You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Kevin Risden (JIRA)" <ji...@apache.org> on 2018/10/23 18:25:00 UTC

[jira] [Comment Edited] (HIVE-14898) HS2 shouldn't log callstack for an empty auth header error

    [ https://issues.apache.org/jira/browse/HIVE-14898?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16661093#comment-16661093 ] 

Kevin Risden edited comment on HIVE-14898 at 10/23/18 6:24 PM:
---------------------------------------------------------------

I think this is a bandaid for actually addressing the root cause. The way the code flows is that there is a try/catch for something that HS2 can short circuit a lot sooner. 

An example of this improvement in HBase from HBASE-19852:

[https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java#L94]

This could be done much earlier in the code flow here:

[https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java#L155]

 


was (Author: risdenk):
I think this is a bandaid for actually addressing the root cause. The way the code flows is that there is a try/catch for something that HS2 can short circuit a lot sooner. 

An example of this improvement in HBase:

[https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftHttpServlet.java#L94]

This could be done much earlier in the code flow here:

[https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java#L155]

 

> HS2 shouldn't log callstack for an empty auth header error
> ----------------------------------------------------------
>
>                 Key: HIVE-14898
>                 URL: https://issues.apache.org/jira/browse/HIVE-14898
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Daniel Dai
>            Priority: Major
>             Fix For: 4.0.0
>
>         Attachments: HIVE-14898.1.patch
>
>
> Currently when the auth header is not sent by the client (Knox seems to do this every time - it only adds auth header after receiving 401), HS2 logs the following twice, for two principals.
> The callstack is useless because this is an expected condition and 401 is returned to the client.
> {noformat}
> 2016-10-05 15:32:02,408 ERROR [HiveServer2-HttpHandler-Pool: Thread-199]: thrift.ThriftHttpServlet (ThriftHttpServlet.java:doKerberosAuth(169)) - Failed to authenticate with hive/_HOST kerberos principal
> 2016-10-05 15:32:02,408 ERROR [HiveServer2-HttpHandler-Pool: Thread-199]: thrift.ThriftHttpServlet (ThriftHttpServlet.java:doPost(104)) - Error: 
> org.apache.hive.service.auth.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:170)
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doPost(ThriftHttpServlet.java:83)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
> 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:565)
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)
> 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
> 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
> 	at org.eclipse.jetty.server.Server.handle(Server.java:349)
> 	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
> 	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
> 	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:952)
> 	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
> 	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
> 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
> 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.reflect.UndeclaredThrowableException
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1686)
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:167)
> 	... 23 more
> Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Authorization header received from the client is empty.
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet.getAuthHeader(ThriftHttpServlet.java:311)
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet.access$100(ThriftHttpServlet.java:59)
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:212)
> 	at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:175)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> 	... 24 more
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)