Posted to dev@hive.apache.org by "Sushanth Sowmyan (JIRA)" <ji...@apache.org> on 2013/10/15 04:36:41 UTC

[jira] [Commented] (HIVE-5542) Webhcat is failing to run ddl command on a secure cluster

    [ https://issues.apache.org/jira/browse/HIVE-5542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13794807#comment-13794807 ] 

Sushanth Sowmyan commented on HIVE-5542:
----------------------------------------


The issue here is this:
a) templeton runs as user hcat
b) templeton runs hcat command line as user hcat
c) It sets appropriate delegation tokens so that hdfs and hive metastore recognize the command as being run as user hrt_qa, but the current unix user for the hcat commandline is user hcat.
d) SBAP uses the hive default authentication provider, which recognizes that the user is hcat.
e) The old HdfsAuthorizationProvider did not use the provided authentication provider, and instead special-cased how it did authentication by instantiating its own ugi. In addition, it would create a proxy user ugi if a setting proxy.user.name was set, and that's how it used to authorize whether or not "hrt_qa" would perform an action, as opposed to authorizing if "hcat" was allowed to do so.

So, we need to create a new ProxyUserAuthenticator which can mock authenticate as a particular user that it's asked to authenticate as, and fall back to default authentication if not. This can be used as an authenticator for servers such as webhcat which have alternate means of figuring out who the user is, and telling the hcat command line who they are running as.

A further issue crops up if we make the aforesaid change, and that is that HCatCli instantiates a SessionState, and therefore an AuthorizationProvider and an AuthenticationProvider, before it processes its -D parameters, which is what is used to provide overrides such as the proxy.user.name that webhcat provides. The reason this worked with HdfsAuthorizationProvider before was that it instantiated a ugi depending on whether or not that conf parameter was set at runtime, for every single authorization call.

So, we need to change the initialization order in the hcat commandline, to make sure the -D parameters are processed before we instantiate SessionState as well.

> Webhcat is failing to run ddl command on a secure cluster
> ---------------------------------------------------------
>
>                 Key: HIVE-5542
>                 URL: https://issues.apache.org/jira/browse/HIVE-5542
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication, WebHCat
>    Affects Versions: 0.12.0
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>
> When switching client-side authorization from the now deprecated HdfsAuthorizationProvider to SBAP, we noticed an issue while testing. Basically, if, say webhcat were running as user "hcat" on a secure cluster, and we run the following:
> {noformat}
> $ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa
> $ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a
> {noformat}
> {noformat}
> {"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
> 	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375)
> 	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273)
> 	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135)
> 	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139)
> 	at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93)
> 	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105)
> 	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63)
> 	at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83)
> 	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243)
> 	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444)
> 	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)
> 	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977)
> 	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888)
> 	at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43)
> 	at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251)
> 	at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205)
> 	at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
> Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
> 	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351)
> 	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308)
> 	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270)
> 	... 20 more
> ","error":"FAILED: AuthorizationException java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"}
> {noformat}



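The authenticator the comment calls for, as an added illustrative sketch (not the patch attached to HIVE-5542 and not Hive's own class): it reports the user named by `proxy.user.name` when that property is set, and otherwise defers to `HadoopDefaultAuthenticator`, so SBAP sees "hrt_qa" rather than the Unix user "hcat" the CLI runs as. Assumptions: the `userName`, `groupNames` and `conf` fields of `HadoopDefaultAuthenticator` are accessible to a subclass, and the `-D` override may arrive either as a system property or as a key in the `Configuration`.

```java
// Added sketch, not Hive's code: an authenticator that honours a configured
// proxy user and falls back to the Hadoop default behaviour otherwise.
package org.apache.hadoop.hive.ql.security;

import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserAuthenticatorSketch extends HadoopDefaultAuthenticator {

  // Property name from the comment above; webhcat passes it as -Dproxy.user.name.
  private static final String PROXY_USER_NAME = "proxy.user.name";

  @Override
  public void setConf(Configuration conf) {
    // A -D on the hcat command line lands in system properties; also accept
    // the same key from the HiveConf (assumption: either may carry it).
    String proxyUser = System.getProperty(PROXY_USER_NAME);
    if (proxyUser == null) {
      proxyUser = conf.get(PROXY_USER_NAME);
    }
    if (proxyUser == null || proxyUser.isEmpty()) {
      // Nobody asked us to act as someone else: behave exactly like the
      // default authenticator and report the Unix user the CLI runs as.
      super.setConf(conf);
      return;
    }
    this.conf = conf;
    // createRemoteUser builds a credential-less UGI for the named user. SBAP
    // only needs the name and groups to check HDFS permissions; the actual
    // HDFS and metastore access is covered by the delegation tokens that
    // webhcat already obtained for that user.
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(proxyUser);
    this.userName = ugi.getUserName();
    this.groupNames = Arrays.asList(ugi.getGroupNames());
  }
}
```

Such a class would be selected through `hive.security.authenticator.manager`, and it only has an effect if the hcat CLI applies its `-D` overrides before `SessionState` builds the authenticator, which is the ordering change the comment describes. The design rests on the launching process being trusted: webhcat has already authenticated the caller (the SPNEGO `curl --negotiate` in the report) before it sets `proxy.user.name`, so the property is a channel for that verified identity, not something an arbitrary CLI invoker should be able to set.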