Subject: Re: Hive Context: Hive Metastore Client
From: Alan Gates
Date: Wed, 9 Mar 2016 07:58:32 -0800
To: user@hive.apache.org

One way people have gotten around the lack of LDAP connectivity in HS2 has
been to use Apache Knox. That project’s goal is to provide a single login
capability for Hadoop related projects so that users can tie their LDAP or
Active Directory servers into Hadoop.

Alan.

> On Mar 8, 2016, at 16:00, Mich Talebzadeh wrote:
>
> The current scenario resembles a three tier architecture but without the
> security of second tier. In a typical three-tier you have users connecting
> to the application server (read Hive server2) are independently
> authenticated and if OK, the second tier creates new .NET type or JDBC
> threads to connect to database much like multi-threading. The problem I
> believe is that Hive server 2 does not have that concept of handling the
> individual loggings yet. Hive server 2 should be able to handle LDAP
> logins as well. It is a useful layer to have.
>
> Dr Mich Talebzadeh
>
> LinkedIn https://www.linkedin.com/profile/view?id=AAEAAAAWh2gBxianrbJd6zP6AcPCCdOABUrV8Pw
>
> http://talebzadehmich.wordpress.com
>
> On 8 March 2016 at 23:28, Alex wrote:
> Yes, when creating a Hive Context a Hive Metastore client should be
> created with a user that the Spark application will talk to the *remote*
> Hive Metastore with.
> We would like to add a custom authorization plugin to our remote Hive
> Metastore to authorize the query requests that the spark application is
> submitting which would also add authorization for any other applications
> hitting the Hive Metastore. Furthermore we would like to extend this so
> that we can submit "jobs" to our Spark application that will allow us to
> run against the metastore as different users while leveraging the
> abilities of our spark cluster. But as you mentioned only one login that
> connects to the Hive Metastore is shared among all HiveContext sessions.
>
> Likely the authentication would have to be completed either through a
> secured Hive Metastore (Kerberos) or by having the requests go through
> HiveServer2.
>
> --Alex
>
>
> On 3/8/2016 3:13 PM, Mich Talebzadeh wrote:
>> Hi,
>>
>> What do you mean by Hive Metastore Client? Are you referring to Hive
>> server login much like beeline?
>>
>> Spark uses hive-site.xml to get the details of Hive metastore and the
>> login to the metastore which could be any database. Mine is Oracle and as
>> far as I know even in Hive 2, hive-site.xml has an entry for
>> javax.jdo.option.ConnectionUserName that specifies username to use
>> against metastore database.
>> These are all multi-threaded JDBC connections to the database, the same
>> login as shown below:
>>
>> LOGIN    SID/serial# LOGGED IN S HOST       OS PID         Client PID     PROGRAM               MEM/KB      Logical I/O Physical I/O ACT
>> -------- ----------- ----------- ---------- -------------- -------------- --------------- ------------ ---------------- ------------ ---
>> INFO
>> -------
>> HIVEUSER 67,6160     08/03 08:11 rhes564    oracle/20539   hduser/1234    JDBC Thin Clien        1,017               37            0 N
>> HIVEUSER 89,6421     08/03 08:11 rhes564    oracle/20541   hduser/1234    JDBC Thin Clien        1,081              528            0 N
>> HIVEUSER 112,561     08/03 10:45 rhes564    oracle/24624   hduser/1234    JDBC Thin Clien          889               37            0 N
>> HIVEUSER 131,8811    08/03 08:11 rhes564    oracle/20543   hduser/1234    JDBC Thin Clien        1,017               37            0 N
>> HIVEUSER 47,30114    08/03 10:45 rhes564    oracle/24626   hduser/1234    JDBC Thin Clien        1,017               37            0 N
>> HIVEUSER 170,8955    08/03 08:11 rhes564    oracle/20545   hduser/1234    JDBC Thin Clien        1,017              323            0 N
>>
>> As I understand what you are suggesting is that each Spark user uses
>> different login to connect to Hive metastore.
>> As of now there is only one login that connects to Hive metastore shared
>> among all
>>
>> 2016-03-08T23:08:01,890 INFO [pool-5-thread-72]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(280)) - ugi=hduser ip=50.140.197.217 cmd=source:50.140.197.217 get_table : db=test tbl=t
>> 2016-03-08T23:18:10,432 INFO [pool-5-thread-81]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(280)) - ugi=hduser ip=50.140.197.216 cmd=source:50.140.197.216 get_tables: db=asehadoop pat=.*
>>
>> And this is an entry in Hive log when connection is made through
>> Zeppelin UI
>>
>> 2016-03-08T23:20:13,546 INFO [pool-5-thread-84]: metastore.HiveMetaStore (HiveMetaStore.java:newRawStore(499)) - 84: Opening raw store with implementation class:org.apache.hadoop.hive.metastore.ObjectStore
>> 2016-03-08T23:20:13,547 INFO [pool-5-thread-84]: metastore.ObjectStore (ObjectStore.java:initialize(318)) - ObjectStore, initialize called
>> 2016-03-08T23:20:13,550 INFO [pool-5-thread-84]: metastore.MetaStoreDirectSql (MetaStoreDirectSql.java:(142)) - Using direct SQL, underlying DB is ORACLE
>> 2016-03-08T23:20:13,550 INFO [pool-5-thread-84]: metastore.ObjectStore (ObjectStore.java:setConf(301)) - Initialized ObjectStore
>>
>> I am not sure there is currently such plan to have different logins
>> allowed to Hive Metastore. But it will add another level of security.
>> Though I am not sure how this would be authenticated.
>>
>> HTH
>>
>> Dr Mich Talebzadeh
>>
>> LinkedIn https://www.linkedin.com/profile/view?id=AAEAAAAWh2gBxianrbJd6zP6AcPCCdOABUrV8Pw
>>
>> http://talebzadehmich.wordpress.com
>>
>> On 8 March 2016 at 22:23, Alex F wrote:
>> As of Spark 1.6.0 it is now possible to create new Hive Context sessions
>> sharing various components but right now the Hive Metastore Client is
>> shared amongst each new Hive Context Session.
>>
>> Are there any plans to create individual Metastore Clients for each Hive
>> Context?
>>
>> Related to the question above are there any plans to create an interface
>> for customizing the username that the Metastore Client uses to connect to
>> the Hive Metastore? Right now it either uses the user specified in an
>> environment variable or the application's process owner.
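
Added example, not part of the thread: a small parser for the HiveMetaStore.audit lines quoted above that reports any ugi seen from more than one client IP, which is how the shared metastore login discussed in the thread shows up in the audit trail. The `analyst1` line is constructed for contrast, and the field layout is assumed from the two audit lines in the message.

```python
import re
from collections import defaultdict

# The two hduser audit lines and the ObjectStore line are quoted in the thread;
# the "analyst1" line is constructed for contrast (hypothetical user).
SAMPLE_LOG = """\
2016-03-08T23:08:01,890 INFO [pool-5-thread-72]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(280)) - ugi=hduser ip=50.140.197.217 cmd=source:50.140.197.217 get_table : db=test tbl=t
2016-03-08T23:18:10,432 INFO [pool-5-thread-81]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(280)) - ugi=hduser ip=50.140.197.216 cmd=source:50.140.197.216 get_tables: db=asehadoop pat=.*
2016-03-08T23:20:13,550 INFO [pool-5-thread-84]: metastore.ObjectStore (ObjectStore.java:setConf(301)) - Initialized ObjectStore
2016-03-08T23:25:00,000 INFO [pool-5-thread-90]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(280)) - ugi=analyst1 ip=50.140.197.216 cmd=source:50.140.197.216 get_table : db=test tbl=t
"""

# Fields are whitespace-separated key=value pairs after the logger prefix.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+INFO\s+\[[^\]]*\]:\s+HiveMetaStore\.audit\s.*?"
    r"ugi=(?P<ugi>\S+)\s+ip=(?P<ip>\S+)\s+cmd=(?:source:\S+\s+)?(?P<cmd>.*)$"
)


def parse_audit(text):
    """Return one dict per HiveMetaStore.audit line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        op, _, args = m.group("cmd").partition(":")
        events.append({"ts": m.group("ts"), "ugi": m.group("ugi"),
                       "ip": m.group("ip"), "op": op.strip(), "args": args.strip()})
    return events


def shared_identities(events, min_sources=2):
    """Map each ugi seen from >= min_sources client IPs to those IPs.

    A ugi that appears from several hosts suggests a shared service login:
    the metastore audit trail cannot say which end user issued each call.
    """
    sources = defaultdict(set)
    for e in events:
        sources[e["ugi"]].add(e["ip"])
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    events = parse_audit(SAMPLE_LOG)
    for ugi, ips in shared_identities(events).items():
        ops = sorted({e["op"] for e in events if e["ugi"] == ugi})
        print(f"{ugi}: {len(ips)} source IPs {ips}, ops {ops}")
```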