[ 
https://issues.apache.org/jira/browse/HIVE-27517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17794435#comment-17794435
 ] 

Ayush Saxena commented on HIVE-27517:
-------------------------------------

This is just a look & feel kind of issue: rather than an NPE, throw an 
IllegalArgumentException with the message. The execution doesn't succeed 
either way; it is just that with this it will fail with a better-looking exception.

Not a release blocker, reducing the priority.

cc. [~dkuzmenko] 

> SessionState is not correctly initialized when 
> hive.security.authorization.createtable.group.grants is set to automatically 
> grant privileges
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27517
>                 URL: https://issues.apache.org/jira/browse/HIVE-27517
>             Project: Hive
>          Issue Type: Bug
>            Reporter: ConfX
>            Priority: Critical
>              Labels: pull-request-available
>         Attachments: reproduce.sh
>
>
> h2. What happened:
> When {{hive.security.authorization.createtable.group.grants}} is set to some 
> value, the grant may not be successfully applied to the specified groups 
> due to incorrect {{SessionState}} initialization, and the system crashes.
> h2. Buggy code:
> When the {{getAuthenticator()}} method of the {{SessionState}} class is called, 
> it first executes {{setupAuth()}}, which sets up authentication and 
> authorization plugins for this session.
> {noformat}
> /**
>  * Setup authentication and authorization plugins for this session.
>  */
> private synchronized void setupAuth() {
>   ...
>   // create the create table grants with new config
>   createTableGrants = CreateTableAutomaticGrant.create(sessionConf);
>   ...
> }{noformat}
> During table grant creation, the {{sessionConf}} sets the group grant with 
> {{getGrantMap()}}. This method validates the privilege with the 
> {{getPrivilege}} method, and eventually the {{getPrivilegeFromRegistry}} 
> method is executed.
> {noformat}
> private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
>   return SessionState.get().isAuthorizationModeV2()
>       ? RegistryV2.get(ptype)
>       : Registry.get(ptype);
> }{noformat}
> However, {{SessionState.get()}} can be null because the state may not be 
> correctly initialized.
> In {{SessionState.java}}, the {{get()}} method returns 
> {{tss.get().state}}. If the current thread does not have SessionStates 
> initialized, then {{get()}} will try to create a new SessionStates by calling 
> {{initialValue()}} below. This calls the default constructor of the 
> {{SessionStates}} class, which does not initialize the {{SessionState}} field 
> and {{HiveConf}} field.
> {noformat}
> /**
>  * get the current session.
>  */
> public static SessionState get() {
>   return tss.get().state;
> }
>
> /**
>  * Singleton Session object per thread.
>  *
>  **/
> private static ThreadLocal<SessionStates> tss = new ThreadLocal<SessionStates>() {
>   @Override
>   protected SessionStates initialValue() {
>     return new SessionStates();
>   }
> };
>
> private static class SessionStates {
>   private SessionState state;
>   private HiveConf conf;
>
>   private void attach(SessionState state) {
>     this.state = state;
>     attach(state.getConf());
>   }
>
>   private void attach(HiveConf conf) {
>     this.conf = conf;
>     ClassLoader classLoader = conf.getClassLoader();
>     if (classLoader != null) {
>       Thread.currentThread().setContextClassLoader(classLoader);
>     }
>   }
> }{noformat}
> h2. How to reproduce:
> (1) Set {{hive.security.authorization.createtable.group.grants}} to some 
> value, e.g. {{abc,def:create;xlab,tyx:all;}}
> (2) Run test 
> {{org.apache.hadoop.hive.ql.parse.authorization.TestSessionUserName#testSessionGetGroupNames}}
> h2. StackTrace:
> {noformat}
> java.lang.NullPointerException
>         at org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilegeFromRegistry(PrivilegeRegistry.java:77)
>         at org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilege(PrivilegeRegistry.java:72)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.validatePrivilege(CreateTableAutomaticGrant.java:108)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantorInfoList(CreateTableAutomaticGrant.java:91)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantMap(CreateTableAutomaticGrant.java:73)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.create(CreateTableAutomaticGrant.java:47)
>         at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:996)
>         at org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1744)
> {noformat}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
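
Added example (not part of the Jira issue or the Hive code base): a minimal Java model of the thread-local holder described in the report, showing the unchecked dereference that produces the NPE beside a guarded lookup that fails with an IllegalArgumentException carrying a message, as the comment suggests. Session, Holder and the lookupPrivilege* methods are hypothetical stand-ins, and the returned strings are constructed placeholders for registry entries.

```java
// Added illustration: a stripped-down model of the pattern in the report.
// Session, Holder and lookupPrivilege* are hypothetical names, not Hive classes.
public class SessionHolderDemo {
    static final class Session {
        private final boolean authV2;
        Session(boolean authV2) { this.authV2 = authV2; }
        boolean isAuthorizationModeV2() { return authV2; }
    }

    // Mirrors SessionStates: the default constructor leaves 'state' null.
    static final class Holder { Session state; }

    private static final ThreadLocal<Holder> TSS = ThreadLocal.withInitial(Holder::new);

    static Session get() { return TSS.get().state; }       // null until attach()
    static void attach(Session s) { TSS.get().state = s; }

    // Same shape as getPrivilegeFromRegistry: dereferences get() unchecked.
    static String lookupPrivilegeUnchecked(String ptype) {
        return get().isAuthorizationModeV2() ? "v2:" + ptype : "v1:" + ptype;
    }

    // Guarded variant: still fails, but the exception names the cause.
    static String lookupPrivilegeChecked(String ptype) {
        Session s = get();
        if (s == null) {
            throw new IllegalArgumentException(
                "No session attached to thread " + Thread.currentThread().getName()
                + "; cannot resolve privilege '" + ptype + "'");
        }
        return s.isAuthorizationModeV2() ? "v2:" + ptype : "v1:" + ptype;
    }

    public static void main(String[] args) {
        try {
            lookupPrivilegeUnchecked("create");             // no session attached yet
        } catch (NullPointerException e) {
            System.out.println("unchecked: " + e.getClass().getSimpleName());
        }
        try {
            lookupPrivilegeChecked("create");
        } catch (IllegalArgumentException e) {
            System.out.println("checked:   " + e.getMessage());
        }
        attach(new Session(true));                          // normal path once attached
        System.out.println("attached:  " + lookupPrivilegeChecked("create"));
    }
}
```

Both variants refuse to resolve the privilege when no session is attached; only the diagnostic differs, which matches the comment's assessment that the change affects the error's appearance rather than the outcome.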
