hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-8643) DDL operations via WebHCat with doAs parameter in secure cluster fail
Date Wed, 29 Oct 2014 20:39:33 GMT

    [ https://issues.apache.org/jira/browse/HIVE-8643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188957#comment-14188957
] 

Thejas M Nair commented on HIVE-8643:
-------------------------------------

Can you also add a comment to ProxyUserAuthenticator saying that it is no longer necessary
to use it with webhcat (0.14 release onwards).
Also, the comment block can you use the oracle java style (the IDE should be able to do it
for you)  -

{code}
/*
 * Here is a block comment.
 */
{code}
http://www.oracle.com/technetwork/java/javase/documentation/codeconventions-141999.html#385


> DDL operations via WebHCat with doAs parameter in secure cluster fail
> ---------------------------------------------------------------------
>
>                 Key: HIVE-8643
>                 URL: https://issues.apache.org/jira/browse/HIVE-8643
>             Project: Hive
>          Issue Type: Bug
>          Components: WebHCat
>    Affects Versions: 0.14.0
>            Reporter: Eugene Koifman
>            Assignee: Eugene Koifman
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: HIVE-8643.2.patch, HIVE-8643.patch
>
>
> webhcat handles DDL command by forking to 'hcat', i.e. HCatCli
> This starts a session.
> SessionState.start() creates scratch dir based on current user name
> via startSs.createSessionDirs(sessionUGI.getShortUserName());
> This UGI is not aware of doAs param, so the name of the dir always ends up 'hcat', but
because a delegation token is generated in WebHCat for HDFS access, the owner of the scratch
dir is the calling user.  Thus next time a session is started (because of a new DDL call from
different user), it ends up trying to use the same scratch dir but cannot as it has 700 permission
set.
> We need to pass in doAs user into SessionState



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message