hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eugene Koifman (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-5001) [WebHCat] JobState is read/written with different user credentials
Date Tue, 09 Sep 2014 23:18:28 GMT

     [ https://issues.apache.org/jira/browse/HIVE-5001?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eugene Koifman updated HIVE-5001:
---------------------------------
    Component/s:     (was: HCatalog)
                 WebHCat

> [WebHCat] JobState is read/written with different user credentials
> ------------------------------------------------------------------
>
>                 Key: HIVE-5001
>                 URL: https://issues.apache.org/jira/browse/HIVE-5001
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, WebHCat
>    Affects Versions: 0.11.0
>            Reporter: Eugene Koifman
>            Assignee: Eugene Koifman
>            Priority: Minor
>
> JobState can be persisted to HDFS or Zookeeper.  At various points in the lifecycle it's
accessed with different user credentials thus may cause errors depending on how permissions
are set.
> Example:
> When submitting a MR job, templeton.JarDelegator is used.
> It calls LauncherDelegator#queueAsUser() which runs TempletonControllerJob with UserGroupInformation.doAs().
> TempletonControllerJob will in turn create JobState and persist it.
> LauncherDelegator.registerJob() also modifies JobState but w/o doing a doAs()
> So in the later case it's possible that the persisted state of JobState by a different
user than one that created/owns the file.
> templeton.tool.HDFSCleanup tries to delete these files w/o doAs.
> 'childid' file, for example, is created with rw-r--r--.
> and it's parent directory (job_201308051224_0001) has rwxr-xr-x.
> HDFSStorage doesn't set file permissions explicitly so it must be using default permissions.
> So there is a potential issue here (depending on UMASK) especially once HIVE-4601 is
addressed.
> Actually, even w/o HIVE-4601 the user that owns the WebHCat process is likely different
than the one submitting a request.
> The default for templeton.storage.class is org.apache.hcatalog.templeton.toolHDFSStorage,
but it's likely that most production environments change it to Zookeeper, which may explain
why this issue is not commonly seen.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message