ambari-issues mailing list archives

From "Anita Gnanamalar Jebaraj (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-20760) After pam setup- Hive View user home test fails
Date Thu, 13 Apr 2017 18:00:45 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-20760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anita Gnanamalar Jebaraj updated AMBARI-20760:
----------------------------------------------
    Description: 
After setting up PAM, tried to log in as a PAM user and access the Hive view; the user home
test fails with the error shown in the screenshot.

This issue was pointed out by [~hkropp] in the jira AMBARI-12263, but was not incorporated
in the code. Pasting the comment from Henning below.

Something we noticed is that in a secured cluster we have issues with the views, getting the
following exception for the Hive view as an example:

Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed
to validate proxy privilege of ambari for org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32,

.....
sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of ambari for
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119),
serverProtocolVersion:null)

As you can see, it tries to impersonate "org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32".
Changing the UsernamePasswordAuthenticationToken from Principal to username fixes this.

So instead of :

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal,
null, userAuthorities);

We use:

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserName(),
null, userAuthorities);

What could potentially also work is overriding toString of the principal, like:

Principal principal = new Principal() {
    @Override
    public String getName() {
        return user.getUserName();
    }

    @Override
    public String toString() {
        return user.getUserName().toString();
    }
};

We did not test this!

As a little side note, I noticed you are using String concatenation in your error logging
like this: LOG.error("Message" + ex.getMessage()). I think the public void error(String msg,
Throwable t); interface would be preferable in such scenarios, so: LOG.error("Message", ex)



> After pam setup- Hive View user home test fails
> -----------------------------------------------
>
>                 Key: AMBARI-20760
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20760
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Anita Gnanamalar Jebaraj
>            Assignee: Anita Gnanamalar Jebaraj
>         Attachments: error.PNG
>
>



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
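
Added example (not part of the original message and not Ambari's code): a plain-JDK illustration of why an anonymous Principal without a toString() override ends up as a name of the form "...AmbariPamAuthenticationProvider$1@34511119" when a consumer stringifies it, and of a name resolver that refuses to fall back to Object.toString(). The class PrincipalNameDemo, the helper resolveUserName and the user "alice" are hypothetical.

```java
import java.security.Principal;

// Added illustration; PrincipalNameDemo, resolveUserName and "alice" are hypothetical.
public class PrincipalNameDemo {

    // Anonymous Principal with getName() only, like the principal in the "instead of" snippet.
    static Principal anonymousPrincipal(final String userName) {
        return new Principal() {
            @Override
            public String getName() {
                return userName;
            }
        };
    }

    // Resolve the name that is handed to a downstream service (for example as the
    // user to impersonate). Unknown principal types are an error, never stringified.
    static String resolveUserName(Object principal) {
        String name;
        if (principal instanceof Principal) {
            name = ((Principal) principal).getName();
        } else if (principal instanceof String) {
            name = (String) principal;
        } else {
            throw new IllegalArgumentException("unsupported principal type: "
                    + (principal == null ? "null" : principal.getClass().getName()));
        }
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("principal has no user name");
        }
        return name;
    }

    public static void main(String[] args) {
        Principal p = anonymousPrincipal("alice"); // constructed sample user

        // Object.toString() is inherited here, so this is EnclosingClass$N@hexHash,
        // the same shape as the impersonation target in the Hive error.
        System.out.println("String.valueOf(principal)  = " + String.valueOf(p));

        // Both principal shapes from the message resolve to the plain user name.
        System.out.println("resolveUserName(principal) = " + resolveUserName(p));
        System.out.println("resolveUserName(\"alice\")   = " + resolveUserName("alice"));
    }
}
```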
