You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Vaibhav Gumashta (JIRA)" <ji...@apache.org> on 2014/04/08 09:02:15 UTC

[jira] [Updated] (HIVE-6857) Consolidate HiveServer2 threadlocals

     [ https://issues.apache.org/jira/browse/HIVE-6857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vaibhav Gumashta updated HIVE-6857:
-----------------------------------

    Description: 
Excerpt HIVE-6837. Issues:
1. SessionManager#openSession:
{code}
public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
      Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
          throws HiveSQLException {
    HiveSession session;
    if (withImpersonation) {
      HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
      session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
      hiveSessionUgi.setProxySession(session);
    } else {
      session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
          TSetIpAddressProcessor.getUserIpAddress());
    }
    session.setSessionManager(this);
    session.setOperationManager(operationManager);
    session.open();
    handleToSession.put(session.getSessionHandle(), session);

    try {
      executeSessionHooks(session);
    } catch (Exception e) {
      throw new HiveSQLException("Failed to execute session hooks", e);
    }
    return session.getSessionHandle();
  }
{code}
Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).

2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.

3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.

4. Consolidate thread locals used for username, ipaddress

5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161

  was:Check the discussion here: HIVE-6837


> Consolidate HiveServer2 threadlocals
> ------------------------------------
>
>                 Key: HIVE-6857
>                 URL: https://issues.apache.org/jira/browse/HIVE-6857
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Vaibhav Gumashta
>            Assignee: Vaibhav Gumashta
>
> Excerpt HIVE-6837. Issues:
> 1. SessionManager#openSession:
> {code}
> public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
>       Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
>           throws HiveSQLException {
>     HiveSession session;
>     if (withImpersonation) {
>       HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
>         hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
>       session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
>       hiveSessionUgi.setProxySession(session);
>     } else {
>       session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
>           TSetIpAddressProcessor.getUserIpAddress());
>     }
>     session.setSessionManager(this);
>     session.setOperationManager(operationManager);
>     session.open();
>     handleToSession.put(session.getSessionHandle(), session);
>     try {
>       executeSessionHooks(session);
>     } catch (Exception e) {
>       throw new HiveSQLException("Failed to execute session hooks", e);
>     }
>     return session.getSessionHandle();
>   }
> {code}
> Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
> 2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
> 3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.
> 4. Consolidate thread locals used for username, ipaddress
> 5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
> https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161



--
This message was sent by Atlassian JIRA
(v6.2#6252)