Posted to issues@hive.apache.org by "BELUGA BEHR (JIRA)" <ji...@apache.org> on 2018/06/14 21:51:00 UTC

[jira] [Comment Edited] (HIVE-19900) HiveCLI HoS Performs Invalid Impersonation If User Name Truncated

    [ https://issues.apache.org/jira/browse/HIVE-19900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16513040#comment-16513040 ] 

BELUGA BEHR edited comment on HIVE-19900 at 6/14/18 9:50 PM:
-------------------------------------------------------------

This only affects the deprecated HiveCLI and only applies to HoS.  The workaround is to use shorter user names when necessary.


was (Author: belugabehr):
This only affects the deprecated HiveCLI and the workaround is to use shorter user names when necessary.

> HiveCLI HoS Performs Invalid Impersonation If User Name Truncated
> -----------------------------------------------------------------
>
>                 Key: HIVE-19900
>                 URL: https://issues.apache.org/jira/browse/HIVE-19900
>             Project: Hive
>          Issue Type: Improvement
>          Components: CLI, Spark
>    Affects Versions: 1.2.2, 3.0.0, 2.3.2, 4.0.0
>            Reporter: BELUGA BEHR
>            Assignee: BELUGA BEHR
>            Priority: Minor
>             Fix For: 1.2.3, 2.3.3, 4.0.0
>
>
> The HiveCLI HoS code relies on the system property {{user.name}} when performing impersonations. The code decides to do an impersonation if the {{user.name}} system property does not match the current user who is launching the HiveCLI client.  However, when confronted with a long user name, some shells and Linux distros may opt to truncate the user name to a certain size to conserve screen space. In these scenarios, the current user name does not match the {{user.name}} system property and never will, so impersonation will always happen, even though the user is trying to impersonate themselves. If YARN is not set up to allow the current user to impersonate, YARN will reject the request.
> {code:java}
>     if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
>       try {
>         String currentUser = Utils.getUGI().getShortUserName();
>         // do not do impersonation in CLI mode
>         if (!currentUser.equals(System.getProperty("user.name"))) {
>           LOG.info("Attempting impersonation of " + currentUser);
>           addProxyUser(currentUser);
>         }
>       } catch (Exception e) {
>         String msg = "Cannot obtain username: " + e;
>         throw new IllegalStateException(msg, e);
>       }
>     }
> {code}
>  
> [https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366]
> Assuming a Kerberos enabled environment, the error message in the YARN Resource Manager will be:
> {code:java}
> my-really-really-long-user-name@HADOOP.DOMAIN.COM is not allowed to impersonate my-really-really-long-user-name
> {code}
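
A stand-alone sketch of the comparison described in the issue above, added here as an example and not taken from Hive. The class name, method names and sample values (including the truncated form `my-reall`) are hypothetical and constructed for illustration. It shows the quoted check requesting a proxy user for a user's own truncated name, and a diagnostic that flags that case.

```java
import java.util.List;

// Added illustration, not Hive code. All names and sample values are hypothetical.
public class ImpersonationCheck {

    enum Decision { NO_PROXY, PROXY_OTHER_USER, SELF_PROXY_TRUNCATED_NAME }

    // Same comparison as the quoted snippet: a proxy user is added whenever
    // the UGI short name and the user.name system property differ.
    static boolean pageLogicAddsProxyUser(String ugiShortName, String userNameProperty) {
        return !ugiShortName.equals(userNameProperty);
    }

    // Diagnostic only. A user.name value that is a strict prefix of the UGI
    // short name matches the truncation scenario in the issue. Distinct
    // accounts can share a prefix ("al" vs "alice"), so this is a hint for
    // log triage and must not be used to decide whether to impersonate.
    static Decision classify(String ugiShortName, String userNameProperty) {
        if (ugiShortName.equals(userNameProperty)) {
            return Decision.NO_PROXY;
        }
        if (!userNameProperty.isEmpty() && ugiShortName.startsWith(userNameProperty)) {
            return Decision.SELF_PROXY_TRUNCATED_NAME;
        }
        return Decision.PROXY_OTHER_USER;
    }

    public static void main(String[] args) {
        // Constructed samples: {UGI short name, value of the user.name property}.
        List<String[]> samples = List.of(
            new String[] {"alice", "alice"},
            new String[] {"my-really-really-long-user-name", "my-reall"},
            new String[] {"alice", "hive"});
        for (String[] s : samples) {
            System.out.printf("ugi=%s user.name=%s addProxyUser=%b class=%s%n",
                s[0], s[1], pageLogicAddsProxyUser(s[0], s[1]), classify(s[0], s[1]));
        }
    }
}
```

For the second sample the quoted check adds a proxy user even though both values refer to the same account, which is the request the YARN Resource Manager rejects in the error shown above.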


