hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vaibhav Gumashta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-6857) Refactor HiveServer2 TSetIpAddressProcessor
Date Tue, 08 Apr 2014 07:04:15 GMT

    [ https://issues.apache.org/jira/browse/HIVE-6857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13962641#comment-13962641
] 

Vaibhav Gumashta commented on HIVE-6857:
----------------------------------------

[~thejas] I am just using this is a placeholder of issues I notice wrt TSetIpAddressProcessor,
threadlocals. You might want to take a look. Some of these I'll resolve as part of HIVE-6864.


> Refactor HiveServer2 TSetIpAddressProcessor
> -------------------------------------------
>
>                 Key: HIVE-6857
>                 URL: https://issues.apache.org/jira/browse/HIVE-6857
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Vaibhav Gumashta
>            Assignee: Vaibhav Gumashta
>
> Excerpt HIVE-6837. Issues:
> 1. SessionManager#openSession:
> {code}
> public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
>       Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
>           throws HiveSQLException {
>     HiveSession session;
>     if (withImpersonation) {
>       HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username,
password,
>         hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
>       session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
>       hiveSessionUgi.setProxySession(session);
>     } else {
>       session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
>           TSetIpAddressProcessor.getUserIpAddress());
>     }
>     session.setSessionManager(this);
>     session.setOperationManager(operationManager);
>     session.open();
>     handleToSession.put(session.getSessionHandle(), session);
>     try {
>       executeSessionHooks(session);
>     } catch (Exception e) {
>       throw new HiveSQLException("Failed to execute session hooks", e);
>     }
>     return session.getSessionHandle();
>   }
> {code}
> Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress()
to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
> 2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with
UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
> 3. The name TSetIpAddressProcessor should be replaced with something more meaningful
like TPlainSASLProcessor.
> 4. Consolidate thread locals used for username, ipaddress
> 5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
> https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message