[
https://issues.apache.org/jira/browse/HIVE-21033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Szehon Ho updated HIVE-21033:
-----------------------------
Description:
We had a custom client that did not handle closing the operations, until the
end of the session. it is a mistake in the client, but it reveals kind of a
vulnerability in HiveServer2
This happens if you have a session with (1) HiveCommandOperation and (2)
SQLOperation and don't close them right after. For example a session that does
the operations (set a=b; select * from foobar; ).
When SQLOperation runs , it set SessionState.out and err to be System.out and
System.err . Ref:
[SQLOperation#setupSessionIO|https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/cli/operation/SQLOperation.java#L139]
Then the client closes the session, or disconnects which triggers
closeSession() on the Thrift side. In this case, the closeSession closes all
the operations, starting with HiveCommandOperation. This one closes all the
streams, which is System.out and System.err as set by SQLOperation earlier.
Ref:
[HiveCommandOperation#tearDownSessionIO|https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/service/src/java/org/apache/hive/service/cli/operation/HiveCommandOperation.java#L101]
After this, no more HiveServer2 output appears as System.out and System.err are
closed.
was:
We had a custom client that did not handle closing the operations, until the
end of the session. it is a mistake in the client, but it reveals kind of a
vulnerability in HiveServer2
This happens if you have a session with (1) HiveCommandOperation and (2)
SQLOperation and don't close them right after. For example a session that does
the operations (set a=b; select * from foobar; ).
When SQLOperation runs , it set SessionState.out and err to be System.out and
System.err . Ref:
[SQLOperation#setupSessionIO|https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/cli/operation/SQLOperation.java#L139]
Then the client closes the session, or disconnects. In this case, the Session
closes all the operations, starting with HiveCommandOperation. This one closes
all the streams, which is System.out and System.err as set by SQLOperation
earlier. Ref:
[HiveCommandOperation#tearDownSessionIO|https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/service/src/java/org/apache/hive/service/cli/operation/HiveCommandOperation.java#L101]
After this, no more HiveServer2 output appears as System.out and System.err are
closed.
> Forgetting to close operation cuts off any more HiveServer2 output
> ------------------------------------------------------------------
>
> Key: HIVE-21033
> URL: https://issues.apache.org/jira/browse/HIVE-21033
> Project: Hive
> Issue Type: Bug
> Reporter: Szehon Ho
> Priority: Major
>
> We had a custom client that did not handle closing the operations, until the
> end of the session. it is a mistake in the client, but it reveals kind of a
> vulnerability in HiveServer2
> This happens if you have a session with (1) HiveCommandOperation and (2)
> SQLOperation and don't close them right after. For example a session that
> does the operations (set a=b; select * from foobar; ).
> When SQLOperation runs , it set SessionState.out and err to be System.out and
> System.err . Ref:
> [SQLOperation#setupSessionIO|https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/cli/operation/SQLOperation.java#L139]
> Then the client closes the session, or disconnects which triggers
> closeSession() on the Thrift side. In this case, the closeSession closes all
> the operations, starting with HiveCommandOperation. This one closes all the
> streams, which is System.out and System.err as set by SQLOperation earlier.
> Ref:
> [HiveCommandOperation#tearDownSessionIO|https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/service/src/java/org/apache/hive/service/cli/operation/HiveCommandOperation.java#L101]
>
> After this, no more HiveServer2 output appears as System.out and System.err
> are closed.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
