BELUGA BEHR created HIVE-19900:
----------------------------------

             Summary: HiveCLI HoS Performs Invalid Impersonation If User Name Truncated
                 Key: HIVE-19900
                 URL: https://issues.apache.org/jira/browse/HIVE-19900
             Project: Hive
          Issue Type: Improvement
          Components: CLI, Spark
    Affects Versions: 2.3.2, 3.0.0, 1.2.2, 4.0.0
            Reporter: BELUGA BEHR

The HiveCLI HoS code relies on the system property {{user.name}} when performing impersonations. The code decides to do an impersonation if the {{user.name}} system property does not match the current user who is launching the HiveCLI client.

However, when confronted with a long user name, some shells and Linux distros may opt to truncate the user name to a certain size to conserve screen space. In these scenarios, the current user name does not match the {{user.name}} system property and never will, so impersonation will always happen, even though the user is trying to impersonate themselves. If YARN is not set up to allow the current user to impersonate, YARN will reject the request.

{code:java}
if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
  try {
    String currentUser = Utils.getUGI().getShortUserName();
    // do not do impersonation in CLI mode
    if (!currentUser.equals(System.getProperty("user.name"))) {
      LOG.info("Attempting impersonation of " + currentUser);
      addProxyUser(currentUser);
    }
  } catch (Exception e) {
    String msg = "Cannot obtain username: " + e;
    throw new IllegalStateException(msg, e);
  }
}
{code}

[https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366]

Assuming a Kerberos-enabled environment, the error message in the YARN Resource Manager will be:

{code:java}
my-really-really-long-user-n...@hadoop.domain.com is not allowed to impersonate my-really-really-long-user-name
{code}
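
An added triage sketch, not part of the original report or of Hive: it mirrors the comparison in the quoted snippet and scans Resource Manager log text for rejections where a user was denied proxying as itself, which is the symptom described above. The log prefix, realm, host names and the truncated value are constructed, and the short-name mapping (drop '/host' and '@REALM') is an assumption about the cluster's auth_to_local rules.

```python
import re

# Only the "... is not allowed to impersonate ..." text comes from the report;
# the rest of each sample line below is constructed.
REJECT = re.compile(r"(?P<real>\S+) is not allowed to impersonate (?P<target>\S+)")

def short_name(principal):
    """Assumed default mapping: keep the part before the first '/' or '@'."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]

def client_decision(ugi_short, sys_user_name):
    """Label what the quoted equals() check does for a given pair of names."""
    if ugi_short == sys_user_name:
        return "no-impersonation"
    # Heuristic: a truncated user.name is a proper prefix of the real short name.
    if sys_user_name and ugi_short.startswith(sys_user_name):
        return "likely-truncated-self"
    return "impersonation"

def self_impersonation_rejections(lines):
    """Return (real principal, target) pairs where real maps to the target itself."""
    hits = []
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        target = m["target"].rstrip(".,")
        if short_name(m["real"]) == target:
            hits.append((m["real"], target))
    return hits

# Constructed sample log lines.
SAMPLE_LOG = [
    "2018-06-14 10:02:11 WARN ipc.Server: User: my-really-really-long-user-name"
    "@HADOOP.EXAMPLE.COM is not allowed to impersonate my-really-really-long-user-name",
    "2018-06-14 10:05:40 WARN ipc.Server: User: hive/gw01.example.com"
    "@HADOOP.EXAMPLE.COM is not allowed to impersonate alice",
    "2018-06-14 10:06:02 INFO ipc.Server: Auth successful for alice@HADOOP.EXAMPLE.COM",
]

if __name__ == "__main__":
    for real, target in self_impersonation_rejections(SAMPLE_LOG):
        print(f"self-impersonation rejected: {real} -> {target}")
```

A hit from self_impersonation_rejections points at the client-side name comparison rather than at a missing proxy-user grant, so the fix belongs in the client and not in widening YARN's impersonation rules.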