Posted to dev@hive.apache.org by "Abdelrahman Shettia (JIRA)" <ji...@apache.org> on 2015/04/29 05:42:06 UTC

[jira] [Created] (HIVE-10528) Hiveserver2 in HTTP mode is not applying auth_to_local rules

Abdelrahman Shettia created HIVE-10528:
------------------------------------------

             Summary: Hiveserver2 in HTTP mode is not applying auth_to_local rules
                 Key: HIVE-10528
                 URL: https://issues.apache.org/jira/browse/HIVE-10528
             Project: Hive
          Issue Type: Bug
          Components: HiveServer2
    Affects Versions: 0.14.0
         Environment: Centos 6
            Reporter: Abdelrahman Shettia


PROBLEM: When authenticating to HS2 in HTTP mode with Kerberos, auth_to_local mappings do not get applied.  Because of this, various permissions checks which rely on the local cluster name for a user are going to fail.


STEPS TO REPRODUCE:

1.  Create a Kerberos cluster and HS2 in HTTP mode
2.  Create a new user, test, along with a Kerberos principal for this user
3.  Create a separate principal, mapped-test
4.  Create an auth_to_local rule to make sure that mapped-test is mapped to test
5.  As the test user, connect to HS2 with beeline and create a simple table:

{code}
CREATE TABLE permtest (field1 int);
{code}

There is no need to load anything into this table.

6.  Establish that it works as the test user:

{code}
show create table permtest;
{code}

7.  Drop the test identity and become mapped-test
8.  Re-connect to HS2 with beeline, re-run the above command:
{code}
show create table permtest;
{code}

You will find that when this is done in HTTP mode, you will get an HDFS error (because of StorageBasedAuthorization doing an HDFS permissions check) and the user will be mapped-test and NOT test as it should be.

ANALYSIS:  This appears to be HTTP specific and the problem seems to come in {{ThriftHttpServlet$HttpKerberosServerAction.getPrincipalWithoutRealmAndHost()}}:

{code}
      try {
        fullKerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(fullPrincipal);
      } catch (IOException e) {
        throw new HttpAuthenticationException(e);
      }
      return fullKerberosName.getServiceName();
{code}

getServiceName applies no auth_to_local rules.  Seems like maybe this should be getShortName()?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
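
Added example (not part of the original report, and not Hive or Hadoop code): a simplified Python model of auth_to_local rule evaluation, showing why taking only the first principal component differs from applying the mapping rules. The realm EXAMPLE.COM, the rule text, and the function names are constructed for illustration; only the RULE:[n:fmt](regex)s/pat/repl/ and DEFAULT forms are modelled.

```python
import re

# Simplified model of Hadoop's auth_to_local rule syntax (assumption: only the
# RULE:[n:fmt](regex)s/pat/repl/[g] and DEFAULT forms are handled).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def split_principal(principal):
    """Return (components, realm) for 'name[/host]@REALM'."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def service_name(principal):
    """Mirrors the behaviour reported above: first component, no rules applied."""
    return split_principal(principal)[0][0]

def short_name(principal, rules, default_realm):
    """Apply rules in order; the first matching rule decides the local name."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unsupported rule: {rule}")
        n, fmt, match, pat, repl, glob = m.groups()
        if int(n) != len(comps):
            continue
        # $0 is the realm, $1..$n are the name components
        base = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue
        if pat is None:
            return base
        return re.sub(pat, repl, base, count=0 if glob else 1)
    raise LookupError(f"no auth_to_local rule applies to {principal}")

# Constructed sample: realm and rules are illustrative, not from the report.
RULES = [r"RULE:[1:$1@$0](mapped-test@EXAMPLE\.COM)s/.*/test/", "DEFAULT"]
REALM = "EXAMPLE.COM"

def compare(principal):
    return service_name(principal), short_name(principal, RULES, REALM)

if __name__ == "__main__":
    for p in ("test@EXAMPLE.COM", "mapped-test@EXAMPLE.COM"):
        print(p, compare(p))
```

For mapped-test the two functions disagree, which is the mismatch that makes the storage-based permission check run as the wrong local user; a principal from a realm no rule covers raises instead of silently receiving a name.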