Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Excerpt from HIVE-6837 and related issues:
1. SessionManager#openSession:
public SessionHandle openSession(TProtocolVersion protocol, String username, String password, Map<String, String> sessionConf, boolean withImpersonation, String delegationToken) throws HiveSQLException { HiveSession session; if (withImpersonation) { HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password, hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken); session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi()); hiveSessionUgi.setProxySession(session); } else { session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress()); } session.setSessionManager(this); session.setOperationManager(operationManager); session.open(); handleToSession.put(session.getSessionHandle(), session); try { executeSessionHooks(session); } catch (Exception e) { throw new HiveSQLException("Failed to execute session hooks", e); } return session.getSessionHandle(); }
Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.
4. Consolidate thread locals used for username, ipaddress
5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161
Attachments
Issue Links
- is related to
-
HIVE-6837 HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null for client
- Resolved