You are viewing a plain text version of this content. The canonical link for it is here.
Posted to gitbox@hive.apache.org by GitBox <gi...@apache.org> on 2021/02/10 07:02:12 UTC
[GitHub] [hive] guptanikhil007 opened a new pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
guptanikhil007 opened a new pull request #1964:
URL: https://github.com/apache/hive/pull/1964
<!--
Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines: https://cwiki.apache.org/confluence/display/Hive/HowToContribute
2. Ensure that you have created an issue on the Hive project JIRA: https://issues.apache.org/jira/projects/HIVE/summary
3. Ensure you have added or run the appropriate tests for your PR:
4. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP]HIVE-XXXXX: Your PR title ...'.
5. Be sure to keep the PR description updated to reflect all changes.
6. Please write your PR title to summarize what this PR proposes.
7. If possible, provide a concise example to reproduce the issue for a faster review.
-->
### What changes were proposed in this pull request?
<!--
Please clarify what changes you are proposing. The purpose of this section is to outline the changes and how this PR fixes the issue.
If possible, please consider writing useful notes for better and faster reviews in your PR. See the examples below.
1. If you refactor some codes with changing classes, showing the class hierarchy will help reviewers.
2. If you fix some SQL features, you can provide some references of other DBMSes.
3. If there is design documentation, please add the link.
4. If there is a discussion in the mailing list, please add the link.
-->
In this PR, it is proposed to add a check for the Authorization Flag and provide admin access to all users in case Authorization is disabled.
### Why are the changes needed?
<!--
Please clarify why the changes are needed. For instance,
1. If you propose a new API, clarify the use case for a new API.
2. If you fix a bug, you can clarify why it is a bug.
-->
It is required to check if authorization is enabled or not before accessing Authorizer in any part of the code.
### Does this PR introduce _any_ user-facing change?
<!--
Note that it means *any* user-facing change including all aspects such as the documentation fix.
If yes, please clarify the previous behavior and the change this PR proposes - provide the console output, description, screenshot and/or a reproducable example to show the behavior difference if possible.
If possible, please also clarify if this is a user-facing change compared to the released Hive versions or within the unreleased branches such as master.
If no, write 'No'.
-->
No
### How was this patch tested?
<!--
If tests were added, say they were added here. Please make sure to add some test cases that check the changes thoroughly including negative and positive cases if possible.
If it was tested in a way different from regular unit tests, please clarify how you tested step by step, ideally copy and paste-able, so that other reviewers can test and check, and descendants can verify in the future.
If tests were not added, please describe why they were not added and/or why it was difficult to add.
-->
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] guptanikhil007 commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
guptanikhil007 commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r580011042
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
Review comment:
done
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] ashish-kumar-sharma commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
ashish-kumar-sharma commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r577585597
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
Review comment:
space between if and (
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ // If authorization is disabled, hs2 process owner should have kill privileges
try {
- SessionState.get().getAuthorizerV2()
+ String currentUser = ss.getUserName();
+ String loginUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ return (currentUser != null) && currentUser.equals(loginUser);
Review comment:
if loginUser will never be null then use "return StringUtils.equals(currentUser, loginUser)". this will handle null values also.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] sankarh commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
sankarh commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r581125152
##########
File path: itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestKillQueryWithAuthorizationDisabled.java
##########
@@ -0,0 +1,250 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.ddl.process.kill.KillQueriesOperation;
+import org.apache.hadoop.hive.ql.exec.UDF;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.URL;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+public class TestKillQueryWithAuthorizationDisabled{
+
+ private static final Logger LOG = LoggerFactory.getLogger(TestKillQueryWithAuthorizationDisabled.class);
Review comment:
We follow 2 space tab for alignment.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] guptanikhil007 commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
guptanikhil007 commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r581208732
##########
File path: itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestKillQueryWithAuthorizationDisabled.java
##########
@@ -0,0 +1,250 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.ddl.process.kill.KillQueriesOperation;
+import org.apache.hadoop.hive.ql.exec.UDF;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.URL;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+public class TestKillQueryWithAuthorizationDisabled{
+
+ private static final Logger LOG = LoggerFactory.getLogger(TestKillQueryWithAuthorizationDisabled.class);
Review comment:
Fixed the Code Style as per dev-support/eclipse-styles.xml;
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] sankarh commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
sankarh commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r579374650
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ // If authorization is disabled, hs2 process owner should have kill privileges
try {
- SessionState.get().getAuthorizerV2()
+ String currentUser = ss.getUserName();
Review comment:
Can we try and add an unit test that hits this flow (if not already exist)?
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ // If authorization is disabled, hs2 process owner should have kill privileges
try {
- SessionState.get().getAuthorizerV2()
+ String currentUser = ss.getUserName();
Review comment:
Can we try and add a unit test that hits this flow (if not already exist)?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] guptanikhil007 commented on pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
guptanikhil007 commented on pull request #1964:
URL: https://github.com/apache/hive/pull/1964#issuecomment-781045969
@pvargacl, @szlta, @sankarh Can you please review this PR?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] sankarh commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
sankarh commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r582191155
##########
File path: itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestKillQueryWithAuthorizationDisabled.java
##########
@@ -0,0 +1,259 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.ddl.process.kill.KillQueriesOperation;
+import org.apache.hadoop.hive.ql.exec.UDF;
+import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.URL;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+public class TestKillQueryWithAuthorizationDisabled {
+ private static final Logger LOG = LoggerFactory.getLogger(TestKillQueryWithAuthorizationDisabled.class);
+
+ private static MiniHS2 miniHS2 = null;
+ private static final String tableName = "testKillQueryMinihs2Tbl";
+ private static final String testDbName = "testKillQueryMinihs2";
+ private static final String tag = "killTag";
+
+ private static class ExceptionHolder {
+ Throwable throwable;
+ }
+
+ static class FakeGroupAuthenticator extends SessionStateUserAuthenticator {
+ @Override public List<String> getGroupNames() {
Review comment:
nit: Annotations are usually kept in new lines.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] guptanikhil007 commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
guptanikhil007 commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r582155764
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ // If authorization is disabled, hs2 process owner should have kill privileges
try {
- SessionState.get().getAuthorizerV2()
+ String currentUser = ss.getUserName();
Review comment:
Added Tests
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] sankarh merged pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
sankarh merged pull request #1964:
URL: https://github.com/apache/hive/pull/1964
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
[GitHub] [hive] guptanikhil007 commented on a change in pull request #1964: [WIP]HIVE-24751: Add authorization flag check for KillQueryImpl
Posted by GitBox <gi...@apache.org>.
guptanikhil007 commented on a change in pull request #1964:
URL: https://github.com/apache/hive/pull/1964#discussion_r580008504
##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,9 +117,21 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
private static boolean isAdmin() {
boolean isAdmin = false;
- if (SessionState.get().getAuthorizerV2() != null) {
+ SessionState ss = SessionState.get();
+ if(!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ // If authorization is disabled, hs2 process owner should have kill privileges
try {
- SessionState.get().getAuthorizerV2()
+ String currentUser = ss.getUserName();
Review comment:
org.apache.hive.jdbc.TestJdbcWithMiniLlapArrow#testKillQueryByTagAdmin
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org