.patch, HIVE-15120.2.patch, HIVE-15120.3.patch, HIVE-15120.4.patch
>
>
> Under storage based authorization, we don't require write permissions on table directory for external table create/drop.
> This is because external table contents are populated often from outside of hive and are not written into from hive. So write access is not needed. Also, we can't require write permissions to drop a table if we don't require them for creation (users who created them should be able to drop them).
> However, this difference in behavior of external tables is not well documented. So users get surprised to learn that drop table can be done by just any user who has read access to the directory. At that point changing the large number of scripts that use external tables is hard.
> It would be good to have a user config option to have external tables to be treated same as managed tables.
> The option should be off by default, so that the behavior is backward compatible by default.


