ambari-dev mailing list archives

From "Gaurav Nagar" <gna...@hortonworks.com>
Subject Re: Review Request 41739: Hive views does not honour auth_to_local rules when running queries
Date Tue, 12 Jan 2016 04:28:55 GMT


> On Jan. 11, 2016, 7:19 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java, line 233
> > <https://reviews.apache.org/r/41739/diff/2/?file=1177237#file1177237line233>
> >
> >     This seems to be problematic. I think in the simple case, the default realm will work... since there will only be a single realm involved. However in more complex cases, there may be multiple realms involved... say where Ambari uses an MIT KDC for managed (service) identities and an Active Directory for unmanaged (user) identities. In this case, I suspect that the default realm will be the realm managed by the MIT KDC.
> >
> >     Given the use-case that generated the issue that led to this patch, I assume that the relevant realm would be the realm managed by the Active Directory, not the MIT KDC.
> >
> >     Maybe you need more details on the logged in user to make the determination of what their realm is. Else, maybe you need to get the list of relevant realms and try each - hoping there isn't a collision.

If the user realm is different from that of Ambari, then it will not work.
When we talked to Selva about the fix, he suggested taking the default realm as a first step.
He also suggested adding a realm field to the user, getting it populated from LDAP, and using it to get the full username.


- Gaurav


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41739/#review113819
-----------------------------------------------------------


On Dec. 29, 2015, 9:28 a.m., Gaurav Nagar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41739/
> -----------------------------------------------------------
> 
> (Updated Dec. 29, 2015, 9:28 a.m.)
> 
> 
> Review request for Ambari, DIPAYAN BHOWMICK, Srimanth Gunturi, Sid Wagle, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-14503
>     https://issues.apache.org/jira/browse/AMBARI-14503
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Changed getUsername call to return name with auth_to_local conversion in ViewContextImpl.
> Added getLoggedinUser to return the logged-in Ambari user.
> 
> 
> Diffs
> -----
> 
>   ambari-server/pom.xml b5a9d49
>   ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java a22c514
>   ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java c0cae80
>   contrib/views/files/src/main/resources/view.xml 58a7682 
>   contrib/views/hive/src/main/resources/view.xml e04ed4b 
>   contrib/views/pig/src/main/resources/view.xml 30efae8 
>   contrib/views/tez/src/main/resources/view.xml d1ad5ad 
> 
> Diff: https://reviews.apache.org/r/41739/diff/
> 
> 
> Testing
> -------
> 
> Manual Testing.
> 
> 
> Thanks,
> 
> Gaurav Nagar
> 
>
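
The multi-realm concern discussed in this thread, as an added example that is not part of the original messages or of the Ambari patch: a simplified evaluator for Hadoop-style auth_to_local rules showing that the same short name maps to a different local user depending on which realm is attached before the rules run. The realm names, the rule set, the user `jdoe` and all function names are constructed assumptions, and the evaluator covers only the `RULE:[n:format](filter)s/pattern/replacement/` and `DEFAULT` forms.

```python
import re

# Simplified evaluator for Hadoop-style auth_to_local rules (assumption: only
# RULE:[n:fmt](filter)s/pat/repl/ and DEFAULT; no /L flag, no $n in repl).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def apply_rules(principal, rules, default_realm):
    """Map 'name[/instance]@REALM' to a local user; the first matching rule wins."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only accepts principals from the default realm.
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, flt, pat, repl, glob = m.groups()
        if int(count) != len(components):
            continue
        parts = [realm] + components          # $0 = realm, $1.. = components
        base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
        if flt is not None and not re.fullmatch(flt, base):
            continue
        if pat is None:
            return base
        return re.sub(pat, repl, base, count=0 if glob else 1)
    raise LookupError("no auth_to_local rule applies to " + principal)

# Constructed two-realm setup: the MIT KDC realm is the default, users live in AD.
DEFAULT_REALM = "HADOOP.EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*/_ad/",
    "DEFAULT",
]

def local_user_assuming_default_realm(short_name):
    # Models "take the default realm as a first step".
    return apply_rules(short_name + "@" + DEFAULT_REALM, RULES, DEFAULT_REALM)

def local_user_with_stored_realm(short_name, realm):
    # Models a per-user realm field (e.g. populated from LDAP).
    return apply_rules(short_name + "@" + realm, RULES, DEFAULT_REALM)

if __name__ == "__main__":
    print(local_user_assuming_default_realm("jdoe"))               # DEFAULT rule
    print(local_user_with_stored_realm("jdoe", "AD.EXAMPLE.COM"))  # AD rule
```

A principal from a realm that no rule covers raises `LookupError` rather than falling back to the short name, so an unmapped realm fails closed in this sketch.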

