[ https://issues.apache.org/jira/browse/HIVE-6857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vaibhav Gumashta updated HIVE-6857:
-----------------------------------
    Description:
Excerpt from HIVE-6837 and related issues:

1. SessionManager#openSession:
{code}
public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
    Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
    throws HiveSQLException {
  HiveSession session;
  if (withImpersonation) {
    HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
    session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
    hiveSessionUgi.setProxySession(session);
  } else {
    session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
        TSetIpAddressProcessor.getUserIpAddress());
  }
  session.setSessionManager(this);
  session.setOperationManager(operationManager);
  session.open();
  handleToSession.put(session.getSessionHandle(), session);
  try {
    executeSessionHooks(session);
  } catch (Exception e) {
    throw new HiveSQLException("Failed to execute session hooks", e);
  }
  return session.getSessionHandle();
}
{code}
Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).

2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.

3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.

4. Consolidate thread locals used for username, ipaddress

5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161

  was:
Excerpt HIVE-6837. Issues:

1. SessionManager#openSession:
{code}
public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
    Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
    throws HiveSQLException {
  HiveSession session;
  if (withImpersonation) {
    HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
    session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
    hiveSessionUgi.setProxySession(session);
  } else {
    session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
        TSetIpAddressProcessor.getUserIpAddress());
  }
  session.setSessionManager(this);
  session.setOperationManager(operationManager);
  session.open();
  handleToSession.put(session.getSessionHandle(), session);
  try {
    executeSessionHooks(session);
  } catch (Exception e) {
    throw new HiveSQLException("Failed to execute session hooks", e);
  }
  return session.getSessionHandle();
}
{code}
Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).

2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.

3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.

4. Consolidate thread locals used for username, ipaddress

5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161

> Refactor HiveServer2 TSetIpAddressProcessor
> -------------------------------------------
>
>                 Key: HIVE-6857
>                 URL: https://issues.apache.org/jira/browse/HIVE-6857
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Vaibhav Gumashta
>            Assignee: Vaibhav Gumashta
>
> Excerpt from HIVE-6837 and related issues:
> 1. SessionManager#openSession:
> {code}
> public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
>     Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
>     throws HiveSQLException {
>   HiveSession session;
>   if (withImpersonation) {
>     HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
>         hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
>     session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
>     hiveSessionUgi.setProxySession(session);
>   } else {
>     session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
>         TSetIpAddressProcessor.getUserIpAddress());
>   }
>   session.setSessionManager(this);
>   session.setOperationManager(operationManager);
>   session.open();
>   handleToSession.put(session.getSessionHandle(), session);
>   try {
>     executeSessionHooks(session);
>   } catch (Exception e) {
>     throw new HiveSQLException("Failed to execute session hooks", e);
>   }
>   return session.getSessionHandle();
> }
> {code}
> Notice that if withImpersonation is set to true, we're using TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong for a kerberized setup (should use HiveAuthFactory#getIpAddress).
> 2. Also, in case of a kerberized setup, we're wrapping the transport in a doAs (with UGI of the HiveServer2 process) which doesn't make sense to me: https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
> 3. The name TSetIpAddressProcessor should be replaced with something more meaningful like TPlainSASLProcessor.
> 4. Consolidate thread locals used for username, ipaddress
> 5. Do not directly use TSetIpAddressProcessor; get it via factory like here:
> https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java#L161

--
This message was sent by Atlassian JIRA (v6.2#6252)
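
The failure mode behind items 1 and 5 of the issue, as an added example that is not part of the original message and is not Hive code: a session that always reads one transport's thread local records no client address when the connection came in through the other transport, while a lookup chosen by auth mode does. Every class, field and method name below is hypothetical, and the model assumes each transport stores the peer address only in its own thread local.

```java
import java.util.function.Supplier;

// Simplified model, not Hive code: every class and method name here is hypothetical.
public class ClientIpLookupDemo {
    // Stand-in for the thread local populated by the plain-SASL processor.
    static final ThreadLocal<String> PLAIN_SASL_IP = new ThreadLocal<>();
    // Stand-in for the thread local populated by the Kerberos transport wrapper.
    static final ThreadLocal<String> KERBEROS_IP = new ThreadLocal<>();

    enum AuthMode { PLAIN_SASL, KERBEROS }

    // Assumption of this model: each transport records the peer address
    // only in its own thread local. Stale values are cleared first because
    // server worker threads are pooled and reused across connections.
    static void acceptConnection(AuthMode mode, String peerIp) {
        PLAIN_SASL_IP.remove();
        KERBEROS_IP.remove();
        if (mode == AuthMode.KERBEROS) {
            KERBEROS_IP.set(peerIp);
        } else {
            PLAIN_SASL_IP.set(peerIp);
        }
    }

    // Pattern criticised in item 1: the session always reads the plain-SASL holder.
    static String ipHardCoded() {
        return PLAIN_SASL_IP.get();
    }

    // Pattern proposed in item 5: a factory that knows the auth mode picks the source.
    static Supplier<String> ipSourceFor(AuthMode mode) {
        return mode == AuthMode.KERBEROS ? KERBEROS_IP::get : PLAIN_SASL_IP::get;
    }

    public static void main(String[] args) {
        String peer = "192.0.2.10"; // constructed sample address (TEST-NET-1)
        for (AuthMode mode : AuthMode.values()) {
            acceptConnection(mode, peer);
            // Under KERBEROS the hard-coded read yields null, so any audit
            // record or IP-based session hook would see no client address.
            System.out.printf("%-10s hard-coded=%s via-factory=%s%n",
                mode, ipHardCoded(), ipSourceFor(mode).get());
        }
    }
}
```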