hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vaibhav Gumashta (JIRA)" <>
Subject [jira] [Commented] (HIVE-6837) HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null for client
Date Mon, 07 Apr 2014 19:07:16 GMT


Vaibhav Gumashta commented on HIVE-6837:

[~thejas] Thanks for taking a look.

Sure, I'll do that. There's another issue that I noticed caused in SessionManager#openSession
as a result of this:
public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
      Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
          throws HiveSQLException {
    HiveSession session;
    if (withImpersonation) {
      HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
      session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
    } else {
      session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
    handleToSession.put(session.getSessionHandle(), session);

    try {
    } catch (Exception e) {
      throw new HiveSQLException("Failed to execute session hooks", e);
    return session.getSessionHandle();

Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress()
to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).

Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the
HiveServer2 process) which doesn't make sense to me:

> HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null
for client
> ----------------------------------------------------------------------------------------------
>                 Key: HIVE-6837
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 0.13.0
>            Reporter: Dilli Arumugam
>            Assignee: Vaibhav Gumashta
>             Fix For: 0.13.0
>         Attachments: HIVE-6837.1.patch, HIVE-6837.2.patch, HIVE-6837.3.patch, hive.log
> Hive Server running thrift/http with Kerberos security.
> Kinited user knox attempting to proxy as sam.
> Beeline connection failed reporting error on hive server logs:
> Caused by: Unauthorized
connection for super-user: knox from IP null

This message was sent by Atlassian JIRA

View raw message