You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2017/12/20 20:49:00 UTC

[jira] [Comment Edited] (HIVE-17853) RetryingMetaStoreClient loses UGI impersonation-context when reconnecting after timeout

    [ https://issues.apache.org/jira/browse/HIVE-17853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16299065#comment-16299065 ] 

Thejas M Nair edited comment on HIVE-17853 at 12/20/17 8:48 PM:
----------------------------------------------------------------

We should also check to see if current user is same as the original UGI user, and not do the ugi.doAs() if it is the same. Otherwise, this can potentially cause problems where the users are not privileged users (ie, there is no intent to do a "doAs").
Without such a check, you would get errors like " userX is not allowed to impersonate userX".



was (Author: thejas):
We should also check to see if current user is same as the original UGI user, and not do the ugi.doAs() if it is the same. Otherwise, this can potentially cause problems where the users are not privileged users (ie, there is no intent to do a "doAs").
You would get errors like " userX is not allowed to impersonate userX".


> RetryingMetaStoreClient loses UGI impersonation-context when reconnecting after timeout
> ---------------------------------------------------------------------------------------
>
>                 Key: HIVE-17853
>                 URL: https://issues.apache.org/jira/browse/HIVE-17853
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 3.0.0, 2.4.0, 2.2.1
>            Reporter: Mithun Radhakrishnan
>            Assignee: Chris Drome
>            Priority: Critical
>             Fix For: 3.0.0, 2.4.0, 2.2.1
>
>         Attachments: HIVE-17853.01-branch-2.patch, HIVE-17853.01.patch
>
>
> The {{RetryingMetaStoreClient}} is used to automatically reconnect to the Hive metastore, after client timeout, transparently to the user.
> In case of user impersonation (e.g. Oozie super-user {{oozie}} impersonating a Hadoop user {{mithun}}, to run a workflow), in case of timeout, we find that the reconnect causes the {{UGI.doAs()}} context to be lost. Any further metastore operations will be attempted as the login-user ({{oozie}}), as opposed to the effective user ({{mithun}}).
> We should have a fix for this shortly.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)