HIVE-6857

Refactor HiveServer2 TSetIpAddressProcessor


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • HiveServer2
    • None

    Description

      Excerpt from HIVE-6837 and related issues:
      1. SessionManager#openSession:

      public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
          Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
          throws HiveSQLException {
        HiveSession session;
        if (withImpersonation) {
          HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
              hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
          session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
          hiveSessionUgi.setProxySession(session);
        } else {
          session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
              TSetIpAddressProcessor.getUserIpAddress());
        }
        session.setSessionManager(this);
        session.setOperationManager(operationManager);
        session.open();
        handleToSession.put(session.getSessionHandle(), session);

        try {
          executeSessionHooks(session);
        } catch (Exception e) {
          throw new HiveSQLException("Failed to execute session hooks", e);
        }
        return session.getSessionHandle();
      }

      Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).

      2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.

      3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.

      4. Consolidate thread locals used for username, ipaddress

      5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
      https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161
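
Added example, not part of the original issue and not Hive code: a simplified model of the thread-local problem described in items 1, 4 and 5. All class, field and method names are hypothetical, and it assumes each authentication path records the peer address in its own thread-local. It shows the hard-wired lookup returning null on the Kerberos path while a single mode-aware accessor returns the address on both paths.

```java
import java.util.function.Supplier;

// Simplified model with hypothetical names; these are not Hive's classes.
public class ClientIpThreadLocalDemo {
    // Assumption: each auth path stores the peer address in its own thread-local.
    static final ThreadLocal<String> PLAIN_SASL_IP = new ThreadLocal<>();
    static final ThreadLocal<String> KERBEROS_IP = new ThreadLocal<>();

    enum AuthMode { PLAIN_SASL, KERBEROS }

    // Stand-in for the per-request processor: records the peer address, then runs the handler.
    static String handleRequest(AuthMode mode, String peerIp, Supplier<String> handler) {
        ThreadLocal<String> slot = (mode == AuthMode.KERBEROS) ? KERBEROS_IP : PLAIN_SASL_IP;
        slot.set(peerIp);
        try {
            return handler.get();
        } finally {
            slot.remove(); // pooled worker threads must not keep the previous client's address
        }
    }

    // Pattern from the issue: session setup always reads the plain-SASL slot.
    static String ipHardWired() {
        return PLAIN_SASL_IP.get();
    }

    // Consolidated accessor: one lookup that knows which auth path is active.
    static String ipViaFactory(AuthMode mode) {
        return (mode == AuthMode.KERBEROS) ? KERBEROS_IP.get() : PLAIN_SASL_IP.get();
    }

    public static void main(String[] args) {
        String peer = "192.0.2.10"; // constructed sample address (TEST-NET-1 range)
        for (AuthMode mode : AuthMode.values()) {
            String hardWired = handleRequest(mode, peer, ClientIpThreadLocalDemo::ipHardWired);
            String viaFactory = handleRequest(mode, peer, () -> ipViaFactory(mode));
            System.out.printf("%-10s hard-wired=%s via-factory=%s%n", mode, hardWired, viaFactory);
        }
    }
}
```

A session created through the hard-wired lookup on the Kerberos path carries no client address, so anything downstream that records or checks the session's IP sees null.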

            People

              Assignee: Unassigned
              Reporter: Vaibhav Gumashta (vgumashta)
              Votes: 0
              Watchers: 2
