You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Dmytro Sen <ds...@hortonworks.com> on 2014/03/31 17:58:14 UTC
Review Request 19851: HiveServer2 default security configuration changes
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19851/
-----------------------------------------------------------
Review request for Ambari, Dmitro Lisnichenko and Sumit Mohanty.
Bugs: AMBARI-5289
https://issues.apache.org/jira/browse/AMBARI-5289
Repository: ambari
Description
-------
1.
For hive server2 startup commandline option, ambari should specify the following configuration values:
-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.
2.
Ambari has been specifying the config hive.metastore.uris="" . It would be better to stop specifying this. With changes in hive security, there is some overhead of using embedded metastore from hive-server2.
3.
There is a new config parameter "hive.users.in.admin.role" that is important to security. If user is specified as value of this config, that user has superuser privileges (meant for a user playing the DBA role).
This should be set in hive-site.xml (used by metastore server). If it's set a default admin for any other service we can do the same here.
Diffs
-----
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh fa90c2f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py e1ef61f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py 52ba5c5
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml 2d8a86d
ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py 57e6bb8
Diff: https://reviews.apache.org/r/19851/diff/
Testing
-------
Thanks,
Dmytro Sen
Re: Review Request 19851: HiveServer2 default security configuration changes
Posted by Dmytro Sen <ds...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19851/
-----------------------------------------------------------
(Updated April 6, 2014, 2:30 p.m.)
Review request for Ambari, Dmitro Lisnichenko and Sumit Mohanty.
Bugs: AMBARI-5289
https://issues.apache.org/jira/browse/AMBARI-5289
Repository: ambari
Description
-------
1.
For hive server2 startup commandline option, ambari should specify the following configuration values:
-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.
2.
Ambari has been specifying the config hive.metastore.uris="" . It would be better to stop specifying this. With changes in hive security, there is some overhead of using embedded metastore from hive-server2.
3.
There is a new config parameter "hive.users.in.admin.role" that is important to security. If user is specified as value of this config, that user has superuser privileges (meant for a user playing the DBA role).
This should be set in hive-site.xml (used by metastore server). If it's set a default admin for any other service we can do the same here.
Diffs (updated)
-----
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh fa90c2f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py 0990530
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py 520343b
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml e28a4f2
ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py 503418b
Diff: https://reviews.apache.org/r/19851/diff/
Testing
-------
OK
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Ambari Main ....................................... SUCCESS [0.068s]
[INFO] Apache Ambari Project POM ......................... SUCCESS [0.029s]
[INFO] Ambari Web ........................................ SUCCESS [8.621s]
[INFO] Ambari Views ...................................... SUCCESS [1.792s]
[INFO] Ambari Server ..................................... SUCCESS [13:40.706s]
[INFO] Ambari Agent ...................................... SUCCESS [11.798s]
[INFO] Ambari Client ..................................... SUCCESS [0.544s]
Thanks,
Dmytro Sen
Re: Review Request 19851: HiveServer2 default security configuration changes
Posted by Dmitro Lisnichenko <dl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19851/#review39054
-----------------------------------------------------------
Generally looks good.
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2
<https://reviews.apache.org/r/19851/#comment71441>
How about integrating all commands into python script to get rid of additional shell script that is regenerated multiple times?
- Dmitro Lisnichenko
On March 31, 2014, 4 p.m., Dmytro Sen wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/19851/
> -----------------------------------------------------------
>
> (Updated March 31, 2014, 4 p.m.)
>
>
> Review request for Ambari, Dmitro Lisnichenko and Sumit Mohanty.
>
>
> Bugs: AMBARI-5289
> https://issues.apache.org/jira/browse/AMBARI-5289
>
>
> Repository: ambari
>
>
> Description
> -------
>
> 1.
> For hive server2 startup commandline option, ambari should specify the following configuration values:
> -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
> -hiveconf hive.security.authorization.enabled=true
> -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.
> 2.
> Ambari has been specifying the config hive.metastore.uris="" . It would be better to stop specifying this. With changes in hive security, there is some overhead of using embedded metastore from hive-server2.
> 3.
> There is a new config parameter "hive.users.in.admin.role" that is important to security. If user is specified as value of this config, that user has superuser privileges (meant for a user playing the DBA role).
> This should be set in hive-site.xml (used by metastore server). If it's set a default admin for any other service we can do the same here.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh fa90c2f
> ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py e1ef61f
> ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py 52ba5c5
> ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 PRE-CREATION
> ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml 2d8a86d
> ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py 57e6bb8
>
> Diff: https://reviews.apache.org/r/19851/diff/
>
>
> Testing
> -------
>
> OK
> [INFO] ------------------------------------------------------------------------
> [INFO] Reactor Summary:
> [INFO]
> [INFO] Ambari Main ....................................... SUCCESS [0.068s]
> [INFO] Apache Ambari Project POM ......................... SUCCESS [0.029s]
> [INFO] Ambari Web ........................................ SUCCESS [8.621s]
> [INFO] Ambari Views ...................................... SUCCESS [1.792s]
> [INFO] Ambari Server ..................................... SUCCESS [13:40.706s]
> [INFO] Ambari Agent ...................................... SUCCESS [11.798s]
> [INFO] Ambari Client ..................................... SUCCESS [0.544s]
>
>
> Thanks,
>
> Dmytro Sen
>
>
Re: Review Request 19851: HiveServer2 default security configuration changes
Posted by Dmytro Sen <ds...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19851/
-----------------------------------------------------------
(Updated March 31, 2014, 4 p.m.)
Review request for Ambari, Dmitro Lisnichenko and Sumit Mohanty.
Bugs: AMBARI-5289
https://issues.apache.org/jira/browse/AMBARI-5289
Repository: ambari
Description
-------
1.
For hive server2 startup commandline option, ambari should specify the following configuration values:
-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.
2.
Ambari has been specifying the config hive.metastore.uris="" . It would be better to stop specifying this. With changes in hive security, there is some overhead of using embedded metastore from hive-server2.
3.
There is a new config parameter "hive.users.in.admin.role" that is important to security. If user is specified as value of this config, that user has superuser privileges (meant for a user playing the DBA role).
This should be set in hive-site.xml (used by metastore server). If it's set a default admin for any other service we can do the same here.
Diffs
-----
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh fa90c2f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py e1ef61f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py 52ba5c5
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml 2d8a86d
ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py 57e6bb8
Diff: https://reviews.apache.org/r/19851/diff/
Testing
-------
OK
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Ambari Main ....................................... SUCCESS [0.068s]
[INFO] Apache Ambari Project POM ......................... SUCCESS [0.029s]
[INFO] Ambari Web ........................................ SUCCESS [8.621s]
[INFO] Ambari Views ...................................... SUCCESS [1.792s]
[INFO] Ambari Server ..................................... SUCCESS [13:40.706s]
[INFO] Ambari Agent ...................................... SUCCESS [11.798s]
[INFO] Ambari Client ..................................... SUCCESS [0.544s]
Thanks,
Dmytro Sen
Re: Review Request 19851: HiveServer2 default security configuration changes
Posted by Dmytro Sen <ds...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19851/
-----------------------------------------------------------
(Updated March 31, 2014, 3:59 p.m.)
Review request for Ambari, Dmitro Lisnichenko and Sumit Mohanty.
Bugs: AMBARI-5289
https://issues.apache.org/jira/browse/AMBARI-5289
Repository: ambari
Description
-------
1.
For hive server2 startup commandline option, ambari should specify the following configuration values:
-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.
2.
Ambari has been specifying the config hive.metastore.uris="" . It would be better to stop specifying this. With changes in hive security, there is some overhead of using embedded metastore from hive-server2.
3.
There is a new config parameter "hive.users.in.admin.role" that is important to security. If user is specified as value of this config, that user has superuser privileges (meant for a user playing the DBA role).
This should be set in hive-site.xml (used by metastore server). If it's set a default admin for any other service we can do the same here.
Diffs
-----
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh fa90c2f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py e1ef61f
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py 52ba5c5
ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2 PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml 2d8a86d
ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py 57e6bb8
Diff: https://reviews.apache.org/r/19851/diff/
Testing (updated)
-------
OK
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Ambari Main ....................................... SUCCESS [0.068s]
[INFO] Apache Ambari Project POM ......................... SUCCESS [0.029s]
[INFO] Ambari Web ........................................ SUCCESS [8.621s]
[INFO] Ambari Views ...................................... SUCCESS [1.792s]
[INFO] Ambari Server ..................................... SUCCESS [13:40.706s]
[INFO] Ambari Agent ...................................... SUCCESS [11.798s]
[INFO] Ambari Client ..................................... SUCCESS [0.544s]
Thanks,
Dmytro Sen