hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eugene Chung (Jira)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-23296) Setting Tez caller ID with the Hive session user
Date Fri, 24 Apr 2020 10:24:00 GMT

     [ https://issues.apache.org/jira/browse/HIVE-23296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eugene Chung updated HIVE-23296:
--------------------------------
    Description: 
On the kerberized Hadoop environment, a submitter of an YARN job is the name part of the Hive
server principal. A caller ID of the job is made of the OS user of the Hive server process.

The view and modify ACLs of the Hive server admin for all Tez tasks are set by org.apache.hadoop.hive.ql.exec.tez.TezTask#setAccessControlsForCurrentUser()
so that the admin can see all tasks from tez-ui. But the admin hardly knows who executed each
query.

I suggest to change the caller ID to include the actual Hive user. If the user is not known, the
OS user of the Hive server process is included as is.

The attached picture shows that 'Caller ID' includes 'user1' which is the Kerberos user name
of the actual Hive user.

!Screen Shot 2020-04-24 at 17.20.34.png|width=683,height=29!

  was:
On the kerberized Hadoop environment, a submitter of an YARN job is the name part of the Hive
server principal. A caller ID of the job is made of the OS user of the Hive server process.

The view and modify ACLs of the Hive server admin for all Tez tasks are set by org.apache.hadoop.hive.ql.exec.tez.TezTask#setAccessControlsForCurrentUser()
so that the admin can see all tasks from tez-ui. But the admin hardly knows who executed each
query.

I suggest to change the caller ID to include the actual Hive user. If the user is not known, the
OS user of the Hive server process is included as is.

!Screen Shot 2020-04-24 at 17.20.34.png|width=683,height=29!


> Setting Tez caller ID with the Hive session user
> ------------------------------------------------
>
>                 Key: HIVE-23296
>                 URL: https://issues.apache.org/jira/browse/HIVE-23296
>             Project: Hive
>          Issue Type: Improvement
>          Components: Tez
>            Reporter: Eugene Chung
>            Assignee: Eugene Chung
>            Priority: Major
>         Attachments: Screen Shot 2020-04-24 at 17.20.34.png
>
>
> On the kerberized Hadoop environment, a submitter of an YARN job is the name part of
the Hive server principal. A caller ID of the job is made of the OS user of the Hive server
process.
> The view and modify ACLs of the Hive server admin for all Tez tasks are set by org.apache.hadoop.hive.ql.exec.tez.TezTask#setAccessControlsForCurrentUser()
so that the admin can see all tasks from tez-ui. But the admin hardly knows who executed each
query.
> I suggest to change the caller ID to include the actual Hive user. If the user is not
known, the OS user of the Hive server process is included as is.
> The attached picture shows that 'Caller ID' includes 'user1' which is the Kerberos user
name of the actual Hive user.
> !Screen Shot 2020-04-24 at 17.20.34.png|width=683,height=29!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message