You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Eugene Chung (Jira)" <ji...@apache.org> on 2020/04/24 10:24:00 UTC

[jira] [Updated] (HIVE-23296) Setting Tez caller ID with the Hive session user

     [ https://issues.apache.org/jira/browse/HIVE-23296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eugene Chung updated HIVE-23296:
--------------------------------
    Description: 
On the kerberized Hadoop environment, a submitter of an YARN job is the name part of the Hive server principal. A caller ID of the job is made of the OS user of the Hive server process.

The view and modify ACLs of the Hive server admin for all Tez tasks are set by org.apache.hadoop.hive.ql.exec.tez.TezTask#setAccessControlsForCurrentUser() so that the admin can see all tasks from tez-ui. But the admin hardly knows who executed each query.

I suggest to change the caller ID to include the actual Hive user. If the user is not known, the OS user of the Hive server process is included as is.

The attached picture shows that 'Caller ID' includes 'user1' which is the Kerberos user name of the actual Hive user.

!Screen Shot 2020-04-24 at 17.20.34.png|width=683,height=29!

  was:
On the kerberized Hadoop environment, a submitter of an YARN job is the name part of the Hive server principal. A caller ID of the job is made of the OS user of the Hive server process.

The view and modify ACLs of the Hive server admin for all Tez tasks are set by org.apache.hadoop.hive.ql.exec.tez.TezTask#setAccessControlsForCurrentUser() so that the admin can see all tasks from tez-ui. But the admin hardly knows who executed each query.

I suggest to change the caller ID to include the actual Hive user. If the user is not known, the OS user of the Hive server process is included as is.

!Screen Shot 2020-04-24 at 17.20.34.png|width=683,height=29!


> Setting Tez caller ID with the Hive session user
> ------------------------------------------------
>
>                 Key: HIVE-23296
>                 URL: https://issues.apache.org/jira/browse/HIVE-23296
>             Project: Hive
>          Issue Type: Improvement
>          Components: Tez
>            Reporter: Eugene Chung
>            Assignee: Eugene Chung
>            Priority: Major
>         Attachments: Screen Shot 2020-04-24 at 17.20.34.png
>
>
> On the kerberized Hadoop environment, a submitter of an YARN job is the name part of the Hive server principal. A caller ID of the job is made of the OS user of the Hive server process.
> The view and modify ACLs of the Hive server admin for all Tez tasks are set by org.apache.hadoop.hive.ql.exec.tez.TezTask#setAccessControlsForCurrentUser() so that the admin can see all tasks from tez-ui. But the admin hardly knows who executed each query.
> I suggest to change the caller ID to include the actual Hive user. If the user is not known, the OS user of the Hive server process is included as is.
> The attached picture shows that 'Caller ID' includes 'user1' which is the Kerberos user name of the actual Hive user.
> !Screen Shot 2020-04-24 at 17.20.34.png|width=683,height=29!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)