sentry-commits mailing list archives

From "Dapeng Sun (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-535) Optimize to reduce the call number of permsUpdate
Date Thu, 20 Nov 2014 03:52:34 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14218959#comment-14218959 ]

Dapeng Sun commented on SENTRY-535:
-----------------------------------

Hi Lenni, thank you for your comments.
Yes, it seems that if a user doesn't have permission to access the files of the table, he may not be
able to access any column of the table.
This is a problem: a malicious user may bypass HIVE and SENTRY and use an HDFS client to access the
files directly. I don't think we can solve it on the SENTRY side. Maybe there are two ways to
solve the problem.
One is to disable the feature "queries run as the end user"; it may not be very suitable for
SENTRY-432 (Synchronization of HDFS permissions with Sentry permissions).
{noformat}
<property>
   <name>hive.server2.enable.doAs</name>
   <value>false</value>
</property>
{noformat}
Another is column-level encryption: HIVE-6329, HIVE-7934. These features will help to do the
column-level restriction.

> Optimize to reduce the call number of permsUpdate 
> --------------------------------------------------
>
>                 Key: SENTRY-535
>                 URL: https://issues.apache.org/jira/browse/SENTRY-535
>             Project: Sentry
>          Issue Type: Improvement
>            Reporter: Dapeng Sun
>            Priority: Minor
>
> As discussed in SENTRY-529, the {{SentryHDFSPlugin}} should not really care about the column privileges. It should pick only the table-level privileges and send them to the permsUpdate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
