hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vugar Karimli (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HIVE-17252) Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode
Date Fri, 04 Aug 2017 14:06:00 GMT
Vugar Karimli created HIVE-17252:
------------------------------------

             Summary: Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation
mode
                 Key: HIVE-17252
                 URL: https://issues.apache.org/jira/browse/HIVE-17252
             Project: Hive
          Issue Type: Bug
    Affects Versions: 1.1.0
            Reporter: Vugar Karimli


Hi,

I am using Hive version 1.1.0 with Hadoop 2.6.0. As you know when Kerberos and Sentry is enabled
in hadoop cluster HiveServer2 user impersonation should be turned of (hive.server2.enable.doAs=false)
to force all queries in background to be executed by hive user instead of logged in user.


In this case by default HiveServer2 takes into account Fair Scheduler and sets mapreduce.job.queuename
parameter according to logged in Hive username and correctly executes query in user's YARN
queue. For example, in root.users.user_name queue.

But problem here is any user can modify mapreduce.job.queuename parameter setting other user's
queue name (set mapreduce.job.queuename=root.users.other_user_name) and execute query in another
user's YARN queue. Here YARN queue's ACL also doesn't help, because all queries are executed
by hive user in YARN not by logged in user.

Is it possible to prevent HiveServer2 users changing mapreduce.job.queuename parameter?

Best Regards,
Vugar.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message