Mailing-List: contact commits-help@hive.apache.org; run by ezmlm
Precedence: bulk
Reply-To: hive-dev@hive.apache.org
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: thejas@apache.org
To: commits@hive.apache.org
Message-Id: <087e415d66be496da30646aec00fba34@git.apache.org>
Subject: hive git commit: HIVE-17701 : Added restriction to historic queries
 on web UI (Tao Li via Thejas Nair)
Date: Mon,  9 Oct 2017 05:32:50 +0000 (UTC)
archived-at: Mon, 09 Oct 2017 05:32:53 -0000

Repository: hive
Updated Branches:
  refs/heads/master e46e473ef -> c681726d7


HIVE-17701 : Added restriction to historic queries on web UI (Tao Li via Thejas Nair)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/c681726d
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/c681726d
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/c681726d

Branch: refs/heads/master
Commit: c681726d7961d6f36299a8127b8b7874d54ede9a
Parents: e46e473
Author: Tao LI <tli@hortonworks.com>
Authored: Sun Oct 8 17:03:43 2017 -0700
Committer: Thejas M Nair <thejas@hortonworks.com>
Committed: Sun Oct 8 22:32:47 2017 -0700

----------------------------------------------------------------------
 .../java/org/apache/hive/http/HttpServer.java   | 34 ++++++++++++++++----
 .../hive-webapps/hiveserver2/hiveserver2.jsp    | 16 ++++++++-
 2 files changed, 42 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/c681726d/common/src/java/org/apache/hive/http/HttpServer.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hive/http/HttpServer.java b/common/src/java/org/apache/hive/http/HttpServer.java
index 0624a7e..99af2be 100644
--- a/common/src/java/org/apache/hive/http/HttpServer.java
+++ b/common/src/java/org/apache/hive/http/HttpServer.java
@@ -34,6 +34,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import com.google.common.base.Preconditions;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.math3.util.Pair;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
@@ -250,12 +251,28 @@ public class HttpServer {
   }
 
   /**
+   * Check if the remote user has access to an object (e.g. query history) that belongs to a user
+   *
+   * @param ctx the context containing the admin ACL.
+   * @param request the HTTP request.
+   * @param remoteUser the user that sent out the request.
+   * @param user the user of the object being checked against.
+   * @return true if the remote user is the same as the user or has the admin access
+   * @throws IOException
+   */
+  public static boolean hasAccess(String remoteUser, String user,
+      ServletContext ctx, HttpServletRequest request) throws IOException {
+    return StringUtils.equalsIgnoreCase(remoteUser, user) ||
+        HttpServer.hasAdministratorAccess(ctx, request, null);
+  }
+
+  /**
    * Does the user sending the HttpServletRequest have the administrator ACLs? If
    * it isn't the case, response will be modified to send an error to the user.
    *
    * @param servletContext
    * @param request
-   * @param response used to send the error response if user does not have admin access.
+   * @param response used to send the error response if user does not have admin access (no error if null)
    * @return true if admin-authorized, false otherwise
    * @throws IOException
    */
@@ -269,19 +286,22 @@ public class HttpServer {
         CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
       return true;
     }
-
     String remoteUser = request.getRemoteUser();
     if (remoteUser == null) {
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
-                         "Unauthenticated users are not " +
-                         "authorized to access this page.");
+      if (response != null) {
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+                           "Unauthenticated users are not " +
+                           "authorized to access this page.");
+      }
       return false;
     }
 
     if (servletContext.getAttribute(ADMINS_ACL) != null &&
         !userHasAdministratorAccess(servletContext, remoteUser)) {
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
-          + remoteUser + " is unauthorized to access this page.");
+      if (response != null) {
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
+            + remoteUser + " is unauthorized to access this page.");
+      }
       return false;
     }
 

http://git-wip-us.apache.org/repos/asf/hive/blob/c681726d/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp
----------------------------------------------------------------------
diff --git a/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp b/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp
index c0ece6d..5d82029 100644
--- a/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp
+++ b/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp
@@ -22,6 +22,7 @@
   import="org.apache.hadoop.hive.conf.HiveConf"
   import="org.apache.hadoop.hive.conf.HiveConf.ConfVars"
   import="org.apache.hive.common.util.HiveVersionInfo"
+  import="org.apache.hive.http.HttpServer"
   import="org.apache.hive.service.cli.operation.Operation"
   import="org.apache.hive.service.cli.operation.SQLOperation"
   import="org.apache.hadoop.hive.ql.QueryInfo"
@@ -40,6 +41,7 @@ Configuration conf = (Configuration)ctx.getAttribute("hive.conf");
 long startcode = conf.getLong("startcode", System.currentTimeMillis());
 SessionManager sessionManager =
   (SessionManager)ctx.getAttribute("hive.sm");
+String remoteUser = request.getRemoteUser();
 %>
 
 <!--[if IE]>
@@ -108,7 +110,13 @@ if (sessionManager != null) {
     </tr>
 <%
 Collection<HiveSession> hiveSessions = sessionManager.getSessions();
+int sessionCount = 0;
 for (HiveSession hiveSession: hiveSessions) {
+    // Permission check
+    if (!HttpServer.hasAccess(remoteUser, hiveSession.getUserName(), ctx, request)) {
+        continue;
+    }
+    sessionCount++;
 %>
     <tr>
         <td><%= hiveSession.getUserName() %></td>
@@ -121,7 +129,7 @@ for (HiveSession hiveSession: hiveSessions) {
 }
 %>
 <tr>
-  <td colspan="5">Total number of sessions: <%= hiveSessions.size() %></td>
+  <td colspan="5">Total number of sessions: <%= sessionCount %></td>
 </tr>
 </table>
 </section>
@@ -143,6 +151,9 @@ for (HiveSession hiveSession: hiveSessions) {
       int queries = 0;
       Collection<QueryInfo> operations = sessionManager.getOperationManager().getLiveQueryInfos();
       for (QueryInfo operation : operations) {
+          if (!HttpServer.hasAccess(remoteUser, operation.getUserName(), ctx, request)) {
+              continue;
+          }
           queries++;
     %>
     <tr>
@@ -184,6 +195,9 @@ for (HiveSession hiveSession: hiveSessions) {
       queries = 0;
       operations = sessionManager.getOperationManager().getHistoricalQueryInfos();
       for (QueryInfo operation : operations) {
+          if (!HttpServer.hasAccess(remoteUser, operation.getUserName(), ctx, request)) {
+              continue;
+          }
           queries++;
     %>
     <tr>