[ 
https://issues.apache.org/jira/browse/HIVE-8643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188736#comment-14188736
 ] 

Vaibhav Gumashta commented on HIVE-8643:
----------------------------------------

[~ekoifman] Did you try building the username from the delegation token? Was 
curious if it's even possible and provides better security than propagating 
username via the environment variable.

> DDL operations via WebHCat with doAs parameter in secure cluster fail
> ---------------------------------------------------------------------
>
>                 Key: HIVE-8643
>                 URL: https://issues.apache.org/jira/browse/HIVE-8643
>             Project: Hive
>          Issue Type: Bug
>          Components: WebHCat
>    Affects Versions: 0.14.0
>            Reporter: Eugene Koifman
>            Assignee: Eugene Koifman
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: HIVE-8643.patch
>
>
> webhcat handles DDL command by forking to 'hcat', i.e. HCatCli
> This starts a session.
> SessionState.start() creates scratch dir based on current user name
> via startSs.createSessionDirs(sessionUGI.getShortUserName());
> This UGI is not aware of doAs param, so the name of the dir always ends up 
> 'hcat', but because a delegation token is generated in WebHCat for HDFS 
> access, the owner of the scratch dir is the calling user.  Thus next time a 
> session is started (because of a new DDL call from different user), it ends 
> up trying to use the same scratch dir but cannot as it has 700 permission set.
> We need to pass in doAs user into SessionState



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
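
The scratch-directory collision described in the issue, as an added in-memory model; it is not part of the original message and is not Hive or WebHCat code. The path layout, the ModelFS class and the user names alice and bob are assumptions made for illustration.

```python
# Added illustration: a minimal in-memory model, not Hive or WebHCat code.
from dataclasses import dataclass, field

SERVICE_USER = "hcat"  # account the forked HCatCli process runs as


@dataclass
class Dir:
    owner: str
    mode: int


@dataclass
class ModelFS:
    """Tiny stand-in for HDFS (hypothetical): path -> owner and mode."""
    dirs: dict = field(default_factory=dict)

    def mkdir_if_absent(self, path, acting_user, mode=0o700):
        # With a delegation token, the filesystem sees the calling user,
        # so the first caller becomes the owner of a newly created dir.
        return self.dirs.setdefault(path, Dir(acting_user, mode))

    def can_use(self, path, acting_user):
        d = self.dirs[path]
        if d.owner == acting_user:
            return (d.mode & 0o700) == 0o700
        return (d.mode & 0o007) == 0o007  # "other" bits; groups not modelled


def start_session(fs, do_as_user, name_from_do_as):
    """Pick the scratch dir name, create it if needed, then try to use it."""
    dir_name = do_as_user if name_from_do_as else SERVICE_USER
    path = f"/tmp/hive/{dir_name}"  # constructed path, not Hive's real layout
    fs.mkdir_if_absent(path, acting_user=do_as_user)
    return path, fs.can_use(path, do_as_user)


def run(name_from_do_as):
    """Two DDL calls from different doAs users against one fresh filesystem."""
    fs = ModelFS()
    return [start_session(fs, u, name_from_do_as) for u in ("alice", "bob")]


if __name__ == "__main__":
    print("name from process user:", run(False))  # second caller is locked out
    print("name from doAs user:   ", run(True))   # one private dir per caller
```
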
