[jira] [Updated] (HIVE-7890) SessionState creates HMS Client while not impersonating

Wed, 27 Aug 2014 00:03:13 -0700 

     [ 
https://issues.apache.org/jira/browse/HIVE-7890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brock Noland updated HIVE-7890:
-------------------------------

    Description: 
In SessionState.start [an instance of the the HMSClient is 
created|https://github.com/apache/hive/blob/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java#L367].
 When impersonation is enabled, this call does not occur within a "doas" call 
and thus the HMSClient is created as the server user, not the impersonated user.

Thus calls to the HMS are made by the "hive" user as opposed to the end user. 
This causes file ownership such as a database directory owner to be incorrect. 
While debugging this, I got stack trace below. As you can see we are calling 
getMSC without a doas.

{noformat}
        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:2474)
        at 
org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:367)
        at 
org.apache.hive.service.cli.session.HiveSessionImpl.<init>(HiveSessionImpl.java:121)
        at 
org.apache.hive.service.cli.session.HiveSessionImplwithUGI.<init>(HiveSessionImplwithUGI.java:49)
        at 
org.apache.hive.service.cli.session.SessionManager.openSession(SessionManager.java:130)
        at 
org.apache.hive.service.cli.CLIService.openSessionWithImpersonation(CLIService.java:163)
        at 
org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(ThriftCLIService.java:290)
        at 
org.apache.hive.service.cli.thrift.ThriftCLIService.OpenSession(ThriftCLIService.java:208)
        at 
org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1313)
        at 
org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1298)
        at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
        at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
        at 
org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:55)
        at 
org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)
{noformat}

  was:
In SessionState.start [an instance of the the HMSClient is 
created|https://github.com/apache/hive/blob/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java#L367].
 When impersonation is enabled, this call does not occur within a "doas" call 
and thus the HMSClient is created as the server user, not the impersonated user.

Thus calls to the HMS are made by the "hive" user as opposed to the end user. 
This causes file ownership such as a database directory owner to be incorrect.


> SessionState creates HMS Client while not impersonating
> -------------------------------------------------------
>
>                 Key: HIVE-7890
>                 URL: https://issues.apache.org/jira/browse/HIVE-7890
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Brock Noland
>            Assignee: Brock Noland
>         Attachments: HIVE-7890.2.patch
>
>
> In SessionState.start [an instance of the the HMSClient is 
> created|https://github.com/apache/hive/blob/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java#L367].
>  When impersonation is enabled, this call does not occur within a "doas" call 
> and thus the HMSClient is created as the server user, not the impersonated 
> user.
> Thus calls to the HMS are made by the "hive" user as opposed to the end user. 
> This causes file ownership such as a database directory owner to be 
> incorrect. While debugging this, I got stack trace below. As you can see we 
> are calling getMSC without a doas.
> {noformat}
>       at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:2474)
>       at 
> org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:367)
>       at 
> org.apache.hive.service.cli.session.HiveSessionImpl.<init>(HiveSessionImpl.java:121)
>       at 
> org.apache.hive.service.cli.session.HiveSessionImplwithUGI.<init>(HiveSessionImplwithUGI.java:49)
>       at 
> org.apache.hive.service.cli.session.SessionManager.openSession(SessionManager.java:130)
>       at 
> org.apache.hive.service.cli.CLIService.openSessionWithImpersonation(CLIService.java:163)
>       at 
> org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(ThriftCLIService.java:290)
>       at 
> org.apache.hive.service.cli.thrift.ThriftCLIService.OpenSession(ThriftCLIService.java:208)
>       at 
> org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1313)
>       at 
> org.apache.hive.service.cli.thrift.TCLIService$Processor$OpenSession.getResult(TCLIService.java:1298)
>       at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>       at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>       at 
> org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:55)
>       at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>       at java.lang.Thread.run(Thread.java:744)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to