[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270396#comment-15270396 ] Lefty Leverenz commented on HIVE-13446:

Doc note: This adds *hive.llap.daemon.acl.blocked* and *hive.llap.management.acl.blocked* to HiveConf.java so they need to be documented in the wiki for release 2.1.0.

* [Configuration Properties -- LLAP | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-LLAP]
* [LLAP | https://cwiki.apache.org/confluence/display/Hive/LLAP]

> LLAP: set default management protocol acls to deny all
> --
>
> Key: HIVE-13446
> URL: https://issues.apache.org/jira/browse/HIVE-13446
> Project: Hive
> Issue Type: Bug
> Reporter: Sergey Shelukhin
> Assignee: Sergey Shelukhin
> Labels: TODOC2.1
> Fix For: 2.1.0
>
> Attachments: HIVE-13446.patch
>
>
> The user needs to set the acls.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15267077#comment-15267077 ] Sergey Shelukhin commented on HIVE-13446:

Btw, this does not apply to daemon acls; these can be set to anything.
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265367#comment-15265367 ] Hitesh Shah commented on HIVE-13446:

If you are using the hadoop acls impl, setting it to a string with a single space blocks everyone.
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265366#comment-15265366 ] Hitesh Shah commented on HIVE-13446:

Setting tez acls to empty string will allow only the AM user to view all details and the dag owner to view dag specific details.
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265214#comment-15265214 ] Siddharth Seth commented on HIVE-13446:

The patch itself works - to restrict access to the llap user only. +1 from that perspective. Think it'll be a little confusing if "hive.llap.daemon.acl" is set to *, and other users are still not able to login.

[~hitesh] - do you happen to know if the logged in user will be allowed if the ACL is set to " ", and the user connecting is the same logged in user with kerberos credentials?
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15261179#comment-15261179 ] Sergey Shelukhin commented on HIVE-13446:

{noformat}
Is the LLAP_VALIDATE_ACLS property really needed ? Why not always have this enabled.
{noformat}

In case it breaks for someone for a reason we cannot foresee. This setting will also be used to enforce checking ZK acls.

{noformat}
Changing the default for "hive.llap.management.acl" to " " instead of "*" seems to be a simpler approach. Afaik, the logged in user will still be allowed access. The default would allow only the logged in user (assuming that works). Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if they want to grant access to additional users.
{noformat}

I am not sure if this is going to work. We'd need to return the client principal key from KerberosInfo; even then, the verification is done like so:

{noformat}
String clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
...
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || ... reject
{noformat}

It appears to require kinit with the host name from client. [~jingzhao] can you comment on this? Does IPC allow the current user to access the service, even if they logged in with keytab as u...@blah.com, not user/a...@blah.com? If I understand the code in ServiceAuthorizationManager correctly, it doesn't appear to.

{noformat}
hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any project outside of Hadoop is supposed to use this in a reliable manner. Maybe define the man acl configuration as a string and add the blocked to it - to prevent strange naming problems mentioned in the code.
{noformat}

Hmm. How would adding the same thing to it be safer?
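To see what the single-space ACL value discussed by Hitesh Shah and Sergey Shelukhin above actually does at the Hadoop RPC layer, here is an added example (not part of the HIVE-13446 patch or the Hive code base) that feeds constructed ACL settings through Hadoop's own ServiceAuthorizationManager, using the same `.blocked` key suffix that class appends. It assumes hadoop-common 2.6 or later on the classpath; the `LlapAclDemo` class, the `LlapManagementStandIn` protocol interface and the user names `hive` and `alice` are stand-ins made up for the demo.

```java
import java.net.InetAddress;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.PolicyProvider;
import org.apache.hadoop.security.authorize.Service;
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;

public class LlapAclDemo {
    // Hypothetical stand-in for the LLAP management protocol: ServiceAuthorizationManager
    // keys its ACLs by protocol class, so any interface works for the demo.
    interface LlapManagementStandIn {}

    static final String ACL_KEY = "hive.llap.management.acl";
    // Mirrors ServiceAuthorizationManager.BLOCKED, the suffix the thread calls brittle.
    static final String BLOCKED_SUFFIX = ".blocked";

    // Maps the ACL key to the protocol, as a PolicyProvider for the daemon would.
    static final PolicyProvider PROVIDER = new PolicyProvider() {
        @Override
        public Service[] getServices() {
            return new Service[] { new Service(ACL_KEY, LlapManagementStandIn.class) };
        }
    };

    /** True when `user` is on the allow ACL and not on the blocked ACL. */
    static boolean authorized(String allowAcl, String blockedAcl, String user) {
        Configuration conf = new Configuration(false);   // no site defaults, constructed values only
        conf.set(ACL_KEY, allowAcl);
        conf.set(ACL_KEY + BLOCKED_SUFFIX, blockedAcl);
        ServiceAuthorizationManager sam = new ServiceAuthorizationManager();
        sam.refreshWithLoadedConfiguration(conf, PROVIDER);
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, new String[] {"users"});
        try {
            sam.authorize(ugi, LlapManagementStandIn.class, conf, InetAddress.getLoopbackAddress());
            return true;
        } catch (AuthorizationException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Hadoop's default "*": every authenticated caller reaches the protocol.
        System.out.println("allow='*'          user=hive  -> " + authorized("*", "", "hive"));
        // A single space parses to an ACL with no users and no groups, so nobody passes;
        // the RPC layer grants no implicit exception for the daemon's own login user.
        System.out.println("allow=' '          user=hive  -> " + authorized(" ", "", "hive"));
        // Allow-list only the daemon user: other principals are rejected.
        System.out.println("allow='hive'       user=alice -> " + authorized("hive", "", "alice"));
        // Wildcard allow combined with a blocked entry: the blocked ACL wins.
        System.out.println("allow='*' block=alice user=alice -> " + authorized("*", "alice", "alice"));
    }
}
```

Run it with hadoop-common and its dependencies on the classpath; the audit log lines ServiceAuthorizationManager emits on each call show the same decisions the printed booleans do.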
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15255020#comment-15255020 ] Siddharth Seth commented on HIVE-13446:

The patch itself looks good in what it's doing. Couple of questions / comments.
- Is the LLAP_VALIDATE_ACLS property really needed ? Why not always have this enabled.
- Changing the default for "hive.llap.management.acl" to " " instead of "*" seems to be a simpler approach. Afaik, the logged in user will still be allowed access. The default would allow only the logged in user (assuming that works). Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if they want to grant access to additional users.
- hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any project outside of Hadoop is supposed to use this in a reliable manner. Maybe define the man acl configuration as a string and add the blocked to it - to prevent strange naming problems mentioned in the code.
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15254404#comment-15254404 ] Sergey Shelukhin commented on HIVE-13446:

[~vikram.dixit] perhaps you can review?
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15253172#comment-15253172 ] Sergey Shelukhin commented on HIVE-13446:

[~sseth] ping?
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15239752#comment-15239752 ] Hive QA commented on HIVE-13446:

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12798166/HIVE-13446.patch

{color:red}ERROR:{color} -1 due to no test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 3 failed/errored test(s), 9959 tests executed

*Failed tests:*
{noformat}
TestJdbcWithMiniHS2 - did not produce a TEST-*.xml file
TestMiniTezCliDriver-update_orig_table.q-vectorization_13.q-mapreduce2.q-and-12-more - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_index_bitmap3
{noformat}

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7574/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7574/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-7574/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 3 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12798166 - PreCommit-HIVE-TRUNK-Build
[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15230638#comment-15230638 ] Siddharth Seth commented on HIVE-13446:

We could also ensure that the user connecting is the same user that the process is running as. Only HiveServer should have access to the management protocol at the moment.