From: dsen@apache.org To: commits@ambari.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: AMBARI-5289 HiveServer2 default security configuration changes (dsen) Date: Sun, 6 Apr 2014 21:19:00 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/branch-1.5.1 cf0e428c7 -> 9ef81c618 AMBARI-5289 HiveServer2 default security configuration changes (dsen) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9ef81c61 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9ef81c61 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9ef81c61 Branch: refs/heads/branch-1.5.1 Commit: 9ef81c61887633ec41f96f9bd094b99915930251 Parents: cf0e428 Author: Dmitry Sen Authored: Mon Apr 7 00:11:24 2014 +0300 Committer: Dmitry Sen Committed: Mon Apr 7 00:11:24 2014 +0300 ---------------------------------------------------------------------- .../HIVE/package/files/startHiveserver2.sh | 22 --------------- .../2.0.6/services/HIVE/package/scripts/hive.py | 2 +- .../services/HIVE/package/scripts/params.py | 5 +++- .../package/templates/startHiveserver2.sh.j2 | 29 ++++++++++++++++++++ .../services/HIVE/configuration/hive-site.xml | 9 ++++-- .../stacks/2.0.6/HIVE/test_hive_server.py | 4 +-- 6 files changed, 43 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/9ef81c61/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh deleted file mode 100644 index fa90c2f..0000000 
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh +++ /dev/null @@ -1,22 +0,0 @@ -# -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# -# -HIVE_CONF_DIR=$4 /usr/lib/hive/bin/hiveserver2 -hiveconf hive.metastore.uris=' ' > $1 2> $2 & -echo $!|cat>$3 http://git-wip-us.apache.org/repos/asf/ambari/blob/9ef81c61/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py index 0990530..5430efd 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py 
@@ -81,7 +81,7 @@ def hive(name=None): elif name == 'hiveserver2': File(params.start_hiveserver2_path, mode=0755, - content=StaticFile('startHiveserver2.sh') + content=Template(format('{start_hiveserver2_script}')) ) if name != "client": http://git-wip-us.apache.org/repos/asf/ambari/blob/9ef81c61/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py index 520343b..f5c3ced 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py @@ -75,7 +75,7 @@ hive_pid = status_params.hive_pid hive_database_name = config['configurations']['global']['hive_database_name'] #Starting hiveserver2 -start_hiveserver2_script = 'startHiveserver2.sh' +start_hiveserver2_script = 'startHiveserver2.sh.j2' hadoop_home = '/usr' @@ -170,6 +170,9 @@ tez_local_api_jars = '/usr/lib/tez/tez*.jar' tez_local_lib_jars = '/usr/lib/tez/lib/*.jar' tez_user = config['configurations']['global']['tez_user'] +# Hive security +hive_authorization_enabled = config['configurations']['hive-site']['hive.security.authorization.enabled'] + import functools #create partial functions with common arguments for every HdfsDirectory call #to create hdfs directory we need to call params.HdfsDirectory in code http://git-wip-us.apache.org/repos/asf/ambari/blob/9ef81c61/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 new file mode 100644 index 0000000..5d0fbc7 --- /dev/null +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 
@@ -0,0 +1,29 @@ +# +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# + +HIVE_SERVER2_OPTS=" -hiveconf hive.metastore.uris=\" \" " +{% if hive_authorization_enabled == True and str(hdp_stack_version).startswith('2.1') %} +# HiveServer 2 -hiveconf options +HIVE_SERVER2_OPTS="${HIVE_SERVER2_OPTS} -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory " +{% endif %} + +HIVE_CONF_DIR=$4 /usr/lib/hive/bin/hiveserver2 ${HIVE_SERVER2_OPTS} > $1 2> $2 & +echo $!|cat>$3 http://git-wip-us.apache.org/repos/asf/ambari/blob/9ef81c61/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml index e28a4f2..e1149dd 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml 
+++ b/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml @@ -108,7 +108,7 @@ limitations under the License. hive.security.authorization.enabled - false + true enable or disable the hive client authorization @@ -133,7 +133,7 @@ limitations under the License. hive.server2.enable.doAs - true + false Impersonate the connected user. By default HiveServer2 performs the query processing as the user who submitted the query. But if the parameter is set to false, the query will run as the user that the hiveserver2 process runs as. @@ -471,5 +471,10 @@ limitations under the License. Number of aborted transactions involving a particular table or partition before major compaction is initiated. + + hive.users.in.admin.role + + If user is specified as value of this config, that user has superuser privileges in DB + http://git-wip-us.apache.org/repos/asf/ambari/blob/9ef81c61/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py index 503418b..4336dc9 100644 --- a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py +++ b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py @@ -259,7 +259,7 @@ class TestHiveServer(RMFTestCase): not_if = '[ -f DBConnectionVerification.jar]', ) self.assertResourceCalled('File', '/tmp/start_hiveserver2_script', - content = StaticFile('startHiveserver2.sh'), + content = Template('startHiveserver2.sh.j2'), mode = 0755, ) self.assertResourceCalled('Directory', '/var/run/hive', 
@@ -352,7 +352,7 @@ class TestHiveServer(RMFTestCase): not_if = '[ -f DBConnectionVerification.jar]', ) self.assertResourceCalled('File', '/tmp/start_hiveserver2_script', - content = StaticFile('startHiveserver2.sh'), + content = Template('startHiveserver2.sh.j2'), mode = 0755, ) self.assertResourceCalled('Directory', '/var/run/hive',
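
Review bot: In hive.py (hunk @@ -81,7 +81,7 @@) the File resource for the start script sets only `mode=0755` and `content`, with no owner or group, and the test expectations in this commit show the target path as `/tmp/start_hiveserver2_script`. The rendered script now decides which authorization options HiveServer2 is started with, so I would write it to a directory that only the service account can modify and set an explicit owner on the resource.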
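
Review bot: In params.py (hunk @@ -170,6 +170,9 @@) `hive_authorization_enabled` is read by direct indexing, `config['configurations']['hive-site']['hive.security.authorization.enabled']`, with no default and no type conversion. This params.py sits under HDP/2.0.6 while the changed default lives in the HDP/2.1 hive-site.xml, so a hive-site that lacks the key would raise KeyError when the script is generated, and the raw value reaches the template in whatever type the config dictionary holds. Suggest a lookup with a false default and an explicit conversion to a boolean here, so the template has one well-defined value to test.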
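
Review bot: In startHiveserver2.sh.j2 the guard `{% if hive_authorization_enabled == True and str(hdp_stack_version).startswith('2.1') %}` compares against the Python boolean `True`, while hive-site.xml in this same commit carries the setting as the text `true`. If params.py hands over a string, the condition is never met and the SessionStateUserAuthenticator and SQLStdHiveAuthorizerFactory options are silently left off the command line. The guard also depends on `str` and `hdp_stack_version` being available in the template context, and neither is set up in the hunks shown. Suggest computing a single boolean in params.py (authorization enabled and stack 2.1) and testing only that in the template. Separately, `$1` to `$4` are expanded unquoted in the last two lines (`> $1 2> $2 &` and `cat>$3`); quoting them keeps paths containing spaces from being split.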
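
Review bot: In the HDP/2.1 hive-site.xml, the hunk at @@ -133,7 +133,7 @@ flips `hive.server2.enable.doAs` to `false` unconditionally, but the authorizer that is meant to take over from per-user execution is only added by the start script when its template condition holds. By the property's own description, queries then run as the user that the hiveserver2 process runs as, so whenever the `-hiveconf hive.security.authorization.manager=...` option is not emitted, access control rests on whichever authorization manager is the default. Suggest setting `hive.security.authenticator.manager` and `hive.security.authorization.manager` in this hive-site.xml next to the two changed defaults, or documenting why they have to be command-line only, so these settings cannot drift apart.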
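
Review bot: In the hive-site.xml hunk at @@ -471,5 +471,10 @@ `hive.users.in.admin.role` appears to be added with an empty value, so with `hive.security.authorization.enabled` now defaulting to `true` a fresh install has no user in the admin role. The description ("If user is specified as value of this config, that user has superuser privileges in DB") does not say whether several users may be listed or which account is expected. Suggest stating the expected format, that the operator has to set the value, and that whoever is listed receives superuser privileges.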
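
Review bot: In test_hive_server.py both hunks (@@ -259,7 +259,7 @@ and @@ -352,7 +352,7 @@) only swap `StaticFile('startHiveserver2.sh')` for `Template('startHiveserver2.sh.j2')` in the expected File resource, and nothing asserts the rendered content. Suggest one case that renders the template with authorization enabled on a 2.1 stack and checks that both `-hiveconf hive.security.*` options are present, and one with it disabled that checks they are absent, since that branch is the security-relevant part of this change.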