Posted to issues@hive.apache.org by "Sergey Shelukhin (JIRA)" <ji...@apache.org> on 2016/04/28 01:25:12 UTC

[jira] [Comment Edited] (HIVE-13446) LLAP: set default management protocol acls to deny all

    [ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15261179#comment-15261179 ] 

Sergey Shelukhin edited comment on HIVE-13446 at 4/27/16 11:24 PM:
-------------------------------------------------------------------

{noformat}
    Is the LLAP_VALIDATE_ACLS property really needed? Why not always have this enabled.
{noformat}
In case it breaks for someone for a reason we cannot foresee. This setting will also be used to enforce checking ZK acls.
{noformat}
    Changing the default for "hive.llap.management.acl" to " " instead of "*" seems to be a simpler approach. Afaik, the logged in user will still be allowed access. The default would allow only the logged in user (assuming that works). Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if they want to grant access to additional users.
{noformat}
I am not sure if this is going to work. We'd need to return the client principal key from KerberosInfo; even then, the verification is done like so:
{noformat}
[String ]clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
...
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || ... reject
{noformat}
It appears to require kinit with the host name from client. [~jingzhao] can you comment on this? Does IPC allow the current user to access the service, even if they logged in with keytab as user@BLAH.COM, not user/addr@BLAH.COM? If I understand the code in ServiceAuthorizationManager correctly, it doesn't appear to.


{noformat}
    hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any project outside of Hadoop is supposed to use this in a reliable manner. Maybe define the man acl configuration as a string and add the blocked to it - to prevent strange naming problems mentioned in the code.
{noformat}
Hmm. How would adding the same thing to it be safer? 
This way to build the thing is essentially public since everyone has to use it to configure their services. This setting just adds it to HiveConf. If the name changes, we'd have to change the config name like everyone else; for us, the default will also break, but I think this is not a big deal (and is unavoidable).



was (Author: sershe):
{noformat}
    Is the LLAP_VALIDATE_ACLS property really needed? Why not always have this enabled.
{noformat}
In case it breaks for someone for a reason we cannot foresee. This setting will also be used to enforce checking ZK acls.
{noformat}
    Changing the default for "hive.llap.management.acl" to " " instead of "*" seems to be a simpler approach. Afaik, the logged in user will still be allowed access. The default would allow only the logged in user (assuming that works). Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if they want to grant access to additional users.
{noformat}
I am not sure if this is going to work. We'd need to return the client principal key from KerberosInfo; even then, the verification is done like so:
{noformat}
[String ]clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
...
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || ... reject
{noformat}
It appears to require kinit with the host name from client. [~jingzhao] can you comment on this? Does IPC allow the current user to access the service, even if they logged in with keytab as user@BLAH.COM, not user/addr@BLAH.COM? If I understand the code in ServiceAuthorizationManager correctly, it doesn't appear to.


{noformat}
    hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any project outside of Hadoop is supposed to use this in a reliable manner. Maybe define the man acl configuration as a string and add the blocked to it - to prevent strange naming problems mentioned in the code.
{noformat}
Hmm. How would adding the same thing to it be safer? 


> LLAP: set default management protocol acls to deny all
> ------------------------------------------------------
>
>                 Key: HIVE-13446
>                 URL: https://issues.apache.org/jira/browse/HIVE-13446
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13446.patch
>
>
> The user needs to set the acls.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
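
The principal comparison quoted in the comment above, combined with an allow list and a blocked list, as an added example: this is a simplified, self-contained model written for this page, not Hadoop or Hive code. The class and method names are hypothetical, and the `_HOST` substitution, the ACL string semantics (`*`, a single space, comma-separated users) and the order of the checks are assumptions of the model; the principals and host name are constructed sample values.

```java
import java.util.Arrays;

// Simplified model of the check quoted above; not Hadoop or Hive code.
public class MgmtAclModel {

    // Assumption: a "_HOST" host component is replaced by the caller's host name.
    static String resolve(String pattern, String clientHost) {
        if (pattern == null) return null;
        return pattern.replace("/_HOST@", "/" + clientHost.toLowerCase() + "@");
    }

    // Assumption: "*" matches everyone, " " or "" matches no one, otherwise the
    // text before the first space is a comma-separated user list (groups omitted).
    static boolean matches(String acl, String shortName) {
        String trimmed = acl.trim();
        if (trimmed.equals("*")) return true;
        String users = trimmed.split(" ")[0];
        return !users.isEmpty() && Arrays.asList(users.split(",")).contains(shortName);
    }

    // Reject on principal mismatch first, then apply the allow and blocked lists.
    static boolean authorize(String pattern, String clientHost, String fullName,
                             String acl, String blockedAcl) {
        String clientPrincipal = resolve(pattern, clientHost);
        if (clientPrincipal != null && !clientPrincipal.equals(fullName)) return false;
        String shortName = fullName.split("[/@]")[0];
        return matches(acl, shortName) && !matches(blockedAcl, shortName);
    }

    public static void main(String[] args) {
        // Constructed sample values, reusing the names from the comment.
        String pattern = "user/_HOST@BLAH.COM";
        String host = "addr.blah.com";
        String[][] cases = {
            // label, principal pattern, caller principal, acl, blocked acl
            {"plain principal vs _HOST pattern", pattern, "user@BLAH.COM", "*", ""},
            {"host-qualified principal", pattern, "user/addr.blah.com@BLAH.COM", "*", ""},
            {"no client principal key", null, "user@BLAH.COM", "*", ""},
            {"acl set to a single space", null, "user@BLAH.COM", " ", ""},
            {"acl '*' but blocked '*'", null, "user@BLAH.COM", "*", "*"},
            {"explicit user in acl", null, "user@BLAH.COM", "user", ""},
        };
        for (String[] c : cases) {
            boolean ok = authorize(c[1], host, c[2], c[3], c[4]);
            System.out.printf("%-34s -> %s%n", c[0], ok ? "allow" : "reject");
        }
    }
}
```

In this model the first case is rejected before any ACL is consulted, which is the situation the question to [~jingzhao] is about; whether the real service behaves the same way has to be confirmed against ServiceAuthorizationManager itself.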