[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-05-04 Thread Lefty Leverenz (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270396#comment-15270396
 ] 

Lefty Leverenz commented on HIVE-13446:
---

Doc note:  This adds *hive.llap.daemon.acl.blocked* and 
*hive.llap.management.acl.blocked* to HiveConf.java so they need to be 
documented in the wiki for release 2.1.0.

* [Configuration Properties -- LLAP | 
https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-LLAP]
* [LLAP | https://cwiki.apache.org/confluence/display/Hive/LLAP]

> LLAP: set default management protocol acls to deny all
> --
>
> Key: HIVE-13446
> URL: https://issues.apache.org/jira/browse/HIVE-13446
> Project: Hive
> Issue Type: Bug
> Reporter: Sergey Shelukhin
> Assignee: Sergey Shelukhin
> Labels: TODOC2.1
> Fix For: 2.1.0
>
> Attachments: HIVE-13446.patch
>
>
> The user needs to set the acls.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-05-02 Thread Sergey Shelukhin (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15267077#comment-15267077
 ] 

Sergey Shelukhin commented on HIVE-13446:
-

Btw, this does not apply to daemon acls; these can be set to anything.



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-30 Thread Hitesh Shah (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265367#comment-15265367
 ] 

Hitesh Shah commented on HIVE-13446:


If you are using the hadoop acls impl, setting it to a string with a single 
space blocks everyone. 



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-30 Thread Hitesh Shah (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265366#comment-15265366
 ] 

Hitesh Shah commented on HIVE-13446:


Setting tez acls to empty string will allow only the AM user to view all 
details and the dag owner to view dag specific details. 



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-30 Thread Siddharth Seth (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265214#comment-15265214
 ] 

Siddharth Seth commented on HIVE-13446:
---

The patch itself works - to restrict access to the llap user only. +1 from that 
perspective.
Think it'll be a little confusing if "hive.llap.daemon.acl" is set to *, and 
other users are still not able to login.

[~hitesh] - do you happen to know if the logged in user will be allowed if the 
ACL is set to " ", and the user connecting is the same logged in user with 
kerberos credentials?



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-27 Thread Sergey Shelukhin (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15261179#comment-15261179
 ] 

Sergey Shelukhin commented on HIVE-13446:
-

{noformat}
Is the LLAP_VALIDATE_ACLS property really needed ? Why not always have this 
enabled.
{noformat}
In case it breaks for someone for a reason we cannot foresee. This setting will 
also be used to enforce checking ZK acls.
{noformat}
Changing the default for "hive.llap.management.acl" to " " instead of "*" 
seems to be a simpler approach. Afaik, the logged in user will still be allowed 
access. The default would allow only the logged in user (assuming that works). 
Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if 
they want to grant access to additional users.
{noformat}
I am not sure if this is going to work. We'd need to return the client 
principal key from KerberosInfo; even then, the verification is done like so:
{noformat}
[String ]clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
...
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || ... reject
{noformat}
It appears to require kinit with the host name from client. [~jingzhao] can you 
comment on this? Does IPC allow the current user to access the service, even if 
they logged in with keytab as u...@blah.com, not user/a...@blah.com? If I 
understand the code in ServiceAuthorizationManager correctly, it doesn't appear 
to.


{noformat}
hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an 
internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any 
project outside of Hadoop is supposed to use this in a reliable manner. Maybe 
define the man acl configuration as a string and add the blocked to it - to 
prevent strange naming problems mentioned in the code.
{noformat}
Hmm. How would adding the same thing to it be safer? 





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
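
A simplified Python model of the checks discussed in this thread (ACL string, `.blocked` companion ACL, and the client-principal comparison), added here as an illustration; it is not Hive or Hadoop code and not part of any comment above. `Caller`, `Acl`, `authorize`, the defaults, the sample configurations and the `llap` principal are assumptions made for the example; only the property name and the `.blocked` suffix come from the thread.

```python
# Simplified model of a Hadoop-style service ACL check (illustrative, not Hadoop/Hive code).
from dataclasses import dataclass

KEY = "hive.llap.management.acl"   # property name from the thread
BLOCKED_SUFFIX = ".blocked"        # suffix from the thread

@dataclass(frozen=True)
class Caller:                      # hypothetical stand-in for the authenticated user
    name: str
    groups: frozenset = frozenset()

class Acl:
    """ACL string of the form 'user1,user2 group1,group2'; '*' means everyone."""
    def __init__(self, spec):
        users, _, groups = spec.partition(" ")      # split at the first space only
        self.all_allowed = "*" in (users.strip(), groups.strip())
        self.users = {u.strip() for u in users.split(",") if u.strip()}
        self.groups = {g.strip() for g in groups.split(",") if g.strip()}

    def allows(self, caller):
        return (self.all_allowed or caller.name in self.users
                or bool(self.groups & caller.groups))

def authorize(conf, caller, expected_principal=None):
    """True if the caller may use the protocol under this model."""
    allow = Acl(conf.get(KEY, "*"))                    # assumed default: everyone
    blocked = Acl(conf.get(KEY + BLOCKED_SUFFIX, ""))  # assumed default: nobody blocked
    # Principal pinning: when set, the caller must be exactly that principal.
    if expected_principal is not None and expected_principal != caller.name:
        return False
    return allow.allows(caller) and not blocked.allows(caller)

# Constructed sample configurations, not taken from the patch.
SAMPLES = {
    "wildcard": {KEY: "*"},
    "single space": {KEY: " "},
    "explicit grant": {KEY: "hive admins"},
    "wildcard + blocked": {KEY: "*", KEY + BLOCKED_SUFFIX: "alice"},
}

if __name__ == "__main__":
    alice = Caller("alice", frozenset({"analysts"}))
    for label, conf in SAMPLES.items():
        print(f"{label:20} alice allowed: {authorize(conf, alice)}")
    # '*' in the ACL does not help a caller who fails the principal check.
    print("pinned to llap:", authorize(SAMPLES["wildcard"], alice, "llap"))
```

In this model a `*` ACL combined with a pinned principal still rejects every other user, which is the behaviour the 2016-04-30 comment calls confusing.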


[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-22 Thread Siddharth Seth (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15255020#comment-15255020
 ] 

Siddharth Seth commented on HIVE-13446:
---

The patch itself looks good in what it's doing.

Couple of questions / comments.
- Is the LLAP_VALIDATE_ACLS property really needed ? Why not always have this 
enabled.
- Changing the default for "hive.llap.management.acl" to " " instead of "*" 
seems to be a simpler approach. Afaik, the logged in user will still be allowed 
access.

The default would allow only the logged in user (assuming that works). Instead 
of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if they want 
to grant access to additional users.

- hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an 
internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any 
project outside of Hadoop is supposed to use this in a reliable manner.
Maybe define the man acl configuration as a string and add the blocked to it - 
to prevent strange naming problems mentioned in the code.



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-22 Thread Sergey Shelukhin (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15254404#comment-15254404
 ] 

Sergey Shelukhin commented on HIVE-13446:
-

[~vikram.dixit] perhaps you can review? 



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-21 Thread Sergey Shelukhin (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15253172#comment-15253172
 ] 

Sergey Shelukhin commented on HIVE-13446:
-

[~sseth] ping?



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-13 Thread Hive QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15239752#comment-15239752
 ] 

Hive QA commented on HIVE-13446:




Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12798166/HIVE-13446.patch

{color:red}ERROR:{color} -1 due to no test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 3 failed/errored test(s), 9959 tests executed
*Failed tests:*
{noformat}
TestJdbcWithMiniHS2 - did not produce a TEST-*.xml file
TestMiniTezCliDriver-update_orig_table.q-vectorization_13.q-mapreduce2.q-and-12-more - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_index_bitmap3
{noformat}

Test results: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7574/testReport
Console output: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7574/console
Test logs: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-7574/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 3 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12798166 - PreCommit-HIVE-TRUNK-Build



[jira] [Commented] (HIVE-13446) LLAP: set default management protocol acls to deny all

2016-04-07 Thread Siddharth Seth (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15230638#comment-15230638
 ] 

Siddharth Seth commented on HIVE-13446:
---

We could also ensure that the user connecting is the same user that the process 
is running as. Only HiveServer should have access to the management protocol at 
the moment.
