Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

Thu, 24 Apr 2014 16:23:27 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
-----------------------------------------------------------

(Updated April 24, 2014, 11:21 p.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
-------

3.patch - fixing TestSSL failures because of change in MiniHS2


Bugs: HIVE-6957
    https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
-------

In HiveServer2, when Kerberos auth and binary transport modes are used, the 
user name that gets passed on to authorization is the long kerberos username.
The username that is used in grant/revoke statements tend to be the short 
usernames.
This also fails in authorizing statements that involve URI, as the 
authorization mode checks the file system permissions for given user. It does 
not recognize that the given long username actually owns the file or belongs to 
the group that owns the file.


Diffs (updated)
-----

  
itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java
 PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java 
f7ec93d 
  
itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
 62bfa1e 
  
itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java
 PRE-CREATION 
  
itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java
 PRE-CREATION 
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java 
d08bfde 
  itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97 
  
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
 9e296de 

Diff: https://reviews.apache.org/r/20578/diff/


Testing
-------

Unit test included.


Thanks,

Thejas Nair

Reply via email to