Posted to dev@hive.apache.org by "Vugar Karimli (JIRA)" <ji...@apache.org> on 2017/08/04 14:06:00 UTC

[jira] [Created] (HIVE-17252) Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode

Vugar Karimli created HIVE-17252:
------------------------------------

             Summary: Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode
                 Key: HIVE-17252
                 URL: https://issues.apache.org/jira/browse/HIVE-17252
             Project: Hive
          Issue Type: Bug
    Affects Versions: 1.1.0
            Reporter: Vugar Karimli


Hi,

I am using Hive version 1.1.0 with Hadoop 2.6.0. As you know, when Kerberos and Sentry are enabled in a Hadoop cluster, HiveServer2 user impersonation should be turned off (hive.server2.enable.doAs=false) to force all queries in the background to be executed by the hive user instead of the logged-in user.

In this case, by default HiveServer2 takes the Fair Scheduler into account, sets the mapreduce.job.queuename parameter according to the logged-in Hive username, and correctly executes the query in the user's YARN queue. For example, in the root.users.user_name queue.

But the problem here is that any user can modify the mapreduce.job.queuename parameter, setting another user's queue name (set mapreduce.job.queuename=root.users.other_user_name), and execute a query in another user's YARN queue. Here the YARN queue's ACL also doesn't help, because all queries are executed by the hive user in YARN, not by the logged-in user.

Is it possible to prevent HiveServer2 users from changing the mapreduce.job.queuename parameter?

Best Regards,
Vugar.



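Added example, not part of the original message or of Hive's code: an audit check a defender could run over HiveServer2 session statements to flag the queue override the report describes, where a user sets the queue to something other than root.users.<user_name>. The (user, statement) input shape, the function names and the sample events are assumptions constructed for illustration; the deprecated alias mapred.job.queue.name is checked as well.

```python
import re

# Properties that select the YARN queue; mapred.job.queue.name is the
# deprecated alias of mapreduce.job.queuename.
QUEUE_PROPS = ("mapreduce.job.queuename", "mapred.job.queue.name")

# Matches "set key=value" with optional whitespace and trailing semicolon.
_SET_RE = re.compile(
    r"^\s*set\s+(?P<key>[\w.]+)\s*=\s*(?P<value>[^;]*?)\s*;?\s*$",
    re.IGNORECASE,
)


def expected_queue(user):
    """Queue the report says HiveServer2 assigns: root.users.<user_name>."""
    return "root.users." + user


def normalize_queue(name):
    """Assumption: a queue written without 'root.' is resolved under root."""
    name = name.strip().strip("'\"")
    return name if name == "root" or name.startswith("root.") else "root." + name


def queue_override(user, statement):
    """Return the requested queue if it is not the user's own, else None."""
    m = _SET_RE.match(statement)
    if not m or m.group("key").lower() not in QUEUE_PROPS:
        return None
    requested = normalize_queue(m.group("value"))
    return None if requested == expected_queue(user) else requested


def audit(events):
    """events: iterable of (user, statement); returns flagged (user, queue)."""
    hits = ((u, queue_override(u, s)) for u, s in events)
    return [(u, q) for u, q in hits if q is not None]


# Constructed sample input (not taken from a real HiveServer2 log).
SAMPLE = [
    ("alice", "SELECT count(*) FROM sales"),
    ("alice", "set mapreduce.job.queuename=root.users.alice;"),
    ("bob", "set mapreduce.job.queuename=root.users.alice"),
    ("carol", "SET  mapred.job.queue.name = users.bob ;"),
    ("dave", "set hive.exec.parallel=true"),
]

if __name__ == "__main__":
    for user, queue in audit(SAMPLE):
        print(f"{user} redirected queries to {queue}")
```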