hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xuefu Zhang (JIRA)" <>
Subject [jira] [Commented] (HIVE-17252) Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode
Date Fri, 04 Aug 2017 20:13:00 GMT


Xuefu Zhang commented on HIVE-17252:

I don't think Hive set any value to mapreduce.job.queuename by default. In fact, it's expected
that a user to set the queue name correctly. Hive doesn't manage user-queue mapping either.
Please refer to YARN queue access control for queue permissions.

> Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode
> --------------------------------------------------------------------------
>                 Key: HIVE-17252
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 1.1.0
>            Reporter: Vugar Karimli
> Hi,
> I am using Hive version 1.1.0 with Hadoop 2.6.0. As you know when Kerberos and Sentry
is enabled in hadoop cluster HiveServer2 user impersonation should be turned of (hive.server2.enable.doAs=false)
to force all queries in background to be executed by hive user instead of logged in user.

> In this case by default HiveServer2 takes into account Fair Scheduler and sets mapreduce.job.queuename
parameter according to logged in Hive username and correctly executes query in user's YARN
queue. For example, in root.users.user_name queue.
> But problem here is any user can modify mapreduce.job.queuename parameter setting other
user's queue name (set mapreduce.job.queuename=root.users.other_user_name) and execute query
in another user's YARN queue. Here YARN queue's ACL also doesn't help, because all queries
are executed by hive user in YARN not by logged in user.
> Is it possible to prevent HiveServer2 users changing mapreduce.job.queuename parameter?
> Best Regards,
> Vugar.

This message was sent by Atlassian JIRA

View raw message