commit 9a55806dae2b868312607fc97be8592188a1c443 Author: Janaki Lahorani Date: Thu Dec 7 10:27:32 2017 -0800 HIVE-18248: Add parameters that need not change at run time to restricted list. hadoop.bin.path and yarn.bin.path are added to restricted list in HiveConf. _hive.tmp_table_space, _hive.hdfs.session.path, and _hive.local.session.path are system parameters holding session specific transient information. These shouldn't be changed by end user. Add test for the restricted list defined in HiveConf.java. Change-Id: I8d47a182872018c8ab58453d79bc1b9ba4b69438 diff --git common/src/java/org/apache/hadoop/hive/conf/HiveConf.java common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 7a81612faaa324ad9650d161c4864557e5088fa7..e94d4085cefd9d0390dca6f3d010b1e9237d63cb 100644 --- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -3578,6 +3578,7 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal HIVE_MM_AVOID_GLOBSTATUS_ON_S3("hive.mm.avoid.s3.globstatus", true, "Whether to use listFiles (optimized on S3) instead of globStatus when on S3."), + // If a parameter is added to the restricted list, add a test in TestRestrictedList.Java HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", "hive.security.authenticator.manager,hive.security.authorization.manager," + "hive.security.metastore.authorization.manager,hive.security.metastore.authenticator.manager," + @@ -3606,7 +3607,9 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal "bonecp.,"+ "hive.druid.broker.address.default,"+ "hive.druid.coordinator.address.default,"+ - "hikari.", + "hikari.,"+ + "hadoop.bin.path,"+ + "yarn.bin.path", "Comma separated list of configuration options which are immutable at runtime"), HIVE_CONF_HIDDEN_LIST("hive.conf.hidden.list", METASTOREPWD.varname + "," + HIVE_SERVER2_SSL_KEYSTORE_PASSWORD.varname @@ -4748,6 +4751,10 @@ public static void setHiveSiteLocation(URL location) { hiveSiteURL = location; } + public static void setHivemetastoreSiteUrl(URL location) { + hivemetastoreSiteUrl = location; + } + public static URL getHiveSiteLocation() { return hiveSiteURL; } diff --git data/conf/rlist/hive-site.xml data/conf/rlist/hive-site.xml new file mode 100644 index 0000000000000000000000000000000000000000..9de00e56183a8f078257feb0dd316bcddbdd8b08 --- /dev/null +++ data/conf/rlist/hive-site.xml @@ -0,0 +1,322 @@ + + + + + + + + hive.in.test + true + Internal marker for test. Used for masking env-dependent values + + + + + + + + + + + hadoop.tmp.dir + ${test.tmp.dir}/hadoop-tmp + A base for other temporary directories. + + + + + + hive.exec.scratchdir + ${test.tmp.dir}/scratchdir + Scratch space for Hive jobs + + + + hive.exec.local.scratchdir + ${test.tmp.dir}/localscratchdir/ + Local scratch space for Hive jobs + + + + datanucleus.schema.autoCreateAll + true + + + + hive.metastore.schema.verification + false + + + + javax.jdo.option.ConnectionURL + jdbc:derby:memory:${test.tmp.dir}/junit_metastore_db;create=true + + + + javax.jdo.option.ConnectionDriverName + org.apache.derby.jdbc.EmbeddedDriver + + + + javax.jdo.option.ConnectionUserName + APP + + + + javax.jdo.option.ConnectionPassword + mine + + + + + hive.metastore.warehouse.dir + ${test.warehouse.dir} + + + + + hive.metastore.metadb.dir + file://${test.tmp.dir}/metadb/ + + Required by metastore server or if the uris argument below is not supplied + + + + + test.log.dir + ${test.tmp.dir}/log/ + + + + + test.data.files + ${hive.root}/data/files + + + + + test.data.scripts + ${hive.root}/data/scripts + + + + + hive.jar.path + ${maven.local.repository}/org/apache/hive/hive-exec/${hive.version}/hive-exec-${hive.version}.jar + + + + + hive.metastore.rawstore.impl + org.apache.hadoop.hive.metastore.ObjectStore + Name of the class that implements org.apache.hadoop.hive.metastore.rawstore interface. This class is used to store and retrieval of raw metadata objects such as table, database + + + + hive.querylog.location + ${test.tmp.dir}/tmp + Location of the structured hive logs + + + + hive.exec.pre.hooks + org.apache.hadoop.hive.ql.hooks.PreExecutePrinter, org.apache.hadoop.hive.ql.hooks.EnforceReadOnlyTables + Pre Execute Hook for Tests + + + + hive.exec.post.hooks + org.apache.hadoop.hive.ql.hooks.PostExecutePrinter + Post Execute Hook for Tests + + + + hive.support.concurrency + true + Whether hive supports concurrency or not. A zookeeper instance must be up and running for the default hive lock manager to support read-write locks. + + + + hive.unlock.numretries + 2 + The number of times you want to retry to do one unlock + + + + hive.lock.sleep.between.retries + 2 + The sleep time (in seconds) between various retries + + + + + fs.pfile.impl + org.apache.hadoop.fs.ProxyLocalFileSystem + A proxy for local file system used for cross file system testing + + + + hive.exec.mode.local.auto + false + + Let hive determine whether to run in local mode automatically + Disabling this for tests so that minimr is not affected + + + + + hive.auto.convert.join + false + Whether Hive enable the optimization about converting common join into mapjoin based on the input file size + + + + hive.ignore.mapjoin.hint + false + Whether Hive ignores the mapjoin hint + + + + hive.input.format + org.apache.hadoop.hive.ql.io.CombineHiveInputFormat + The default input format, if it is not specified, the system assigns it. It is set to HiveInputFormat for hadoop versions 17, 18 and 19, whereas it is set to CombineHiveInputFormat for hadoop 20. The user can always overwrite it - if there is a bug in CombineHiveInputFormat, it can always be manually set to HiveInputFormat. + + + + hive.default.rcfile.serde + org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe + The default SerDe hive will use for the rcfile format + + + + hive.stats.key.prefix.reserve.length + 0 + + + + hive.exec.submit.local.task.via.child + false + + + + + hive.dummyparam.test.server.specific.config.override + from.hive-site.xml + Using dummy param to test server specific configuration + + + + hive.dummyparam.test.server.specific.config.hivesite + from.hive-site.xml + Using dummy param to test server specific configuration + + + + test.var.hiveconf.property + ${hive.exec.default.partition.name} + Test hiveconf property substitution + + + + test.property1 + value1 + Test property defined in hive-site.xml only + + + + hive.test.dummystats.aggregator + value2 + + + + hive.fetch.task.conversion + minimal + + + + hive.users.in.admin.role + hive_admin_user + + + + hive.security.authorization.manager + org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest + The Hive client authorization manager class name. + + + + hive.llap.io.cache.orc.size + 8388608 + + + + hive.llap.io.cache.orc.arena.size + 8388608 + + + + hive.llap.io.cache.orc.alloc.max + 2097152 + + + + + hive.llap.io.cache.orc.alloc.min + 32768 + + + + hive.llap.cache.allow.synthetic.fileid + true + + + + hive.llap.io.use.lrfu + true + + + + + hive.llap.io.allocator.direct + false + + + + + hive.materializedview.rewriting + true + + + + hive.stats.fetch.bitvector + true + + + + + yarn.nodemanager.disk-health-checker.max-disk-utilization-per-disk-percentage + 99 + + + diff --git data/conf/rlist/hivemetastore-site.xml data/conf/rlist/hivemetastore-site.xml new file mode 100644 index 0000000000000000000000000000000000000000..d1a5a288d0474715eeae8f37dd350156db195311 --- /dev/null +++ data/conf/rlist/hivemetastore-site.xml @@ -0,0 +1,35 @@ + + + + + + + + + hive.dummyparam.test.server.specific.config.override + from.hivemetastore-site.xml + Using dummy param to test server specific configuration + + + + hive.dummyparam.test.server.specific.config.metastoresite + from.hivemetastore-site.xml + Using dummy param to test server specific configuration + + + diff --git itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestRestrictedList.java itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestRestrictedList.java new file mode 100644 index 0000000000000000000000000000000000000000..1ec77b027ed40c4bd45995494a8f479802e63475 --- /dev/null +++ itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestRestrictedList.java @@ -0,0 +1,192 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hive.jdbc; + +import java.io.File; +import java.net.URL; +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.Statement; +import java.util.HashMap; +import java.util.Map; +import java.util.Set; +import java.util.HashSet; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hive.jdbc.miniHS2.MiniHS2; +import org.junit.AfterClass; +import org.junit.BeforeClass; + +import org.junit.Test; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +public class TestRestrictedList { + private static MiniHS2 miniHS2 = null; + private static URL oldHiveSiteURL = null; + private static URL oldHiveMetastoreSiteURL = null; + private static Map expectedRestrictedMap = new HashMap<>(); + private static HiveConf hiveConf = null; + + @BeforeClass + public static void startServices() throws Exception { + Class.forName(MiniHS2.getJdbcDriverName()); + + oldHiveSiteURL = HiveConf.getHiveSiteLocation(); + oldHiveMetastoreSiteURL = HiveConf.getMetastoreSiteLocation(); + String confDir = "../../data/conf/rlist/"; + HiveConf.setHiveSiteLocation( + new URL("file://" + new File(confDir).toURI().getPath() + "/hive-site.xml")); + System.out.println("Setting hive-site: " + HiveConf.getHiveSiteLocation()); + HiveConf.setHivemetastoreSiteUrl( + new URL("file://" + new File(confDir).toURI().getPath() + "/hivemetastore-site.xml")); + System.out.println("Setting hive-site: " + HiveConf.getHiveSiteLocation()); + + hiveConf = new HiveConf(); + hiveConf.setIntVar(ConfVars.HIVE_SERVER2_THRIFT_MIN_WORKER_THREADS, 1); + hiveConf.setIntVar(ConfVars.HIVE_SERVER2_THRIFT_MAX_WORKER_THREADS, 1); + hiveConf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, false); + + miniHS2 = new MiniHS2.Builder().withMiniMR().withRemoteMetastore().withConf(hiveConf).build(); + miniHS2.start(new HashMap()); + + // Add the parameter here if it cannot change at runtime + addToExpectedRestrictedMap("hive.conf.restricted.list"); + addToExpectedRestrictedMap("hive.security.authenticator.manager"); + addToExpectedRestrictedMap("hive.security.authorization.manager"); + addToExpectedRestrictedMap("hive.security.metastore.authorization.manager"); + addToExpectedRestrictedMap("hive.security.metastore.authenticator.manager"); + addToExpectedRestrictedMap("hive.users.in.admin.role"); + addToExpectedRestrictedMap("hive.server2.xsrf.filter.enabled"); + addToExpectedRestrictedMap("hive.security.authorization.enabled"); + addToExpectedRestrictedMap("hive.distcp.privileged.doAs"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.baseDN"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.url"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.Domain"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.groupDNPattern"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.groupFilter"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.userDNPattern"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.userFilter"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.groupMembershipKey"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.userMembershipKey"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.groupClassKey"); + addToExpectedRestrictedMap("hive.server2.authentication.ldap.customLDAPQuery"); + addToExpectedRestrictedMap("hive.spark.client.channel.log.level"); + addToExpectedRestrictedMap("hive.spark.client.secret.bits"); + addToExpectedRestrictedMap("hive.spark.client.rpc.server.address"); + addToExpectedRestrictedMap("hive.spark.client.rpc.server.port"); + addToExpectedRestrictedMap("hive.spark.client.rpc.sasl.mechanisms"); + addToExpectedRestrictedMap("bonecp.test"); + addToExpectedRestrictedMap("hive.druid.broker.address.default"); + addToExpectedRestrictedMap("hive.druid.coordinator.address.default"); + addToExpectedRestrictedMap("hikari.test"); + addToExpectedRestrictedMap("hadoop.bin.path"); + addToExpectedRestrictedMap("yarn.bin.path"); + addToExpectedRestrictedMap("hive.spark.client.connect.timeout"); + addToExpectedRestrictedMap("hive.spark.client.server.connect.timeout"); + addToExpectedRestrictedMap("hive.spark.client.rpc.max.size"); + addToExpectedRestrictedMap("hive.spark.client.rpc.threads"); + addToExpectedRestrictedMap("_hive.local.session.path"); + addToExpectedRestrictedMap("_hive.tmp_table_space"); + addToExpectedRestrictedMap("_hive.hdfs.session.path"); + addToExpectedRestrictedMap("hive.spark.client.rpc.server.address"); + } + + @AfterClass + public static void stopServices() throws Exception { + if (miniHS2 != null && miniHS2.isStarted()) { + miniHS2.stop(); + } + HiveConf.setHivemetastoreSiteUrl(oldHiveMetastoreSiteURL); + HiveConf.setHiveSiteLocation(oldHiveSiteURL); + } + + @Test + public void testRestrictedList() throws Exception { + assertTrue("Test setup failed. MiniHS2 is not initialized", + miniHS2 != null && miniHS2.isStarted()); + + checkRestrictedListMatch(); + + try (Connection hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL(), "hive", "hive"); + Statement stmt = hs2Conn.createStatement();) { + for (Map.Entry entry : expectedRestrictedMap.entrySet()) { + String parameter = entry.getKey(); + String value = entry.getValue(); + + try { + stmt.execute("set " + parameter + "=" + value); + fail("Exception not thrown for parameter: " + parameter); + } catch (Exception e1) { + assertTrue("Unexpected exception: " + e1.getMessage(), + e1.getMessage().contains("Error while processing statement: Cannot modify")); + } + } + } catch (Exception e2) { + fail("Unexpected Exception: " + e2.getMessage()); + } + } + + // This test will make sure that every entry in hive.conf.restricted.list, has a test here + private void checkRestrictedListMatch(){ + HiveConf.ConfVars restrictedConfVar = HiveConf.getConfVars("hive.conf.restricted.list"); + String definedRestrictedListString = HiveConf.getVar(hiveConf, restrictedConfVar); + Set definedRestrictedSet = new HashSet(); + + definedRestrictedSet.clear(); + assertTrue(definedRestrictedListString != null); + + // populate definedRestrictedSet with parameters defined in hive.conf.restricted.list + for (String entry : definedRestrictedListString.split(",")) { + definedRestrictedSet.add(entry.trim()); + } + + // remove all parameters that are tested. if the parameter is tested it is part of + // expectedRestrictedMap + definedRestrictedSet.removeAll(expectedRestrictedMap.keySet()); + + // the remaining parameters in definedRestrictedSet are starting parameter name + for (String definedRestrictedParameter : definedRestrictedSet) { + boolean definedRestrictedParameterTested = false; + for (String expectedRestrictedParameter : expectedRestrictedMap.keySet()) { + if (expectedRestrictedParameter.startsWith(definedRestrictedParameter)) { + definedRestrictedParameterTested = true; + break; + } + } + assertTrue(definedRestrictedParameter + " not tested.", definedRestrictedParameterTested); + } + } + + private static void addToExpectedRestrictedMap(String parameter) { + HiveConf.ConfVars confVars = HiveConf.getConfVars(parameter); + String value = "foo"; + + if (confVars != null) { + if (confVars.isType("foo") && confVars.validate("foo") == null) { + value = "foo"; + } else if (confVars.isType("1s") && confVars.validate("1s") == null) { + value = "1s"; + } else if (confVars.isType("1") && confVars.validate("1") == null) { + value = "1"; + } + } + expectedRestrictedMap.put(parameter, value); + } +} diff --git ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java index bb6ddc6fa4667ac0e30994d0f9ee8b969542383c..4a9fba28991267f12bbf0332b54e59e0315c0925 100644 --- ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java +++ ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java @@ -718,6 +718,13 @@ private void createSessionDirs(String userName) throws IOException { // Don't register with deleteOnExit createPath(conf, hdfsTmpTableSpace, scratchDirPermission, false, false); conf.set(TMP_TABLE_SPACE_KEY, hdfsTmpTableSpace.toUri().toString()); + + // _hive.tmp_table_space, _hive.hdfs.session.path, and _hive.local.session.path are respectively + // saved in hdfsTmpTableSpace, hdfsSessionPath and localSessionPath. Saving them as conf + // variables is useful to expose them to end users. But, end users shouldn't change them. + // Adding them to restricted list. + conf.addToRestrictList( + LOCAL_SESSION_PATH_KEY + "," + HDFS_SESSION_PATH_KEY + "," + TMP_TABLE_SPACE_KEY); } /** diff --git ql/src/test/queries/clientnegative/change_hive_hdfs_session_path.q ql/src/test/queries/clientnegative/change_hive_hdfs_session_path.q new file mode 100644 index 0000000000000000000000000000000000000000..d3f3a215e0af272cf2826a6be0dc94d60da10225 --- /dev/null +++ ql/src/test/queries/clientnegative/change_hive_hdfs_session_path.q @@ -0,0 +1,2 @@ +set _hive.hdfs.session.path; +set _hive.hdfs.session.path=foo; diff --git ql/src/test/queries/clientnegative/change_hive_local_session_path.q ql/src/test/queries/clientnegative/change_hive_local_session_path.q new file mode 100644 index 0000000000000000000000000000000000000000..64778620a619c81767e2d217abb1c11b03b53c93 --- /dev/null +++ ql/src/test/queries/clientnegative/change_hive_local_session_path.q @@ -0,0 +1,2 @@ +set _hive.local.session.path; +set _hive.local.session.path=foo; diff --git ql/src/test/queries/clientnegative/change_hive_tmp_table_space.q ql/src/test/queries/clientnegative/change_hive_tmp_table_space.q new file mode 100644 index 0000000000000000000000000000000000000000..6fb82f594d87d1fe91c0920ad1cfe47f5e071c6f --- /dev/null +++ ql/src/test/queries/clientnegative/change_hive_tmp_table_space.q @@ -0,0 +1,2 @@ +set _hive.tmp_table_space; +set _hive.tmp_table_space=foo; diff --git ql/src/test/results/clientnegative/change_hive_hdfs_session_path.q.out ql/src/test/results/clientnegative/change_hive_hdfs_session_path.q.out new file mode 100644 index 0000000000000000000000000000000000000000..d69d501be5194bf70562053cdf4ceec41c041128 --- /dev/null +++ ql/src/test/results/clientnegative/change_hive_hdfs_session_path.q.out @@ -0,0 +1,2 @@ +#### A masked pattern was here #### +Query returned non-zero code: 1, cause: Cannot modify _hive.hdfs.session.path at runtime. It is in the list of parameters that can't be modified at runtime or is prefixed by a restricted variable diff --git ql/src/test/results/clientnegative/change_hive_local_session_path.q.out ql/src/test/results/clientnegative/change_hive_local_session_path.q.out new file mode 100644 index 0000000000000000000000000000000000000000..2a7093f4d874c3eab61c88222245d00bdb8ce1b3 --- /dev/null +++ ql/src/test/results/clientnegative/change_hive_local_session_path.q.out @@ -0,0 +1,2 @@ +#### A masked pattern was here #### +Query returned non-zero code: 1, cause: Cannot modify _hive.local.session.path at runtime. It is in the list of parameters that can't be modified at runtime or is prefixed by a restricted variable diff --git ql/src/test/results/clientnegative/change_hive_tmp_table_space.q.out ql/src/test/results/clientnegative/change_hive_tmp_table_space.q.out new file mode 100644 index 0000000000000000000000000000000000000000..9d6abdae4f748f880d4b72d2de0ff07841613492 --- /dev/null +++ ql/src/test/results/clientnegative/change_hive_tmp_table_space.q.out @@ -0,0 +1,2 @@ +#### A masked pattern was here #### +Query returned non-zero code: 1, cause: Cannot modify _hive.tmp_table_space at runtime. It is in the list of parameters that can't be modified at runtime or is prefixed by a restricted variable