  1. Hive
  2. HIVE-19900

HiveCLI HoS Performs Invalid Impersonation If User Name Truncated


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Workaround
    • Affects Version/s: 1.2.2, 3.0.0, 2.3.2, 4.0.0
    • Fix Version/s: None
    • Component/s: CLI, Spark
    • Labels:
      None

      Description

      The HiveCLI HoS code relies on the system property user.name when performing impersonations. The code decides to do an impersonation if the user.name system property does not match the current user who is launching the HiveCLI client. However, when confronted with a long user name, some shells and Linux distros may opt to truncate the user name to a certain size to conserve screen space. In these scenarios, the current user name does not match the user.name system property and never will, so impersonation will always happen, even though the user is trying to impersonate themselves. If YARN is not set up to allow the current user to impersonate, YARN will reject the request.

          if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
            try {
              String currentUser = Utils.getUGI().getShortUserName();
              // do not do impersonation in CLI mode
              if (!currentUser.equals(System.getProperty("user.name"))) {
                LOG.info("Attempting impersonation of " + currentUser);
                addProxyUser(currentUser);
              }
            } catch (Exception e) {
              String msg = "Cannot obtain username: " + e;
              throw new IllegalStateException(msg, e);
            }
          }
      

       

      https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366

      Assuming a Kerberos-enabled environment, the error message in the YARN Resource Manager will be:

      my-really-really-long-user-name@HADOOP.DOMAIN.COM is not allowed to impersonate my-really-really-long-user-name
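
An added triage example (not part of the issue or of Hive's code): it parses the rejection message quoted above and separates self-impersonation, which is the signature of this bug, from cross-user impersonation, which is the case an operator should actually investigate. It generalizes to principals with an instance part, assumes Hadoop's default principal-to-short-name mapping (primary component only), and uses constructed sample lines with a hypothetical `rm.log:` prefix.

```python
import re

# Message shape taken from the issue: "<principal> is not allowed to impersonate <user>"
_REJECT = re.compile(r"(?P<principal>\S+) is not allowed to impersonate (?P<target>\S+)")


def short_name(principal: str) -> str:
    """Assumed default mapping: drop '@REALM' and any '/instance' component."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def classify(line: str):
    """Return (kind, principal, target) for a rejection line, else None."""
    m = _REJECT.search(line)
    if m is None:
        return None
    principal = m.group("principal")
    target = m.group("target").rstrip(".,;:'\"")  # tolerate trailing punctuation
    kind = "self" if short_name(principal) == short_name(target) else "cross-user"
    return kind, principal, target


def triage(lines):
    """Group rejections so self-impersonation noise is kept apart from real attempts."""
    report = {"self": [], "cross-user": []}
    for line in lines:
        hit = classify(line)
        if hit:
            kind, principal, target = hit
            report[kind].append((principal, target))
    return report


# Constructed sample input: the first message is the one quoted in the issue,
# the other two lines and the "rm.log:" prefix are made up for illustration.
SAMPLE_LINES = [
    "rm.log: my-really-really-long-user-name@HADOOP.DOMAIN.COM is not allowed "
    "to impersonate my-really-really-long-user-name",
    "rm.log: etl-svc/node1.example.com@HADOOP.DOMAIN.COM is not allowed to impersonate alice",
    "rm.log: application submitted by alice",
]

if __name__ == "__main__":
    for kind, pairs in triage(SAMPLE_LINES).items():
        for principal, target in pairs:
            print(f"{kind:10s} {principal} -> {target}")
```

A `self` hit means the client asked to proxy as the same user it authenticated as, so the fix belongs on the client side rather than in the proxy-user allow list.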
      


            People

            • Assignee:
              belugabehr David Mollitor
              Reporter:
              belugabehr David Mollitor