You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Vugar Karimli (JIRA)" <ji...@apache.org> on 2017/08/04 14:06:00 UTC
[jira] [Created] (HIVE-17252) Insecure YARN Fair Scheduler when
using HiveServer2 non-impersonation mode
Vugar Karimli created HIVE-17252:
------------------------------------
Summary: Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode
Key: HIVE-17252
URL: https://issues.apache.org/jira/browse/HIVE-17252
Project: Hive
Issue Type: Bug
Affects Versions: 1.1.0
Reporter: Vugar Karimli
Hi,
I am using Hive version 1.1.0 with Hadoop 2.6.0. As you know when Kerberos and Sentry is enabled in hadoop cluster HiveServer2 user impersonation should be turned of (hive.server2.enable.doAs=false) to force all queries in background to be executed by hive user instead of logged in user.
In this case by default HiveServer2 takes into account Fair Scheduler and sets mapreduce.job.queuename parameter according to logged in Hive username and correctly executes query in user's YARN queue. For example, in root.users.user_name queue.
But problem here is any user can modify mapreduce.job.queuename parameter setting other user's queue name (set mapreduce.job.queuename=root.users.other_user_name) and execute query in another user's YARN queue. Here YARN queue's ACL also doesn't help, because all queries are executed by hive user in YARN not by logged in user.
Is it possible to prevent HiveServer2 users changing mapreduce.job.queuename parameter?
Best Regards,
Vugar.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)