[jira] [Commented] (HIVE-13445) LLAP: token should encode application and cluster ids

Mon, 25 Apr 2016 02:51:32 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-13445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15256168#comment-15256168
 ] 

Siddharth Seth commented on HIVE-13445:
---------------------------------------

bq. Is the yarn option already used somewhere? We could just change the utility 
method to use it too.
Think this should be a separate jira. Will create one.

bq. Don't understand. Can you elaborate?
A token can be obtained in case of Tez as well, with the hive sessionId passed 
in, instead of having an alternate path where appId is sent is as null. This 
would require a lot more work on the LLAP side to associate queries with a 
sessionId rather than an appId, so it may not be worthwhile right now.

bq. Separate JIRA?
Think it's worthwhile adding basic tests as part of the patch itself, and a 
separate jira for more comprehensive system tests.

More comments on RB.

Thinking on loud on appId in the token...
With default and recommended settings post HIVE-13446, only HS2 can obtain 
delegation tokens or a CLI instance / client which has the hiveserver/llap user 
kerberos credentials. In this case, users cannot easily fake the appSecret in a 
token - and llap should be able to trust the appSecret from the token without 
it being explicitly signed.
Also, should we pass in a user in the getDelegationToken request either in 
place of appSecret or along with it. HS2 can set this user to the actual 
requesting user, otherwise the token is being issued with the user set to hive. 
getRealUser does not work afaik without proxy users being setup correctly.

On the association of TokenUser / TokenApp on the first request
QueryInfo already contains the appIdString and username. The token should be a 
duplicate of this. If anything we can verify the submitRequest and the token 
match like you mentioned. Subsequent requests already have the associated 
username / appId. I don't think the new fields in QueryInfo are required.



> LLAP: token should encode application and cluster ids
> -----------------------------------------------------
>
>                 Key: HIVE-13445
>                 URL: https://issues.apache.org/jira/browse/HIVE-13445
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13445.01.patch, HIVE-13445.02.patch, 
> HIVE-13445.03.patch, HIVE-13445.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to