Posted to dev@hive.apache.org by Thejas Nair <th...@hortonworks.com> on 2014/04/22 23:32:41 UTC

Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
-----------------------------------------------------------

Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Bugs: HIVE-6957
    https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
-------

In HiveServer2, when Kerberos auth and binary transport modes are used, the user name that gets passed on to authorization is the long Kerberos username.
The usernames that are used in grant/revoke statements tend to be the short usernames.
This also fails in authorizing statements that involve a URI, as the authorization mode checks the file system permissions for the given user. It does not recognize that the given long username actually owns the file or belongs to the group that owns the file.


Diffs
-----

  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuth.java PRE-CREATION 
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de 

Diff: https://reviews.apache.org/r/20578/diff/


Testing
-------

Unit test included.


Thanks,

Thejas Nair
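
An added illustration of the mismatch described in the request above (not code from the patch or from Hive): a grant recorded under a short username does not match the long Kerberos principal until the principal is reduced to its short form. The realm `EXAMPLE.COM`, the user `alice`, the grant table and the `shortName` helper are assumptions made for the example; the mapping is a simplified stand-in for Kerberos principal-to-local-name rules, not Hadoop's implementation.

```java
import java.util.Map;
import java.util.Set;

public class ShortNameAuthzDemo {
    static final String DEFAULT_REALM = "EXAMPLE.COM";   // assumed realm
    // Constructed grant table keyed by short username, the form the
    // description says GRANT/REVOKE statements tend to use.
    static final Map<String, Set<String>> GRANTS = Map.of("alice", Set.of("SELECT"));

    // Simplified stand-in for principal-to-local-name mapping:
    // primary[/instance]@REALM -> primary, for the default realm only.
    static String shortName(String principal) {
        int at = principal.lastIndexOf('@');
        if (at < 0) {
            return principal;                             // already short
        }
        String realm = principal.substring(at + 1);
        if (!realm.equals(DEFAULT_REALM)) {
            // Refuse rather than strip: a principal from another realm must
            // not collapse onto a local user with the same primary.
            throw new IllegalArgumentException("no mapping for realm " + realm);
        }
        String name = principal.substring(0, at);
        int slash = name.indexOf('/');
        String primary = slash < 0 ? name : name.substring(0, slash);
        if (primary.isEmpty()) {
            throw new IllegalArgumentException("empty primary in " + principal);
        }
        return primary;
    }

    static boolean isAuthorized(String user, String privilege) {
        return GRANTS.getOrDefault(user, Set.of()).contains(privilege);
    }

    public static void main(String[] args) {
        String authenticated = "alice@EXAMPLE.COM";       // constructed principal
        // Long name passed straight to authorization: no grant matches.
        System.out.println("long:  " + isAuthorized(authenticated, "SELECT"));
        // Short name derived first: the grant to "alice" applies.
        System.out.println("short: " + isAuthorized(shortName(authenticated), "SELECT"));
        try {
            shortName("alice@OTHER.EXAMPLE");             // foreign realm
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```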


Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

Posted by Vaibhav Gumashta <vg...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/#review41224
-----------------------------------------------------------



itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuth.java
<https://reviews.apache.org/r/20578/#comment74663>

    Should we add another test when HiveServer2 is running in http mode (since username is set in a different way in binary/http mode)?



shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
<https://reviews.apache.org/r/20578/#comment74659>

    I was thinking we should start adding more docs to the code in general to explain the intent. For example, we can add a little note here.  



shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
<https://reviews.apache.org/r/20578/#comment74660>

    Similar to above comment, we can add a note here to call out the intent.



shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
<https://reviews.apache.org/r/20578/#comment74661>

    Should we log the short username at debug level?


- Vaibhav Gumashta




Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
-----------------------------------------------------------

(Updated April 25, 2014, 12:36 a.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
-------

HIVE-6957.4.patch - rename the abstract base test class to *Test.java


Bugs: HIVE-6957
    https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
-------

In HiveServer2, when Kerberos auth and binary transport modes are used, the user name that gets passed on to authorization is the long Kerberos username.
The usernames that are used in grant/revoke statements tend to be the short usernames.
This also fails in authorizing statements that involve a URI, as the authorization mode checks the file system permissions for the given user. It does not recognize that the given long username actually owns the file or belongs to the group that owns the file.


Diffs (updated)
-----

  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuthTest.java PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION 
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde 
  itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97 
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de 

Diff: https://reviews.apache.org/r/20578/diff/


Testing
-------

Unit test included.


Thanks,

Thejas Nair


Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

Posted by Vaibhav Gumashta <vg...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/#review41424
-----------------------------------------------------------

Ship it!


Ship It!

- Vaibhav Gumashta


On April 24, 2014, 11:21 p.m., Thejas Nair wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/20578/
> -----------------------------------------------------------
> 
> (Updated April 24, 2014, 11:21 p.m.)
> 
> 
> Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.
> 
> 
> Bugs: HIVE-6957
>     https://issues.apache.org/jira/browse/HIVE-6957
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> In HiveServer2, when Kerberos auth and binary transport modes are used, the user name that gets passed on to authorization is the long Kerberos username.
> The usernames that are used in grant/revoke statements tend to be the short usernames.
> This also fails in authorizing statements that involve a URI, as the authorization mode checks the file system permissions for the given user. It does not recognize that the given long username actually owns the file or belongs to the group that owns the file.
> 
> 
> Diffs
> -----
> 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java PRE-CREATION 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION 
>   itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde 
>   itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97 
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de 
> 
> Diff: https://reviews.apache.org/r/20578/diff/
> 
> 
> Testing
> -------
> 
> Unit test included.
> 
> 
> Thanks,
> 
> Thejas Nair
> 
>


Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
-----------------------------------------------------------

(Updated April 24, 2014, 11:21 p.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
-------

3.patch - fixing TestSSL failures because of change in MiniHS2


Bugs: HIVE-6957
    https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
-------

In HiveServer2, when Kerberos auth and binary transport modes are used, the user name that gets passed on to authorization is the long Kerberos username.
The usernames that are used in grant/revoke statements tend to be the short usernames.
This also fails in authorizing statements that involve a URI, as the authorization mode checks the file system permissions for the given user. It does not recognize that the given long username actually owns the file or belongs to the group that owns the file.


Diffs (updated)
-----

  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION 
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde 
  itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97 
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de 

Diff: https://reviews.apache.org/r/20578/diff/


Testing
-------

Unit test included.


Thanks,

Thejas Nair


Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
-----------------------------------------------------------

(Updated April 24, 2014, 10:19 p.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
-------

adding http mode test, debug log


Bugs: HIVE-6957
    https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
-------

In HiveServer2, when Kerberos auth and binary transport modes are used, the user name that gets passed on to authorization is the long Kerberos username.
The usernames that are used in grant/revoke statements tend to be the short usernames.
This also fails in authorizing statements that involve a URI, as the authorization mode checks the file system permissions for the given user. It does not recognize that the given long username actually owns the file or belongs to the group that owns the file.


Diffs (updated)
-----

  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION 
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION 
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde 
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de 

Diff: https://reviews.apache.org/r/20578/diff/


Testing
-------

Unit test included.


Thanks,

Thejas Nair