hive-issues mailing list archives

From "Siddharth Seth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-13445) LLAP: token should encode application and cluster ids
Date Mon, 25 Apr 2016 09:51:12 GMT

    [ https://issues.apache.org/jira/browse/HIVE-13445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15256168#comment-15256168 ]

Siddharth Seth commented on HIVE-13445:
---------------------------------------

bq. Is the yarn option already used somewhere? We could just change the utility method to
use it too.
Think this should be a separate jira. Will create one.

bq. Don't understand. Can you elaborate?
A token can be obtained in case of Tez as well, with the hive sessionId passed in, instead
of having an alternate path where appId is sent in as null. This would require a lot more
work on the LLAP side to associate queries with a sessionId rather than an appId, so it may
not be worthwhile right now.

bq. Separate JIRA?
Think it's worthwhile adding basic tests as part of the patch itself, and a separate jira
for more comprehensive system tests.

More comments on RB.

Thinking out loud on appId in the token...
With default and recommended settings post HIVE-13446, only HS2 can obtain delegation tokens
or a CLI instance / client which has the hiveserver/llap user Kerberos credentials. In this
case, users cannot easily fake the appSecret in a token - and llap should be able to trust
the appSecret from the token without it being explicitly signed.
Also, should we pass in a user in the getDelegationToken request either in place of appSecret
or along with it? HS2 can set this user to the actual requesting user, otherwise the token
is being issued with the user set to hive. getRealUser does not work afaik without proxy users
being set up correctly.

On the association of TokenUser / TokenApp on the first request
QueryInfo already contains the appIdString and username. The token should be a duplicate of
this. If anything we can verify the submitRequest and the token match like you mentioned.
Subsequent requests already have the associated username / appId. I don't think the new fields
in QueryInfo are required.



> LLAP: token should encode application and cluster ids
> -----------------------------------------------------
>
>                 Key: HIVE-13445
>                 URL: https://issues.apache.org/jira/browse/HIVE-13445
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13445.01.patch, HIVE-13445.02.patch, HIVE-13445.03.patch, HIVE-13445.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
