Date: Thu, 9 Oct 2014 22:03:34 +0000 (UTC)
From: "Vaibhav Gumashta (JIRA)"
To: hive-dev@hadoop.apache.org
Subject: [jira] [Updated] (HIVE-6857) Refactor HiveServer2 TSetIpAddressProcessor

     [ https://issues.apache.org/jira/browse/HIVE-6857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vaibhav Gumashta updated HIVE-6857:
-----------------------------------
    Fix Version/s: 0.15.0

> Refactor HiveServer2 TSetIpAddressProcessor
> -------------------------------------------
>
>                 Key: HIVE-6857
>                 URL: https://issues.apache.org/jira/browse/HIVE-6857
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Vaibhav Gumashta
>            Assignee: Vaibhav Gumashta
>             Fix For: 0.15.0
>
>
> Excerpt from HIVE-6837 and related issues:
> 1. SessionManager#openSession:
> {code}
> public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
>     Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
>     throws HiveSQLException {
>   HiveSession session;
>   if (withImpersonation) {
>     HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
>         hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
>     session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
>     hiveSessionUgi.setProxySession(session);
>   } else {
>     session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
>         TSetIpAddressProcessor.getUserIpAddress());
>   }
>   session.setSessionManager(this);
>   session.setOperationManager(operationManager);
>   session.open();
>   handleToSession.put(session.getSessionHandle(), session);
>   try {
>     executeSessionHooks(session);
>   } catch (Exception e) {
>     throw new HiveSQLException("Failed to execute session hooks", e);
>   }
>   return session.getSessionHandle();
> }
> {code}
> Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
> 2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
> 3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.
> 4. Consolidate thread locals used for username, ipaddress
> 5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
> https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
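
Added example, not part of the original message and not Hive's code: a stand-alone Java model of items 1 and 5, showing why a session layer that reads one processor's thread local directly loses the client address under another auth mode, while a single accessor keyed on the auth mode does not. Every class, field and method name below is hypothetical, and the model assumes each transport path records the peer address in its own thread local.

```java
// Added illustration. All names are hypothetical stand-ins, not Hive's API.
public class ClientAddressDemo {
    enum AuthMode { PLAIN_SASL, KERBEROS }

    // Stand-in for the plain-SASL processor's thread local holding the peer address.
    static final ThreadLocal<String> PLAIN_IP = new ThreadLocal<>();
    // Assumption: the Kerberos transport path records the peer address in a separate slot.
    static final ThreadLocal<String> KERBEROS_IP = new ThreadLocal<>();

    // Transport layer: each auth mode fills only its own slot before the request is handled.
    static void recordPeer(AuthMode mode, String peer) {
        if (mode == AuthMode.PLAIN_SASL) {
            PLAIN_IP.set(peer);
        } else {
            KERBEROS_IP.set(peer);
        }
    }

    // Pattern from the excerpt: the session layer reads the plain-SASL slot unconditionally.
    static String ipHardWired() {
        return PLAIN_IP.get();
    }

    // Pattern from item 5: one accessor that selects the source by the configured auth mode.
    static String ipViaFactory(AuthMode mode) {
        return mode == AuthMode.KERBEROS ? KERBEROS_IP.get() : PLAIN_IP.get();
    }

    // Handle one request and return { hard-wired answer, factory answer }.
    static String[] handle(AuthMode mode, String peer) {
        recordPeer(mode, peer);
        try {
            return new String[] { ipHardWired(), ipViaFactory(mode) };
        } finally {
            // Reset both slots so the next request on this thread starts empty.
            PLAIN_IP.remove();
            KERBEROS_IP.remove();
        }
    }

    public static void main(String[] args) {
        // Constructed sample addresses from the documentation range 192.0.2.0/24.
        String[] plain = handle(AuthMode.PLAIN_SASL, "192.0.2.10");
        String[] krb = handle(AuthMode.KERBEROS, "192.0.2.20");
        System.out.println("plain:    hardwired=" + plain[0] + " factory=" + plain[1]);
        System.out.println("kerberos: hardwired=" + krb[0] + " factory=" + krb[1]);
    }
}
```

In the Kerberos case the hard-wired lookup has no address to return, so anything downstream that records or checks the session's client IP works from a missing value.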