[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15261179#comment-15261179 ]

Sergey Shelukhin edited comment on HIVE-13446 at 4/27/16 11:24 PM:
-------------------------------------------------------------------

{noformat}
    Is the LLAP_VALIDATE_ACLS property really needed? Why not always have this 
enabled?
{noformat}
In case it breaks for someone for a reason we cannot foresee. This setting will 
also be used to enforce checking ZK acls.
{noformat}
    Changing the default for "hive.llap.management.acl" to " " instead of "*" 
seems to be a simpler approach. Afaik, the logged in user will still be allowed 
access. The default would allow only the logged in user (assuming that works). 
Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if 
they want to grant access to additional users.
{noformat}
I am not sure if this is going to work. We'd need to return the client 
principal key from KerberosInfo; even then, the verification is done like so:
{noformat}
[String ]clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
...
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
... reject
{noformat}
It appears to require kinit with the host name from client. [~jingzhao] can you 
comment on this? Does IPC allow the current user to access the service, even if 
they logged in with keytab as u...@blah.com, not user/a...@blah.com? If I 
understand the code in ServiceAuthorizationManager correctly, it doesn't appear 
to.


{noformat}
    hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an 
internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any 
project outside of Hadoop is supposed to use this in a reliable manner. Maybe 
define the man acl configuration as a string and add the blocked to it - to 
prevent strange naming problems mentioned in the code.
{noformat}
Hmm. How would adding the same thing to it be safer? 
This way to build the thing is essentially public since everyone has to use it 
to configure their services. This setting just adds it to HiveConf. If the name 
changes, we'd have to change the config name like everyone else; for us, the 
default will also break, but I think this is not a big deal (and is unavoidable).



> LLAP: set default management protocol acls to deny all
> ------------------------------------------------------
>
>                 Key: HIVE-13446
>                 URL: https://issues.apache.org/jira/browse/HIVE-13446
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13446.patch
>
>
> The user needs to set the acls.
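
The rejection condition quoted in the comment above, as a simplified stand-alone model (an added example, not Hadoop's or Hive's code). The class and method names are hypothetical, the principals and host name are constructed sample values, and the `_HOST` expansion and the "users groups" ACL string format are modelled here as assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

// Simplified model for illustration; this is not Hadoop's ServiceAuthorizationManager.
public class AclDecisionModel {

    // ACL string format "users groups" (comma-separated); "*" matches everyone, " " matches no one.
    static boolean matches(String acl, String shortUser, Set<String> groups) {
        if (acl.trim().equals("*")) return true;
        String[] parts = acl.split(" ", 2);
        if (Arrays.asList(parts[0].split(",")).contains(shortUser)) return true;
        if (parts.length == 2) {
            for (String g : parts[1].trim().split(",")) {
                if (groups.contains(g)) return true;
            }
        }
        return false;
    }

    // Mirrors the quoted condition: principal mismatch, not in the allow list, or in the blocked list => reject.
    static boolean authorize(String configuredClientPrincipal, String clientHost, String user,
                             Set<String> groups, String allowAcl, String blockedAcl) {
        if (configuredClientPrincipal != null) {
            // Assumption: "_HOST" in the configured principal expands to the client's host name.
            String expected = configuredClientPrincipal.replace("_HOST", clientHost.toLowerCase());
            if (!expected.equals(user)) return false;
        }
        String shortUser = user.split("[/@]")[0];
        return matches(allowAcl, shortUser, groups) && !matches(blockedAcl, shortUser, groups);
    }

    public static void main(String[] args) {
        Set<String> groups = Collections.singleton("hadoop");   // constructed sample values
        String host = "node1.example.com";
        String plain = "hive@EXAMPLE.COM";
        String withHost = "hive/node1.example.com@EXAMPLE.COM";
        String cfg = "hive/_HOST@EXAMPLE.COM";                   // configured client principal

        // No client principal configured: the decision rests on the allow and blocked lists alone.
        System.out.println("allow=*            : " + authorize(null, host, plain, groups, "*", ""));
        System.out.println("allow=' '          : " + authorize(null, host, plain, groups, " ", ""));
        System.out.println("allow=hive         : " + authorize(null, host, plain, groups, "hive", ""));
        System.out.println("allow=*, block=hive: " + authorize(null, host, plain, groups, "*", "hive"));
        // Client principal configured with _HOST: the login name must equal the expanded principal.
        System.out.println("cfg, plain login   : " + authorize(cfg, host, plain, groups, "*", ""));
        System.out.println("cfg, host login    : " + authorize(cfg, host, withHost, groups, "*", ""));
    }
}
```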


