[ https://issues.apache.org/jira/browse/HIVE-8643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188714#comment-14188714 ]
Thejas M Nair commented on HIVE-8643:
-------------------------------------

[~ekoifman] I think we should make this change in ShimLoader.getHadoopShims().getUGIForConf(conf).
As you had pointed out to me (offline), we have had to fix this issue earlier in another place - HIVE-5542.
If we make this change in ShimLoader.getHadoopShims().getUGIForConf(conf), we can eventually get rid of ProxyUserAuthenticator.

> DDL operations via WebHCat with doAs parameter in secure cluster fail
> ---------------------------------------------------------------------
>
>                 Key: HIVE-8643
>                 URL: https://issues.apache.org/jira/browse/HIVE-8643
>             Project: Hive
>          Issue Type: Bug
>          Components: WebHCat
>    Affects Versions: 0.14.0
>            Reporter: Eugene Koifman
>            Assignee: Eugene Koifman
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: HIVE-8643.patch
>
>
> webhcat handles DDL command by forking to 'hcat', i.e. HCatCli
> This starts a session.
> SessionState.start() creates scratch dir based on current user name
> via startSs.createSessionDirs(sessionUGI.getShortUserName());
> This UGI is not aware of doAs param, so the name of the dir always ends up
> 'hcat', but because a delegation token is generated in WebHCat for HDFS
> access, the owner of the scratch dir is the calling user. Thus next time a
> session is started (because of a new DDL call from different user), it ends
> up trying to use the same scratch dir but cannot as it has 700 permission set.
> We need to pass in doAs user into SessionState

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
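The name/owner mismatch described in the quoted report, as an added example that is not part of the original message and is not Hive or HDFS code: a small in-memory model in which the scratch dir is named after the process user while it is owned by the doAs caller. The scratch root `/tmp/hive`, the callers `alice` and `bob`, and every function name below are assumptions made for the illustration.

```python
from dataclasses import dataclass

SCRATCH_ROOT = "/tmp/hive"  # assumed scratch root, used by this model only


@dataclass
class Dir:
    owner: str
    mode: int  # POSIX permission bits, e.g. 0o700


class ModelFS:
    """Stand-in for HDFS: path -> Dir, with owner/other checks (groups not modelled)."""

    def __init__(self):
        self.dirs = {}

    def mkdir_or_use(self, path, acting_user, mode=0o700):
        existing = self.dirs.get(path)
        if existing is None:
            # The identity performing the HDFS call becomes the owner.
            self.dirs[path] = Dir(acting_user, mode)
        elif existing.owner != acting_user and (existing.mode & 0o007) != 0o007:
            raise PermissionError(f"{acting_user} denied on {path}")


def start_session(fs, process_user, do_as=None, honor_do_as=False):
    """Create or reuse the per-session scratch dir and return its path.

    process_user: user the forked CLI runs as ('hcat' in the report)
    do_as:        calling user from the doAs parameter
    honor_do_as:  False reproduces the report; True names the dir after the caller
    """
    acting_user = do_as or process_user  # delegation token: HDFS sees the caller
    name_user = acting_user if honor_do_as else process_user
    path = f"{SCRATCH_ROOT}/{name_user}"
    fs.mkdir_or_use(path, acting_user)
    return path


def run_calls(callers, honor_do_as):
    """Issue one DDL call per caller against a fresh model filesystem."""
    fs, results = ModelFS(), []
    for caller in callers:
        try:
            results.append((caller, start_session(fs, "hcat", caller, honor_do_as)))
        except PermissionError:
            results.append((caller, "DENIED"))
    return results


if __name__ == "__main__":
    print("dir named after process user:", run_calls(["alice", "bob"], False))
    print("dir named after doAs user:   ", run_calls(["alice", "bob"], True))
```

In the model, repeated calls by the first caller keep working, which is why a failure like this only shows up once a second user issues a DDL call.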