Posted to dev@hive.apache.org by "Vaibhav Gumashta (JIRA)" <ji...@apache.org> on 2014/04/08 09:02:15 UTC
[jira] [Updated] (HIVE-6857) Consolidate HiveServer2 threadlocals
[ https://issues.apache.org/jira/browse/HIVE-6857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vaibhav Gumashta updated HIVE-6857:
-----------------------------------
Description:
Excerpt from HIVE-6837. Issues:
1. SessionManager#openSession:
{code}
public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
    Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
    throws HiveSQLException {
  HiveSession session;
  if (withImpersonation) {
    HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
    session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
    hiveSessionUgi.setProxySession(session);
  } else {
    session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
        TSetIpAddressProcessor.getUserIpAddress());
  }
  session.setSessionManager(this);
  session.setOperationManager(operationManager);
  session.open();
  handleToSession.put(session.getSessionHandle(), session);
  try {
    executeSessionHooks(session);
  } catch (Exception e) {
    throw new HiveSQLException("Failed to execute session hooks", e);
  }
  return session.getSessionHandle();
}
{code}
Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address, which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.
4. Consolidate thread locals used for username and IP address.
5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161
was: Check the discussion here: HIVE-6837
> Consolidate HiveServer2 threadlocals
> ------------------------------------
>
> Key: HIVE-6857
> URL: https://issues.apache.org/jira/browse/HIVE-6857
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2
> Reporter: Vaibhav Gumashta
> Assignee: Vaibhav Gumashta
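The failure mode behind issues 1 and 4, as an added example that is not Hive code and not part of the original message: when each transport keeps the peer IP in its own thread-local, a session opened on the Kerberos path but reading the plain-SASL thread-local gets a null client address, while a single per-thread context avoids the mismatch. All class, field and method names here are hypothetical stand-ins, the address and user are constructed sample values, and the record syntax needs Java 16 or later.

```java
import java.util.function.Supplier;

public class ConnectionContextDemo {
    // Hypothetical stand-ins: each transport's processor keeps the peer IP in its own thread-local.
    static final ThreadLocal<String> PLAIN_SASL_IP = new ThreadLocal<>();
    static final ThreadLocal<String> KERBEROS_IP = new ThreadLocal<>();

    // Consolidated holder (hypothetical): one thread-local for user and IP, whatever the transport.
    record ConnectionContext(String user, String ip) {
        private static final ThreadLocal<ConnectionContext> CURRENT = new ThreadLocal<>();

        static ConnectionContext current() { return CURRENT.get(); }

        // Runs one request with the context set, then always clears it so a pooled
        // worker thread cannot carry it into the next connection it serves.
        static <T> T runWith(ConnectionContext ctx, Supplier<T> request) {
            CURRENT.set(ctx);
            try {
                return request.get();
            } finally {
                CURRENT.remove();
            }
        }
    }

    // Same pattern as the excerpt: session creation reads the plain-SASL thread-local directly.
    static String openSessionScattered(String user) {
        return user + "@" + PLAIN_SASL_IP.get();
    }

    // Reads the single context and refuses to create a session without a client address.
    static String openSessionConsolidated() {
        ConnectionContext ctx = ConnectionContext.current();
        if (ctx == null || ctx.ip() == null) {
            throw new IllegalStateException("no connection context on this thread");
        }
        return ctx.user() + "@" + ctx.ip();
    }

    public static void main(String[] args) {
        // Constructed sample: a Kerberos-authenticated call from 192.0.2.10 by user alice.
        KERBEROS_IP.set("192.0.2.10"); // only the Kerberos path populated its thread-local
        System.out.println("scattered:    " + openSessionScattered("alice"));
        KERBEROS_IP.remove();
        ConnectionContext ctx = new ConnectionContext("alice", "192.0.2.10");
        System.out.println("consolidated: "
            + ConnectionContext.runWith(ctx, ConnectionContextDemo::openSessionConsolidated));
    }
}
```

Calling openSessionConsolidated() outside runWith throws instead of silently recording a session with no client address.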