Date: Wed, 29 Oct 2014 20:39:33 +0000 (UTC)
From: "Thejas M Nair (JIRA)"
To: hive-dev@hadoop.apache.org
Subject: [jira] [Commented] (HIVE-8643) DDL operations via WebHCat with doAs parameter in secure cluster fail

    [ https://issues.apache.org/jira/browse/HIVE-8643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188957#comment-14188957 ]

Thejas M Nair commented on HIVE-8643:
-------------------------------------

Can you also add a comment to ProxyUserAuthenticator saying that it is no longer necessary to use it with webhcat (0.14 release onwards)?

Also, for the comment block, can you use the Oracle Java style (the IDE should be able to do it for you) -
{code}
/*
 * Here is a block comment.
 */
{code}
http://www.oracle.com/technetwork/java/javase/documentation/codeconventions-141999.html#385

> DDL operations via WebHCat with doAs parameter in secure cluster fail
> ---------------------------------------------------------------------
>
>                 Key: HIVE-8643
>                 URL: https://issues.apache.org/jira/browse/HIVE-8643
>             Project: Hive
>          Issue Type: Bug
>          Components: WebHCat
>    Affects Versions: 0.14.0
>            Reporter: Eugene Koifman
>            Assignee: Eugene Koifman
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: HIVE-8643.2.patch, HIVE-8643.patch
>
>
> webhcat handles DDL command by forking to 'hcat', i.e. HCatCli
> This starts a session.
> SessionState.start() creates scratch dir based on current user name
> via startSs.createSessionDirs(sessionUGI.getShortUserName());
> This UGI is not aware of doAs param, so the name of the dir always ends up 'hcat', but because a delegation token is generated in WebHCat for HDFS access, the owner of the scratch dir is the calling user. Thus next time a session is started (because of a new DDL call from different user), it ends up trying to use the same scratch dir but cannot as it has 700 permission set.
> We need to pass in doAs user into SessionState

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
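
The scratch-directory collision described in the quoted issue, modeled as an added Python example (not Hive or WebHCat code, and not part of the original message). `ScratchFs`, `start_session`, `run_calls`, the `/scratch/` root and the callers `alice` and `bob` are hypothetical names constructed for illustration; the model assumes a mode-700 directory is usable only by its owner.

```python
class ScratchFs:
    """In-memory stand-in for HDFS: path -> (owner, mode). Constructed model."""

    def __init__(self):
        self.dirs = {}

    def ensure_dir(self, path, acting_user, mode=0o700):
        """Create path as acting_user, or reuse it if acting_user may enter it."""
        if path not in self.dirs:
            self.dirs[path] = (acting_user, mode)
            return path
        owner, existing = self.dirs[path]
        # Simplified check: with no group/other bits (700), only the owner gets in.
        if acting_user != owner and (existing & 0o077) == 0:
            raise PermissionError(
                f"{acting_user} cannot use {path} (owner={owner}, mode={existing:o})")
        return path


def start_session(fs, process_user, do_as_user, pass_do_as):
    """Model of session start.

    process_user: account the forked CLI runs as ('hcat' in the report).
    do_as_user:   caller named by doAs; the delegation token makes the
                  filesystem writes happen as this user.
    pass_do_as:   False = reported behaviour (dir named after process user),
                  True  = requested fix (dir named after the doAs user).
    """
    name_user = do_as_user if pass_do_as else process_user
    path = f"/scratch/{name_user}"  # hypothetical scratch root
    return fs.ensure_dir(path, acting_user=do_as_user)


def run_calls(callers, pass_do_as):
    """Issue one DDL call per caller; return [(caller, path or 'DENIED')]."""
    fs = ScratchFs()
    results = []
    for caller in callers:
        try:
            results.append((caller, start_session(fs, "hcat", caller, pass_do_as)))
        except PermissionError:
            results.append((caller, "DENIED"))
    return results


if __name__ == "__main__":
    print("name from process user:", run_calls(["alice", "bob"], pass_do_as=False))
    print("name from doAs user:   ", run_calls(["alice", "bob"], pass_do_as=True))
```

In the first run the directory name and its owner come from two different identities, so the second caller is locked out; in the second run both come from the doAs user and each caller gets a private directory.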