hive-dev mailing list archives

From "Vaibhav Gumashta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-6837) HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null for client
Date Mon, 07 Apr 2014 19:07:16 GMT

    [ https://issues.apache.org/jira/browse/HIVE-6837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13962151#comment-13962151 ]

Vaibhav Gumashta commented on HIVE-6837:
----------------------------------------

[~thejas] Thanks for taking a look.

Sure, I'll do that. There's another issue that I noticed caused in SessionManager#openSession
as a result of this:
{code}
  public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
      Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
          throws HiveSQLException {
    HiveSession session;
    if (withImpersonation) {
      HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
      session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
      hiveSessionUgi.setProxySession(session);
    } else {
      session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
          TSetIpAddressProcessor.getUserIpAddress());
    }
    session.setSessionManager(this);
    session.setOperationManager(operationManager);
    session.open();
    handleToSession.put(session.getSessionHandle(), session);

    try {
      executeSessionHooks(session);
    } catch (Exception e) {
      throw new HiveSQLException("Failed to execute session hooks", e);
    }
    return session.getSessionHandle();
  }
{code}

Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress()
to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).

Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the
HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.


> HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null for client
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-6837
>                 URL: https://issues.apache.org/jira/browse/HIVE-6837
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 0.13.0
>            Reporter: Dilli Arumugam
>            Assignee: Vaibhav Gumashta
>             Fix For: 0.13.0
>
>         Attachments: HIVE-6837.1.patch, HIVE-6837.2.patch, HIVE-6837.3.patch, hive.log
>
>
> Hive Server running thrift/http with Kerberos security.
> Kinited user knox attempting to proxy as sam.
> Beeline connection failed reporting error on hive server logs:
> Caused by: org.apache.hadoop.security.authorize.AuthorizationException: Unauthorized connection for super-user: knox from IP null



--
This message was sent by Atlassian JIRA
(v6.2#6252)
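
An added example, not part of the original message and not Hive's code: a self-contained Java model of the mismatch described in the comment above, where the proxy-user check reads the client IP from a source that the active transport never populated and therefore sees null. The class, the two thread-local slots standing in for TSetIpAddressProcessor and HiveAuthFactory#getIpAddress, the proxy rule and the address are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Illustrative model only; names and values here are constructed, not taken from Hive.
public class ProxyIpCheckDemo {
  // Per-thread IP slots, each filled by a different transport (assumed model).
  static final ThreadLocal<String> PLAIN_IP = new ThreadLocal<>();    // stands in for TSetIpAddressProcessor
  static final ThreadLocal<String> KERBEROS_IP = new ThreadLocal<>(); // stands in for HiveAuthFactory#getIpAddress

  enum AuthMode { NONE, KERBEROS }

  // Constructed proxy rule: super-user -> client addresses it may proxy from.
  static final Map<String, Set<String>> PROXY_HOSTS = Map.of("knox", Set.of("10.0.0.5"));

  // Pick the IP source that matches the transport actually in use.
  static String resolveClientIp(AuthMode mode) {
    return mode == AuthMode.KERBEROS ? KERBEROS_IP.get() : PLAIN_IP.get();
  }

  // Fail closed, but report an unresolved IP separately from a disallowed one,
  // so a wiring bug is not mistaken for a policy denial.
  static void authorizeProxy(String superUser, String ip) {
    if (ip == null) {
      throw new IllegalStateException(
          "client IP unresolved for super-user " + superUser + "; IP source does not match transport");
    }
    Set<String> hosts = PROXY_HOSTS.get(superUser);
    if (hosts == null || !hosts.contains(ip)) {
      throw new SecurityException(
          "Unauthorized connection for super-user: " + superUser + " from IP " + ip);
    }
  }

  public static void main(String[] args) {
    // The Kerberos transport recorded the address only in its own slot.
    KERBEROS_IP.set("10.0.0.5");
    try {
      // Mismatch: session code reads the non-Kerberos slot and gets null.
      authorizeProxy("knox", resolveClientIp(AuthMode.NONE));
    } catch (IllegalStateException e) {
      System.out.println("mismatched source: " + e.getMessage());
    }
    // Matching source: the same request passes the proxy check.
    authorizeProxy("knox", resolveClientIp(AuthMode.KERBEROS));
    System.out.println("matched source: knox authorized from 10.0.0.5");
  }
}
```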
