diff --git itests/hive-unit/src/test/java/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java itests/hive-unit/src/test/java/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
index 7ac7ebc..c85c200 100644
--- itests/hive-unit/src/test/java/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
+++ itests/hive-unit/src/test/java/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
@@ -226,6 +226,7 @@ public void testDelegationTokenSharedStore() throws Exception {
 public void testSaslWithHiveMetaStore() throws Exception {
 setup();
 UserGroupInformation clientUgi = UserGroupInformation.getCurrentUser();
+ setGroupsInConf(clientUgi.getGroupNames(), clientUgi.getShortUserName());
 obtainTokenAndAddIntoUGI(clientUgi, null);
 obtainTokenAndAddIntoUGI(clientUgi, "tokenForFooTablePartition");
 }
diff --git shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
index dc89de1..ec0de16 100644
--- shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
+++ shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
@@ -570,6 +570,9 @@ public boolean process(final TProtocol inProt, final TProtocol outProt) throws T
 if (useProxy) {
 clientUgi = UserGroupInformation.createProxyUser(
 endUser, UserGroupInformation.getLoginUser());
+ // ensure that metastore user has privilege to impersonate the requesting user
+ ProxyUsers.authorize(clientUgi,
+ getRemoteAddress().getHostAddress(), null);
 remoteUser.set(clientUgi.getShortUserName());
 return clientUgi.doAs(new PrivilegedExceptionAction() {
 public Boolean run() {
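Review bot: Only the permitted-impersonation path is exercised in testSaslWithHiveMetaStore: the added `setGroupsInConf(...)` call appears to allow the current user's groups so that token retrieval keeps succeeding. Nothing in this hunk asserts that a caller outside the configured proxy groups or hosts is refused, which is the behaviour the new authorization check exists to enforce. A companion test that leaves the groups unconfigured and expects the metastore call to fail would pin that down. The rest of the test class lies outside the hunk, so such a test may already exist.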
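Review bot: Passing `null` as the configuration argument of `ProxyUsers.authorize(...)` means the decision appears to rest on whatever hadoop.proxyuser.* settings ProxyUsers has already loaded, so entries that live only in the metastore's own configuration may not be consulted. Consider loading them once at server start with `ProxyUsers.refreshSuperUserGroupsConfiguration(conf)` and recording that dependency next to the call, e.g. `// relies on ProxyUsers being initialised from the server conf at startup`. It would also help auditing to log a refused attempt with the real user, the requested end user and the remote address before the exception propagates. How the exception is handled is not visible here, because process() starts and ends outside the hunk.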