You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Sam An (JIRA)" <ji...@apache.org> on 2019/06/10 22:39:00 UTC

[jira] [Assigned] (HIVE-21856) SQLStdHiveAuthorizationValidator checkPrivileges should not check DFS when authorizing select calls on table

     [ https://issues.apache.org/jira/browse/HIVE-21856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam An reassigned HIVE-21856:
-----------------------------

    Assignee: Sam An

> SQLStdHiveAuthorizationValidator checkPrivileges should not check DFS when authorizing select calls on table
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-21856
>                 URL: https://issues.apache.org/jira/browse/HIVE-21856
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 4.0.0
>            Reporter: Sam An
>            Assignee: Sam An
>            Priority: Major
>
> I encountered strange problem in the master branch build. With the following hive-site.xml authorization related properties. 
> <property>
> <name>hive.server2.enable.doAs</name>
> <value>false</value>
> </property>
> <property>
> <name>hive.security.authorization.enabled</name>
> <value>true</value>
> </property>
> <property>
> <name>hive.security.authorization.manager</name>
> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
> </property>
>  
> I am seeing this backtrace. 
> 2019-06-10 10:08:53,964 INFO sqlstd.SQLAuthorizationUtils: Checking fs privileges of user hive for HdfsLocatedFileStatus\{path=hdfs://localhost:9000/tmp/hive/_resultscache_/results-1c53b375-a40a-44d2-9340-f08285cf80e0/8c0b4faf-0768-4534-a00f-6df4e2147f64; isDirectory=true; modification_time=1560186530192; access_time=0; owner=sam.an; group=supergroup; permission=rwxr-xr-x; isSymlink=false; hasAcl=false; isEncrypted=false; isErasureCoded=false} recursively 
> FAILED: HiveAuthzPluginException Error getting permissions for /tmp/hive/_resultscache_/results-1c53b375-a40a-44d2-9340-f08285cf80e0/8c0b4faf-0768-4534-a00f-6df4e2147f64: null
> 2019-06-10 10:08:54,650 ERROR ql.Driver: FAILED: HiveAuthzPluginException Error getting permissions for /tmp/hive/_resultscache_/results-1c53b375-a40a-44d2-9340-f08285cf80e0/8c0b4faf-0768-4534-a00f-6df4e2147f64: null
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Error getting permissions for /tmp/hive/_resultscache_/results-1c53b375-a40a-44d2-9340-f08285cf80e0/8c0b4faf-0768-4534-a00f-6df4e2147f64: null
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.getPrivilegesFromFS(SQLAuthorizationUtils.java:422)
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizationValidator.checkPrivileges(SQLStdHiveAuthorizationValidator.java:123)
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizationValidator.checkPrivileges(SQLStdHiveAuthorizationValidator.java:84)
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl.checkPrivileges(HiveAuthorizerImpl.java:86)
>  at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:1361)
>  at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:1125)
>  at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:718)
>  at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1912)
>  at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1859)
>  at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1854)
>  at org.apache.hadoop.hive.ql.reexec.ReExecDriver.compileAndRespond(ReExecDriver.java:126)
>  at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:204)
>  at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:269)
>  at org.apache.hive.service.cli.operation.Operation.run(Operation.java:268)
>  at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:576)
>  at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:561)
>  at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:315)
>  at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:568)
>  at org.apache.hive.service.rpc.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1557)
>  at org.apache.hive.service.rpc.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1542)
>  at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>  at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>  at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)
>  at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.reflect.UndeclaredThrowableException
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1700)
>  at org.apache.hadoop.hive.common.FileUtils.checkFileAccessWithImpersonation(FileUtils.java:411)
>  at org.apache.hadoop.hive.common.FileUtils.isActionPermittedForFileHierarchy(FileUtils.java:471)
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.getPrivilegesFromFS(SQLAuthorizationUtils.java:457)
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.addPrivilegesFromFS(SQLAuthorizationUtils.java:444)
>  at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.getPrivilegesFromFS(SQLAuthorizationUtils.java:417)
>  ... 26 more
> Caused by: java.lang.reflect.InvocationTargetException
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  at java.lang.reflect.Method.invoke(Method.java:498)
>  at org.apache.hadoop.hive.shims.Hadoop23Shims.checkFileAccess(Hadoop23Shims.java:950)
>  at org.apache.hadoop.hive.common.FileUtils$3.run(FileUtils.java:415)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at javax.security.auth.Subject.doAs(Subject.java:422)
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
>  ... 31 more
> Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: sam.an is not allowed to impersonate hive
>  at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1499)
>  at org.apache.hadoop.ipc.Client.call(Client.java:1445)
>  at org.apache.hadoop.ipc.Client.call(Client.java:1355)
>  at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228)
>  at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
>  at com.sun.proxy.$Proxy31.checkAccess(Unknown Source)
>  at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.checkAccess(ClientNamenodeProtocolTranslatorPB.java:1714)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  at java.lang.reflect.Method.invoke(Method.java:498)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359)
>  at com.sun.proxy.$Proxy32.checkAccess(Unknown Source)
>  at org.apache.hadoop.hdfs.DFSClient.checkAccess(DFSClient.java:2835)
>  at org.apache.hadoop.hdfs.DistributedFileSystem$64.doCall(DistributedFileSystem.java:2794)
>  at org.apache.hadoop.hdfs.DistributedFileSystem$64.doCall(DistributedFileSystem.java:2791)
>  at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
>  at org.apache.hadoop.hdfs.DistributedFileSystem.access(DistributedFileSystem.java:2804)
>  ... 40 more
>  
> I am not sure this is a genuine bug or it's a my hadoop set up incorrectly. Logging this ticket to track it to make sure. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)