diff --git common/src/java/org/apache/hadoop/hive/conf/HiveConf.java common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 0bff243..337fcc2 100644
--- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -1457,6 +1457,8 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 HIVETEZLOGLEVEL("hive.tez.log.level", "INFO",
 "The log level to use for tasks executing as part of the DAG.\n" +
 "Used only if hive.tez.java.opts is used to configure Java options."),
+ HIVETEZHS2USERACCESS("hive.tez.hs2.user.access", true,
+ "Whether to grant access to the hs2/hive user for queries"),
 HIVEQUERYNAME ("hive.query.name", null,
 "This named is used by Tez to set the dag name. This name in turn will appear on \n" +
 "the Tez UI representing the work that was done."),
diff --git ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java
index 62f65c2..1cc881f 100644
--- ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java
+++ ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java
@@ -41,6 +41,7 @@
 import javax.security.auth.login.LoginException;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
@@ -308,6 +309,8 @@ protected void openInternal(final HiveConf conf, Collection additionalFi
 tezConfig.setInt(TezConfiguration.TEZ_AM_SESSION_MIN_HELD_CONTAINERS, n);
 }
+ setupSessionAcls(tezConfig, conf);
+
 final TezClient session = TezClient.newBuilder("HIVE-" + sessionId, tezConfig)
 .setIsSession(true).setLocalResources(commonLocalResources)
 .setCredentials(llapCredentials).setServicePluginDescriptor(servicePluginsDescriptor)
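Review bot: The description of `hive.tez.hs2.user.access` in the HiveConf hunk does not say what access is granted, and the default of `true` turns the wider grant on for every deployment that picks up this change. As the flag is used in the later hunks, it adds the HiveServer2 login user to the Tez session view ACL and to both the view and modify ACLs of each DAG, so the text should say so, e.g. `"Whether to add the HiveServer2 login user, in addition to the querying user, to the Tez AM view ACL and to the view/modify ACLs of each DAG"`. It would also help to state that the session-level ACL is written only when `TezConfiguration.TEZ_AM_VIEW_ACLS` is blank, since an operator who has already configured that value gets no change from this flag.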
@@ -433,6 +436,37 @@ public void endOpen() throws InterruptedException, CancellationException {
 }
 }
+ private void setupSessionAcls(Configuration tezConf, HiveConf hiveConf) throws
+ IOException {
+ if (HiveConf.getBoolVar(hiveConf, ConfVars.HIVETEZHS2USERACCESS)) {
+ String tezAclConfig = tezConf.get(TezConfiguration.TEZ_AM_VIEW_ACLS);
+ if (StringUtils.isBlank(tezAclConfig)) {
+ String user = SessionState.getUserFromAuthenticator();
+ UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+
+ String aclString = null;
+ if (loginUser != null && user !=null) {
+ if (loginUser.getShortUserName().equals(user)) {
+ aclString = user;
+ } else {
+ aclString = loginUser.getShortUserName() + "," + user;
+ }
+
+ } else {
+ // If either is null, not setting anything. SHould not be the case.
+ LOG.debug(
+ "Not setting acl string since user/loginUser is null. user={}, loginUser={}",
+ user,
+ (loginUser == null ? "null" : loginUser.getShortUserName()));
+ }
+
+ if (aclString != null) {
+ tezConf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, aclString);
+ }
+ }
+ }
+ }
+
 public void refreshLocalResourcesFromConf(HiveConf conf) throws IOException, LoginException, IllegalArgumentException, URISyntaxException, TezException {
diff --git ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezTask.java ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezTask.java
index 69cbe0b..ec5a8d6 100644
--- ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezTask.java
+++ ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezTask.java
@@ -33,6 +33,7 @@
 import javax.annotation.Nullable;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.common.metrics.common.Metrics;
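Review bot: In `setupSessionAcls`, the branch taken when `user` or `loginUser` is null leaves the session ACL unset and reports it only at debug level, even though the comment says this should not happen; an unexpected gap in access-control setup deserves `LOG.warn(...)` with the same message so it shows up in normal logs. The authenticator-supplied `user` is also joined into the ACL value without any check; assuming Tez reads this value as a comma-separated user list followed by a space and a group list, a name containing a comma, a space or `*` would change who is granted view access, so a guard that rejects such names before `tezConf.set` is worth adding. The `StringUtils.isBlank(tezAclConfig)` test means a pre-configured view ACL is left as is, without the querying user or the login user being appended; a one-line comment such as `// An operator-provided view ACL takes precedence; nothing is appended to it.` would make that intent explicit.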
@@ -57,6 +58,7 @@
 import org.apache.hadoop.hive.ql.plan.api.StageType;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.mapred.JobConf;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationReport;
 import org.apache.hadoop.yarn.api.records.LocalResource;
@@ -348,7 +350,7 @@ DAG build(JobConf conf, TezWork work, Path scratchDir,
 dag.setDAGInfo(dagInfo);
 dag.setCredentials(conf.getCredentials());
- setAccessControlsForCurrentUser(dag);
+ setAccessControlsForCurrentUser(dag, conf);
 for (BaseWork w: ws) {
@@ -431,14 +433,32 @@ DAG build(JobConf conf, TezWork work, Path scratchDir,
 return dag;
 }
- public static void setAccessControlsForCurrentUser(DAG dag) {
+ public static void setAccessControlsForCurrentUser(DAG dag,
+ Configuration conf) throws
+ IOException {
 // get current user
 String currentUser = SessionState.getUserFromAuthenticator();
- if(LOG.isDebugEnabled()) {
- LOG.debug("Setting Tez DAG access for " + currentUser);
+ UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+
+ String aclString;
+
+ if (HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVETEZHS2USERACCESS) &&
+ loginUser != null) {
+ // Setup access for user, and hive
+ aclString = currentUser + "," + loginUser;
+ if (loginUser != null) {
+ } else {
+ aclString = currentUser;
+ }
+ } else {
+ aclString = currentUser;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Setting Tez DAG access with aclString= " + aclString);
 }
 // set permissions for current user on DAG
- DAGAccessControls ac = new DAGAccessControls(currentUser, currentUser);
+ DAGAccessControls ac = new DAGAccessControls(aclString, aclString);
 dag.setAccessControls(ac);
 }
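Review bot: In `setAccessControlsForCurrentUser` (last TezTask hunk), `aclString = currentUser + "," + loginUser;` concatenates the `UserGroupInformation` object itself, so the DAG ACL receives its `toString()` text instead of `loginUser.getShortUserName()`, which is what `setupSessionAcls` in TezSessionState uses. The nested `if (loginUser != null) { } else { ... }` can never reach its else branch because the outer condition already requires a non-null `loginUser`, a null `currentUser` would be concatenated as the literal text `null`, and the name is listed twice when both users are the same. The same string is passed as both arguments of `DAGAccessControls`, so the login user receives modify as well as view rights on the DAG; if only visibility is intended, the second argument should stay `currentUser`. The method is public static and its signature changes here, so callers outside this diff need the new `conf` argument and `IOException` handling. The fence shows the ACL construction rewritten with the first two points addressed.

```java
    // get current user
    String currentUser = SessionState.getUserFromAuthenticator();
    String aclString = currentUser;

    if (currentUser != null
        && HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVETEZHS2USERACCESS)) {
      UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
      String loginName = (loginUser == null) ? null : loginUser.getShortUserName();
      // Add the HS2 login user once, by short name, matching setupSessionAcls.
      if (loginName != null && !loginName.equals(currentUser)) {
        aclString = currentUser + "," + loginName;
      }
    }
    // … unchanged: debug log of aclString, DAGAccessControls construction, dag.setAccessControls …
```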