ATLAS-1364 HiveHook : Fix Auth issue with doAs (sumasai) (cherry picked from commit ed4ae0e3ea7ef5646e8ecc30143929e21b8aaab4)
Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/9325dd6e Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/9325dd6e Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/9325dd6e Branch: refs/heads/0.7-incubating Commit: 9325dd6ecd2cfdccd0a3e759c2af0e7537cd9496 Parents: 3407303 Author: Suma Shivaprasad <[email protected]> Authored: Mon Dec 12 15:25:31 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Dec 27 15:47:12 2016 -0800 ---------------------------------------------------------------------- .../org/apache/atlas/hive/hook/HiveHook.java | 49 ++++++++++++++++---- .../java/org/apache/atlas/hook/AtlasHook.java | 9 +++- release-log.txt | 1 + 3 files changed, 48 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/9325dd6e/addons/hive-bridge/src/main/java/org/apache/atlas/hive/hook/HiveHook.java ----------------------------------------------------------------------
diff --git a/addons/hive-bridge/src/main/java/org/apache/atlas/hive/hook/HiveHook.java b/addons/hive-bridge/src/main/java/org/apache/atlas/hive/hook/HiveHook.java
index a3464a0..1239551 100755
--- a/addons/hive-bridge/src/main/java/org/apache/atlas/hive/hook/HiveHook.java
+++ b/addons/hive-bridge/src/main/java/org/apache/atlas/hive/hook/HiveHook.java
@@ -49,6 +49,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.metadata.Partition;
 import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
+import org.apache.hadoop.hive.shims.Utils;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.ShutdownHookManager;
 import org.json.JSONObject;
@@ -57,6 +58,7 @@ import org.slf4j.LoggerFactory; import java.net.MalformedURLException; import java.net.URI; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Comparator; import java.util.Date; @@ -71,6 +73,7 @@ import java.util.SortedMap; import java.util.SortedSet; import java.util.TreeMap; import java.util.TreeSet; +import java.util.concurrent.Callable; import java.util.concurrent.ExecutorService; import java.util.concurrent.LinkedBlockingQueue; import java.util.concurrent.ThreadPoolExecutor; @@ -168,15 +171,15 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { public void run(final HookContext hookContext) throws Exception { // clone to avoid concurrent access try { - final HiveConf conf = new HiveConf(hookContext.getConf()); - final HiveEventContext event = new HiveEventContext(); event.setInputs(hookContext.getInputs()); event.setOutputs(hookContext.getOutputs()); event.setJsonPlan(getQueryPlan(hookContext.getConf(), hookContext.getQueryPlan())); event.setHookType(hookContext.getHookType()); - event.setUgi(hookContext.getUgi()); - event.setUser(getUser(hookContext.getUserName())); + + final UserGroupInformation ugi = hookContext.getUgi() == null ? Utils.getUGI() : hookContext.getUgi(); + event.setUgi(ugi); + event.setUser(getUser(hookContext.getUserName(), hookContext.getUgi())); event.setOperation(OPERATION_MAP.get(hookContext.getOperationName())); event.setQueryId(hookContext.getQueryPlan().getQueryId()); event.setQueryStr(hookContext.getQueryPlan().getQueryStr()); 
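Review bot: In the `run(HookContext)` hunk of HiveHook.java, `event.setUser(getUser(hookContext.getUserName(), hookContext.getUgi()))` still passes the raw `hookContext.getUgi()` although the line above stores the resolved `ugi`. When the context carries no UGI, the event's user name and the identity later used for `doAs` therefore come from two separate lookups (`Utils.getUGI()` here, `UserGroupInformation.getCurrentUser()` inside `getUser`) that may not agree. Passing the resolved value, `event.setUser(getUser(hookContext.getUserName(), ugi));`, keeps the recorded user and the acting identity tied to one source. The surviving context comment `// clone to avoid concurrent access` no longer describes anything now that the `new HiveConf(...)` copy is removed, and should be dropped or reworded. `run` continues past the end of this hunk.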
@@ -184,13 +187,31 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { event.setQueryType(hookContext.getQueryPlan().getQueryPlan().getQueryType()); if (executor == null) { - fireAndForget(event); + collect(event); + notifyAsPrivilegedAction(event); } else { executor.submit(new Runnable() { @Override public void run() { try { - fireAndForget(event); + ugi.doAs(new PrivilegedExceptionAction<Object>() { + @Override + public Object run() throws Exception { + collect(event); + return event; + } + }); + + //Notify as 'hive' service user in Kerberos mode else will default to the current user - doAs mode + UserGroupInformation realUser = ugi.getRealUser(); + if (realUser != null) { + LOG.info("Sending notification for event {} as service user {} ", event.getOperation(), realUser.getShortUserName()); + realUser.doAs(notifyAsPrivilegedAction(event)); + } else { + //Unsecure or without doAs + LOG.info("Sending notification for event {} as current user {} ", event.getOperation(), ugi.getShortUserName()); + ugi.doAs(notifyAsPrivilegedAction(event)); + } } catch (Throwable e) { LOG.error("Atlas hook failed due to error ", e); } 
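Review bot: In the `executor == null` branch of `run`, `notifyAsPrivilegedAction(event);` is called as a bare statement, but the helper added in the `@@ -202,11 +223,21 @@` hunk only builds and returns a `PrivilegedExceptionAction`, and the `@@ -278,8 +309,6 @@` hunk removes the `notifyEntities` call from the collection method. As far as these hunks show, the synchronous path now collects messages and never sends them. The minimal fix is to execute the action, `notifyAsPrivilegedAction(event).run();`. It would be better still to move the real-user/current-user selection from the executor branch into one private helper that both branches call, so that synchronous and asynchronous notifications are sent under the same identity. The enclosing `run` method starts before this hunk and ends after it.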
@@ -202,11 +223,21 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { } } - private void fireAndForget(HiveEventContext event) throws Exception { + PrivilegedExceptionAction<Object> notifyAsPrivilegedAction(final HiveEventContext event) { + return new PrivilegedExceptionAction<Object>() { + @Override + public Object run() throws Exception { + notifyEntities(event.getMessages()); + return event; + } + }; + } + + private void collect(HiveEventContext event) throws Exception { assert event.getHookType() == HookContext.HookType.POST_EXEC_HOOK : "Non-POST_EXEC_HOOK not supported!"; - LOG.info("Entered Atlas hook for hook type {} operation {}", event.getHookType(), event.getOperation()); + LOG.info("Entered Atlas hook for hook type {}, operation {} , user {} as {}", event.getHookType(), event.getOperation(), event.getUgi().getRealUser(), event.getUgi().getShortUserName()); HiveMetaStoreBridge dgiBridge = new HiveMetaStoreBridge(atlasProperties, hiveConf); @@ -278,8 +309,6 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { default: } - - notifyEntities(event.getMessages()); } private void deleteTable(HiveMetaStoreBridge dgiBridge, HiveEventContext event) { http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/9325dd6e/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java ---------------------------------------------------------------------- diff --git a/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java b/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java index 04ee9c0..5bdd5d3 100644 --- a/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java +++ b/notification/src/main/java/org/apache/atlas/hook/AtlasHook.java 
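Review bot: The new INFO line in `collect` (HiveHook.java) passes `event.getUgi().getRealUser()` straight to the logger, and that value is `null` whenever the caller is not a proxy user, so the entry reads `user null as <name>` in the non-doAs case. When it is set, the full `UserGroupInformation` string is printed rather than a short name. Since this is the line an operator reads to see who triggered the hook, format both identities the same way, for example `UserGroupInformation realUser = event.getUgi().getRealUser();` and then log `realUser == null ? "-" : realUser.getShortUserName()`. `notifyAsPrivilegedAction` would also benefit from a short Javadoc saying that it only constructs the action and that the caller must run it under the intended identity. `collect` continues beyond this hunk.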
@@ -189,18 +189,25 @@ public abstract class AtlasHook { public static String getUser(String userName, UserGroupInformation ugi) { if (StringUtils.isNotEmpty(userName)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Returning userName {} " + userName); + } return userName; } if (ugi != null && StringUtils.isNotEmpty(ugi.getShortUserName())) { + if (LOG.isDebugEnabled()) { + LOG.debug("Returning ugi.getShortUserName {} " + userName); + } return ugi.getShortUserName(); } try { return UserGroupInformation.getCurrentUser().getShortUserName(); } catch (IOException e) { - LOG.warn("Failed for UserGroupInformation.getCurrentUser()"); + LOG.warn("Failed for UserGroupInformation.getCurrentUser() ", e); return System.getProperty("user.name"); } } + } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/9325dd6e/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 8f956f9..7fcbb16 100644 --- a/release-log.txt +++ b/release-log.txt @@ -32,6 +32,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags) ALL CHANGES: +ATLAS-1364 HiveHook : Fix Auth issue with doAs (sumasai) ATLAS-1403 Performance fixes for search, lineage ATLAS-1342 Titan Solrclient - Add timeouts for zookeeper connect and session (sumasai) ATLAS-1402 fix UI input validation
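Review bot: In `AtlasHook.getUser`, both new debug statements concatenate the value onto a format string that still contains `{}`, so the output shows a literal `{}` before the name. The second statement also prints `userName`, which is known to be empty in that branch, instead of the value actually returned. Use the parameterized form, `LOG.debug("Returning userName {}", userName);` and `LOG.debug("Returning ugi.getShortUserName {}", ugi.getShortUserName());`, after which the `isDebugEnabled()` guards are no longer needed. These lines are the only trace of which fallback supplied the user name, so the wrong value makes identity problems harder to diagnose.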
