[jira] [Commented] (HIVE-17853) RetryingMetaStoreClient loses UGI impersonation-context when reconnecting after timeout

Tue, 31 Oct 2017 10:14:29 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-17853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16227126#comment-16227126
 ] 

Vihang Karajgaonkar commented on HIVE-17853:
--------------------------------------------

Thanks for the patch [~cdrome]. I am curious to understand why this happens. 
When impersonation is turned on the HMSClient is instantiated from the 
HiveSessionImplWithUGI and it does a doAs() when instantiating the client. All 
subsequent actions coming via HS2 should also do a doAs() using the 
sessionProxy. Is this happening in case of HCatalog (I am not very familiar 
with HCatalog)? It would be great if you provide some call-stack or example of 
when this happens. Thanks!

Took a quick look at the patch. Couple questions.
if (this.ugi == null) {
78            LOG.warn("RetryingMetaStoreClient unable to determine current 
user UGI.");
79          }

Will ugi ever be null? If not, may be this check is redundant.
Can you also add a test case if possible?

Thanks!

> RetryingMetaStoreClient loses UGI impersonation-context when reconnecting 
> after timeout
> ---------------------------------------------------------------------------------------
>
>                 Key: HIVE-17853
>                 URL: https://issues.apache.org/jira/browse/HIVE-17853
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 3.0.0, 2.4.0, 2.2.1
>            Reporter: Mithun Radhakrishnan
>            Assignee: Chris Drome
>            Priority: Critical
>         Attachments: HIVE-17853.01-branch-2.2.patch, 
> HIVE-17853.01-branch-2.patch, HIVE-17853.01.patch
>
>
> The {{RetryingMetaStoreClient}} is used to automatically reconnect to the 
> Hive metastore, after client timeout, transparently to the user.
> In case of user impersonation (e.g. Oozie super-user {{oozie}} impersonating 
> a Hadoop user {{mithun}}, to run a workflow), in case of timeout, we find 
> that the reconnect causes the {{UGI.doAs()}} context to be lost. Any further 
> metastore operations will be attempted as the login-user ({{oozie}}), as 
> opposed to the effective user ({{mithun}}).
> We should have a fix for this shortly.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to