[
https://issues.apache.org/jira/browse/HIVE-6907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13969412#comment-13969412
]
Thejas M Nair commented on HIVE-6907:
-------------------------------------
I ran some tests to verify it works with doAs=false and no proxy user setting
for the hive server2 process user. (Also added some logging to verify that this
code path is used - which was useful as it reminded me that this code path
doesn't get used with hive 0.12 jdbc driver!)
I have verified that this patch works with unsecure mode, but I haven't yet
verified the behavior with kerberos secured cluster.
{code}
beeline> !connect jdbc:hive2://localhost:10000/ user fakepwd
org.apache.hive.jdbc.HiveDriver
Connecting to jdbc:hive2://localhost:10000/
Connected to: Apache Hive (version 0.13.0)
Driver: Hive JDBC (version 0.13.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000/> set hive.server2.enable.doAs;
+---------------------------------+
| set |
+---------------------------------+
| hive.server2.enable.doAs=false |
+---------------------------------+
1 row selected (0.007 seconds)
0: jdbc:hive2://localhost:10000/> set hadoop.proxyuser.hive.groups;
+--------------------------------------------+
| set |
+--------------------------------------------+
| hadoop.proxyuser.hive.groups is undefined |
+--------------------------------------------+
1 row selected (0.009 seconds)
0: jdbc:hive2://localhost:10000/> set hadoop.proxyuser.hive.hosts;
+-------------------------------------------+
| set |
+-------------------------------------------+
| hadoop.proxyuser.hive.hosts is undefined |
+-------------------------------------------+
1 row selected (0.007 seconds)
0: jdbc:hive2://localhost:10000/> set hadoop.proxyuser.oozie.hosts;
+---------------------------------+
| set |
+---------------------------------+
| hadoop.proxyuser.oozie.hosts=* |
+---------------------------------+
1 row selected (0.007 seconds)
0: jdbc:hive2://localhost:10000/> select count(*) from sample_07 ;
+------+
| _c0 |
+------+
| 823 |
+------+
{code}
> HiveServer2 - wrong user gets used for metastore operation with embedded
> metastore
> ----------------------------------------------------------------------------------
>
> Key: HIVE-6907
> URL: https://issues.apache.org/jira/browse/HIVE-6907
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2
> Affects Versions: 0.13.0
> Reporter: Thejas M Nair
> Assignee: Thejas M Nair
> Priority: Blocker
> Fix For: 0.13.0
>
> Attachments: HIVE-6907.1.patch, HIVE-6907.2.patch, HIVE-6907.3.patch
>
>
> When queries are being run concurrently against HS2, sometimes the wrong user
> ends performing the metastore action and you get an error like -
> {code}
> ..INFO|java.sql.SQLException: Error while processing statement: FAILED:
> Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask.
> MetaException(message:java.security.AccessControlException: action WRITE not
> permitted on path hdfs://example.net:8020/apps/hive/warehouse/tbl_4eeulg9zp4
> for user hrt_qa)
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
