Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/09/13 11:01:00 UTC

[jira] [Updated] (HIVE-27517) SessionState is not correctly initialized when hive.security.authorization.createtable.group.grants is set to automatically grant privileges

     [ https://issues.apache.org/jira/browse/HIVE-27517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated HIVE-27517:
----------------------------------
    Labels: pull-request-available  (was: )

> SessionState is not correctly initialized when hive.security.authorization.createtable.group.grants is set to automatically grant privileges
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27517
>                 URL: https://issues.apache.org/jira/browse/HIVE-27517
>             Project: Hive
>          Issue Type: Bug
>            Reporter: ConfX
>            Priority: Critical
>              Labels: pull-request-available
>         Attachments: reproduce.sh
>
>
> h2. What happened:
> When {{hive.security.authorization.createtable.group.grants}} is set to some value, the grant may not be successfully applied to the specified groups due to incorrect {{SessionState}} initialization, and the system crashes.
> h2. Buggy code:
> When the {{getAuthenticator()}} method of the {{SessionState}} class is called, it first executes {{setupAuth()}}, which sets up the authentication and authorization plugins for this session.
> {noformat}
> /**
>  * Setup authentication and authorization plugins for this session.
>  */
> private synchronized void setupAuth() {
>   ...
>   // create the create table grants with new config
>   createTableGrants = CreateTableAutomaticGrant.create(sessionConf);
>   ...
> }{noformat}
> In the table grants creation, {{sessionConf}} sets the group grant with {{getGrantMap()}}. This method validates the privilege with the {{getPrivilege}} method, and eventually the {{getPrivilegeFromRegistry}} method is executed.
> {noformat}
> private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
>   return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype);
> }{noformat}
> However, {{SessionState.get()}} can be null because the state may not be correctly initialized.
> In {{SessionState.java}}, the {{get()}} method returns {{tss.get().state}}. If the current thread does not have a {{SessionStates}} initialized, then {{get()}} will try to create a new {{SessionStates}} by calling {{initialValue()}} below. This calls the default constructor of the {{SessionStates}} class, which does not initialize the {{SessionState}} field and the {{HiveConf}} field.
> {noformat}
> /**
>  * get the current session.
>  */
> public static SessionState get() {
>   return tss.get().state;
> }
>
> /**
>  * Singleton Session object per thread.
>  *
>  **/
> private static ThreadLocal<SessionStates> tss = new ThreadLocal<SessionStates>() {
>   @Override
>   protected SessionStates initialValue() {
>     return new SessionStates();
>   }
> };
>
> private static class SessionStates {
>   private SessionState state;
>   private HiveConf conf;
>
>   private void attach(SessionState state) {
>     this.state = state;
>     attach(state.getConf());
>   }
>
>   private void attach(HiveConf conf) {
>     this.conf = conf;
>     ClassLoader classLoader = conf.getClassLoader();
>     if (classLoader != null) {
>       Thread.currentThread().setContextClassLoader(classLoader);
>     }
>   }
> }{noformat}
> h2. How to reproduce:
> (1) Set {{hive.security.authorization.createtable.group.grants}} to some value, e.g. {{abc,def:create;xlab,tyx:all;}}
> (2) Run test {{org.apache.hadoop.hive.ql.parse.authorization.TestSessionUserName#testSessionGetGroupNames}}
> h2. StackTrace:
> {noformat}
> java.lang.NullPointerException                                                                     
>         at org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilegeFromRegistry(PrivilegeRegistry.java:77)
>         at org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilege(PrivilegeRegistry.java:72)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.validatePrivilege(CreateTableAutomaticGrant.java:108)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantorInfoList(CreateTableAutomaticGrant.java:91)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantMap(CreateTableAutomaticGrant.java:73)
>         at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.create(CreateTableAutomaticGrant.java:47)
>         at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:996)
>         at org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1744)
> {noformat}
>  
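
The failure mode described in the report, reduced to a stand-alone Java sketch (an added example, not Hive source code and not the change from the linked pull request): a thread-local holder built by `initialValue()` carries a null session until one is attached on that thread. `Session`, `Holder`, `lookupUnchecked` and `lookupChecked` are hypothetical names, and the explicit guard is an assumed way to fail with a clear error rather than a `NullPointerException` in the middle of grant validation.

```java
// Added illustration; names mirror the report but none of this is Hive code.
public class ThreadLocalSessionDemo {
  enum PrivilegeType { CREATE, ALL }

  static class Session {                     // stand-in for SessionState
    private final boolean authV2;
    Session(boolean authV2) { this.authV2 = authV2; }
    boolean isAuthorizationModeV2() { return authV2; }
  }

  static class Holder { Session state; }     // stand-in for SessionStates

  // Same shape as the report: the initial value is a holder whose state is null.
  static final ThreadLocal<Holder> TSS = ThreadLocal.withInitial(Holder::new);

  static Session get() { return TSS.get().state; }
  static void attach(Session s) { TSS.get().state = s; }

  // Pattern from the report: the result of get() is dereferenced unconditionally.
  static String lookupUnchecked(PrivilegeType p) {
    return get().isAuthorizationModeV2() ? "V2:" + p : "V1:" + p;
  }

  // Hypothetical guard: reject the call explicitly when no session is attached.
  static String lookupChecked(PrivilegeType p) {
    Session s = get();
    if (s == null) {
      throw new IllegalStateException(
          "no session attached to thread " + Thread.currentThread().getName());
    }
    return s.isAuthorizationModeV2() ? "V2:" + p : "V1:" + p;
  }

  public static void main(String[] args) throws Exception {
    attach(new Session(true));               // only the main thread gets a session
    System.out.println("main: " + lookupUnchecked(PrivilegeType.CREATE));

    Thread worker = new Thread(() -> {       // this thread never calls attach()
      try { lookupUnchecked(PrivilegeType.CREATE); }
      catch (NullPointerException e) { System.out.println("worker unchecked: NPE"); }
      try { lookupChecked(PrivilegeType.ALL); }
      catch (IllegalStateException e) { System.out.println("worker checked: " + e.getMessage()); }
    }, "worker-1");
    worker.start();
    worker.join();
  }
}
```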


