You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/09/13 11:01:00 UTC
[jira] [Updated] (HIVE-27517) SessionState is not correctly initialized when hive.security.authorization.createtable.group.grants is set to automatically grant privileges
[ https://issues.apache.org/jira/browse/HIVE-27517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated HIVE-27517:
----------------------------------
Labels: pull-request-available (was: )
> SessionState is not correctly initialized when hive.security.authorization.createtable.group.grants is set to automatically grant privileges
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: HIVE-27517
> URL: https://issues.apache.org/jira/browse/HIVE-27517
> Project: Hive
> Issue Type: Bug
> Reporter: ConfX
> Priority: Critical
> Labels: pull-request-available
> Attachments: reproduce.sh
>
>
> h2. What happened:
> When set {{hive.security.authorization.createtable.group.grants}} to some value, the grant may not be able to successfully apply to specified groups due to incorrect {{SessionState}} initialization and crashes the system.
> h2. Buggy code:
> When call {{getAuthenticator()}} method from {{SessionState}} class, it first executes {{{}setupAuth(){}}}, which setup authentication and authorization plugins for this session.
> {noformat}
> /**
> * Setup authentication and authorization plugins for this session.
> */
> private synchronized void setupAuth() {
> ...
> // create the create table grants with new config
> createTableGrants = CreateTableAutomaticGrant.create(sessionConf);
> ...
> }{noformat}
> In the table grants creation, the {{sessionConf}} sets group grant with {{{}getGrantMap(){}}}. This method will validate privilege with {{getPrivilege}} method and eventually {{getPrivilegeFromRegistry}} method will be executed.
> {noformat}
> private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
> return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype);
> }{noformat}
> However, {{ SessionState.get()}} can be null because the state may not be correctly initialized.
> In {{{}SessionState.java{}}}, {{get()}} method returns {{{}tss.get().state{}}}. If the current thread does not have SessionStates initialized, then {{get()}} will try to create a new SessionStates by calling {{initialValue()}} below. This calls the default constructor of the {{SessionSatets}} class, which does not initialize the {{SessionState}} field and {{HiveConf}} field.
> {noformat}
> /**
> * get the current session.
> */
> public static SessionState get() {
> return tss.get().state;
> }/**
> * Singleton Session object per thread.
> *
> **/
> private static ThreadLocal<SessionStates> tss = new ThreadLocal<SessionStates>() {
> @Override
> protected SessionStates initialValue() {
> return new SessionStates();
> }
> };private static class SessionStates {
> private SessionState state;
> private HiveConf conf;
> private void attach(SessionState state) {
> this.state = state;
> attach(state.getConf());
> }
> private void attach(HiveConf conf) {
> this.conf = conf; ClassLoader classLoader = conf.getClassLoader();
> if (classLoader != null) {
> Thread.currentThread().setContextClassLoader(classLoader);
> }
> }
> }{noformat}
> h2. How to reproduce:
> (1) Set {{hive.security.authorization.createtable.group.grants}} to some value, e.g. {{abc,def:create;xlab,tyx:all;}}
> (2) Run test {{org.apache.hadoop.hive.ql.parse.authorization.TestSessionUserName#testSessionGetGroupNames}}
> h2. StackTrace:
> {noformat}
> java.lang.NullPointerException
> at org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilegeFromRegistry(PrivilegeRegistry.java:77)
> at org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilege(PrivilegeRegistry.java:72)
> at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.validatePrivilege(CreateTableAutomaticGrant.java:108)
> at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantorInfoList(CreateTableAutomaticGrant.java:91)
> at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantMap(CreateTableAutomaticGrant.java:73)
> at org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.create(CreateTableAutomaticGrant.java:47)
> at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:996)
> at org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1744)
> {noformat}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)