Hive
  1. Hive
  2. HIVE-6800

HiveServer2 is not passing proxy user setting through hive-site

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.13.0
    • Fix Version/s: 0.13.0
    • Component/s: HiveServer2
    • Labels:
      None

      Description

      Setting the following in core-site.xml works fine in a secure cluster with hive.server2.allow.user.substitution set to true:

      <property>
        <name>hadoop.proxyuser.user1.groups</name>
        <value>users</value>
      </property>
          
      <property>
        <name>hadoop.proxyuser.user1.hosts</name>
        <value>*</value>
      </property>
      

      where user1 will be proxying for user2:

      !connect jdbc:hive2:/myhostname:10000/;principal=hive/_HOST@EXAMPLE.COM;hive.server2.proxy.user=user2 user1 fakepwd org.apache.hive.jdbc.HiveDriver
      

      However, setting this in hive-site.xml throws "Failed to validate proxy privilage" exception.

      1. HIVE-6800.1.patch
        0.8 kB
        Vaibhav Gumashta

        Issue Links

          Activity

          Hide
          Vaibhav Gumashta added a comment -
          Show
          Vaibhav Gumashta added a comment - cc Thejas M Nair Prasad Mujumdar Harish Butani Bug for 13! Thanks!
          Hide
          Hive QA added a comment -

          Overall: -1 at least one tests failed

          Here are the results of testing the latest attachment:
          https://issues.apache.org/jira/secure/attachment/12637963/HIVE-6800.1.patch

          ERROR: -1 due to 1 failed/errored test(s), 5513 tests executed
          Failed tests:

          org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_infer_bucket_sort_dyn_part
          

          Test results: http://bigtop01.cloudera.org:8080/job/PreCommit-HIVE-Build/2059/testReport
          Console output: http://bigtop01.cloudera.org:8080/job/PreCommit-HIVE-Build/2059/console

          Messages:

          Executing org.apache.hive.ptest.execution.PrepPhase
          Executing org.apache.hive.ptest.execution.ExecutionPhase
          Executing org.apache.hive.ptest.execution.ReportingPhase
          Tests exited with: TestsFailedException: 1 tests failed
          

          This message is automatically generated.

          ATTACHMENT ID: 12637963

          Show
          Hive QA added a comment - Overall : -1 at least one tests failed Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12637963/HIVE-6800.1.patch ERROR: -1 due to 1 failed/errored test(s), 5513 tests executed Failed tests: org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_infer_bucket_sort_dyn_part Test results: http://bigtop01.cloudera.org:8080/job/PreCommit-HIVE-Build/2059/testReport Console output: http://bigtop01.cloudera.org:8080/job/PreCommit-HIVE-Build/2059/console Messages: Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase Tests exited with: TestsFailedException: 1 tests failed This message is automatically generated. ATTACHMENT ID: 12637963
          Hide
          Prasad Mujumdar added a comment -

          [~vaibhavgumashta] Thanks for fixing the issue. Looks fine to me.
          +1

          Show
          Prasad Mujumdar added a comment - [~vaibhavgumashta] Thanks for fixing the issue. Looks fine to me. +1
          Hide
          Vaibhav Gumashta added a comment -

          Prasad Mujumdar Thanks for taking a look. The failure looks unrelated.

          Show
          Vaibhav Gumashta added a comment - Prasad Mujumdar Thanks for taking a look. The failure looks unrelated.
          Hide
          Thejas M Nair added a comment -

          There is a thread safety issue here, ProxyUsers uses HashMap internally, and refreshSuperUserGroupsConfiguration updates the hashmaps. If it gets updated from two places, it could result in issues like getting stuck in an infinite loop.
          Also, when one thread is calling ProxyUsers.authorize, another thread might clear the hashmap entries as it enters ProxyUsers.refreshSuperUserGroupsConfiguration.
          refreshSuperUserGroupsConfiguration also looks like an expensive operation. I think we would be better to do it just once from HadoopShimsSecure .

          Show
          Thejas M Nair added a comment - There is a thread safety issue here, ProxyUsers uses HashMap internally, and refreshSuperUserGroupsConfiguration updates the hashmaps. If it gets updated from two places, it could result in issues like getting stuck in an infinite loop. Also, when one thread is calling ProxyUsers.authorize, another thread might clear the hashmap entries as it enters ProxyUsers.refreshSuperUserGroupsConfiguration. refreshSuperUserGroupsConfiguration also looks like an expensive operation. I think we would be better to do it just once from HadoopShimsSecure .
          Hide
          Thejas M Nair added a comment -

          Sorry, I take that back, refreshSuperUserGroupsConfiguration and authorize are actually synchronized methods.
          Patch looks good to me.

          I think we should look at doing the refreshSuperUserGroupsConfiguration only once, but that can be part of a follow up jira.

          Show
          Thejas M Nair added a comment - Sorry, I take that back, refreshSuperUserGroupsConfiguration and authorize are actually synchronized methods. Patch looks good to me. I think we should look at doing the refreshSuperUserGroupsConfiguration only once, but that can be part of a follow up jira.
          Hide
          Thejas M Nair added a comment -

          Patch committed to trunk and 0.13 branch.
          Thanks for the contribution Vaibhav, and thanks for the review Prasad!

          Show
          Thejas M Nair added a comment - Patch committed to trunk and 0.13 branch. Thanks for the contribution Vaibhav, and thanks for the review Prasad!
          Hide
          Thejas M Nair added a comment -

          Created HIVE-6851 for the optimization suggested above.

          Show
          Thejas M Nair added a comment - Created HIVE-6851 for the optimization suggested above.

            People

            • Assignee:
              Vaibhav Gumashta
              Reporter:
              Vaibhav Gumashta
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development