hive-issues mailing list archives

From "Abdelrahman Shettia (JIRA)" <>
Subject [jira] [Commented] (HIVE-10528) Hiveserver2 in HTTP mode is not applying auth_to_local rules
Date Wed, 27 May 2015 12:55:18 GMT


Abdelrahman Shettia commented on HIVE-10528:

The build has some failures related to the following:
2015-05-27 04:38:59,538 ERROR Test run exited with an unexpected error org.apache.hive.ptest.execution.TestsFailedException:
55 tests failed

I am not sure if this is related to the code change in the patch. [~vgumashta] can you please
confirm for me?  I am able to get a successful local build and ran through the test cases
without issues. I am attaching a file called 'REPRO-10528.txt' with the testing outcome. The
patch did fix the issue and it's using auth to local.


> Hiveserver2 in HTTP mode is not applying auth_to_local rules
> ------------------------------------------------------------
>                 Key: HIVE-10528
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 1.0.0, 1.2.0, 1.1.0, 1.3.0
>         Environment: Centos 6
>            Reporter: Abdelrahman Shettia
>            Assignee: Abdelrahman Shettia
>         Attachments: HIVE-10528.1.patch, HIVE-10528.1.patch, HIVE-10528.2.patch, HIVE-10528.3.patch
> PROBLEM: Authenticating to HS2 in HTTP mode with Kerberos, auth_to_local mappings do not get applied.  Because of this, various permissions checks which rely on the local cluster name for a user are going to fail.
> 1.  Create Kerberos cluster and HS2 in HTTP mode
> 2.  Create a new user, test, along with a Kerberos principal for this user
> 3.  Create a separate principal, mapped-test
> 4.  Create an auth_to_local rule to make sure that mapped-test is mapped to test
> 5.  As the test user, connect to HS2 with beeline and create a simple table:
> {code}
> CREATE TABLE permtest (field1 int);
> {code}
> There is no need to load anything into this table.
> 6.  Establish that it works as the test user:
> {code}
> show create table permtest;
> {code}
> 7.  Drop the test identity and become mapped-test
> 8.  Re-connect to HS2 with beeline, re-run the above command:
> {code}
> show create table permtest;
> {code}
> You will find that when this is done in HTTP mode, you will get an HDFS error (because of StorageBasedAuthorization doing an HDFS permissions check) and the user will be mapped-test and NOT test as it should be.
> ANALYSIS:  This appears to be HTTP specific and the problem seems to come in {{ThriftHttpServlet$HttpKerberosServerAction.getPrincipalWithoutRealmAndHost()}}:
> {code}
>       try {
>         fullKerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(fullPrincipal);
>       } catch (IOException e) {
>         throw new HttpAuthenticationException(e);
>       }
>       return fullKerberosName.getServiceName();
> {code}
> getServiceName applies no auth_to_local rules.  Seems like maybe this should be getShortName()?

This message was sent by Atlassian JIRA
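
The difference the analysis points at, as an added example that is not code from Hive, Hadoop, or the attached patches: a simplified, self-contained model of auth_to_local evaluation for one-component principals, set beside a lookup that only takes the first component of the principal (the model assumed here for the rule-free `getServiceName()` path). The class name, realm, and rule string are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model (assumption): one-component principals and a single rule
// shape, RULE:[1:$1@$0](match)s/from/to/, followed by DEFAULT.
public class AuthToLocalDemo {
    // Constructed sample values, not taken from the issue.
    static final String DEFAULT_REALM = "EXAMPLE.COM";
    static final String[] RULES = {
        "RULE:[1:$1@$0](mapped-test@EXAMPLE\\.COM)s/.*/test/",
        "DEFAULT"
    };
    static final Pattern RULE_SYNTAX =
        Pattern.compile("RULE:\\[1:\\$1@\\$0\\]\\((.*)\\)s/(.*)/(.*)/");

    // Rule-free lookup: first component of the principal, nothing else.
    static String firstComponent(String principal) {
        return principal.split("[/@]", 2)[0];
    }

    // Rule-aware lookup: the first rule that matches decides the local name.
    static String shortName(String principal) {
        String[] parts = principal.split("@", 2);
        if (parts.length != 2 || parts[0].contains("/")) {
            throw new IllegalArgumentException("expected user@REALM: " + principal);
        }
        for (String rule : RULES) {
            if (rule.equals("DEFAULT")) {
                if (parts[1].equals(DEFAULT_REALM)) return parts[0];
                continue;
            }
            Matcher m = RULE_SYNTAX.matcher(rule);
            if (!m.matches()) {
                throw new IllegalArgumentException("unsupported rule: " + rule);
            }
            // [1:$1@$0] formats a one-component principal back to user@REALM.
            if (Pattern.matches(m.group(1), principal)) {
                return principal.replaceFirst(m.group(2), m.group(3));
            }
        }
        throw new IllegalStateException("no rule applied to " + principal);
    }

    public static void main(String[] args) {
        for (String p : new String[] {"test@EXAMPLE.COM", "mapped-test@EXAMPLE.COM"}) {
            System.out.printf("%-24s first component=%-12s short name=%s%n",
                p, firstComponent(p), shortName(p));
        }
    }
}
```

For `mapped-test@EXAMPLE.COM` the rule-free lookup yields `mapped-test` while the rule-aware lookup yields `test`, which is the mismatch that makes the storage-based permission check run as the wrong local user.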
