HiveCLI HoS Performs Invalid Impersonation If User Name Truncated

The HiveCLI HoS code relies on the system property user.name when performing impersonations. The code decides to do an impersonation if the user.name system property does not match the current user who is launching the HiveCLI client.  However, when confronted with a long user name, some shells and linux distros may opt to truncate the user name to a certain size to conserve screen space. In these scenarios, the current user name does not match the user.name system property and never will, so impersonation will always happen, even though the user is trying to impersonate themselves. If YARN is not setup to allow the current user to impersonate, YARN will reject the request.

    if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
      try {
        String currentUser = Utils.getUGI().getShortUserName();
        // do not do impersonation in CLI mode
        if (!currentUser.equals(System.getProperty("user.name"))) {
          LOG.info("Attempting impersonation of " + currentUser);
          addProxyUser(currentUser);
        }
      } catch (Exception e) {
        String msg = "Cannot obtain username: " + e;
        throw new IllegalStateException(msg, e);
      }
    }

https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366

Assuming a kerberos enabled environment, the error message in the YARN Resource Manager will be:

my-really-really-long-user-name@HADOOP.DOMAIN.COM is not allowed to impersonate my-really-really-long-user-name