You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Vaibhav Gumashta (JIRA)" <ji...@apache.org> on 2014/10/10 00:03:34 UTC

[jira] [Updated] (HIVE-6857) Refactor HiveServer2 TSetIpAddressProcessor

     [ https://issues.apache.org/jira/browse/HIVE-6857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vaibhav Gumashta updated HIVE-6857:
-----------------------------------
    Fix Version/s: 0.15.0

> Refactor HiveServer2 TSetIpAddressProcessor
> -------------------------------------------
>
>                 Key: HIVE-6857
>                 URL: https://issues.apache.org/jira/browse/HIVE-6857
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Vaibhav Gumashta
>            Assignee: Vaibhav Gumashta
>             Fix For: 0.15.0
>
>
> Excerpt from HIVE-6837 and related issues:
> 1. SessionManager#openSession:
> {code}
> public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
>       Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
>           throws HiveSQLException {
>     HiveSession session;
>     if (withImpersonation) {
>       HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
>         hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
>       session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
>       hiveSessionUgi.setProxySession(session);
>     } else {
>       session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
>           TSetIpAddressProcessor.getUserIpAddress());
>     }
>     session.setSessionManager(this);
>     session.setOperationManager(operationManager);
>     session.open();
>     handleToSession.put(session.getSessionHandle(), session);
>     try {
>       executeSessionHooks(session);
>     } catch (Exception e) {
>       throw new HiveSQLException("Failed to execute session hooks", e);
>     }
>     return session.getSessionHandle();
>   }
> {code}
> Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
> 2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
> 3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.
> 4. Consolidate thread locals used for username, ipaddress
> 5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
> https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)