[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16187465#comment-16187465 ] Tao Li commented on HIVE-17606: --- Added a section here: https://cwiki.apache.org/confluence/display/Hive/HiveReplicationv2Development#HiveReplicationv2Development-MetastorenotificationAPIsecurity [~leftylev] Please let me know if you have any suggestions to improve it. Thanks! > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16187256#comment-16187256 ] Tao Li commented on HIVE-17606: --- Thanks [~thejas]. Will update Apache wiki asap. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16185026#comment-16185026 ] Thejas M Nair commented on HIVE-17606: -- reverted > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16185021#comment-16185021 ] Thejas M Nair commented on HIVE-17606: -- [~sershe] [~taoli-hwx] Looks like I had some partial changes from another patch as well in this commit. Will revert asap and take a look. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184995#comment-16184995 ] Tao Li commented on HIVE-17606: --- [~sershe] I don't see how the change could cause the error since ReplChangeManager was not changed. Can you please elaborate? > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184988#comment-16184988
]
Sergey Shelukhin commented on HIVE-17606:
-
This appears to break the build:
{noformat}
[ERROR]
/Users/sergey/git/hivegit/ql/src/java/org/apache/hadoop/hive/ql/parse/repl/CopyUtils.java:[92,100]
package ReplChangeManager does not exist
[ERROR]
/Users/sergey/git/hivegit/ql/src/java/org/apache/hadoop/hive/ql/parse/repl/CopyUtils.java:[154,29]
package ReplChangeManager does not exist
[ERROR]
/Users/sergey/git/hivegit/ql/src/java/org/apache/hadoop/hive/ql/parse/repl/CopyUtils.java:[153,49]
package ReplChangeManager does not exist
{noformat}
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Fix For: 3.0.0
>
> Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch,
> HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch,
> HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch,
> HIVE-17606.8.patch, HIVE-17606.9.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184900#comment-16184900 ] Tao Li commented on HIVE-17606: --- [~thejas] Am I supposed to make the wiki doc change? Thanks for the reminder. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184894#comment-16184894 ] Thejas M Nair commented on HIVE-17606: -- [~taoli-hwx] We should follow up with documentation change in wiki for this. Can you please take a look ? cc [~leftylev] > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Fix For: 3.0.0 > > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184838#comment-16184838 ] Tao Li commented on HIVE-17606: --- Test result looks good. The failures don't seems related to the change. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184827#comment-16184827
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889556/HIVE-17606.10.patch
{color:green}SUCCESS:{color} +1 due to 5 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 9 failed/errored test(s), 11089 tests
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_predicate_pushdown]
(batchId=232)
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_single_sourced_multi_insert]
(batchId=232)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[optimize_nullscan]
(batchId=162)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[union_fast_stats]
(batchId=157)
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver[spark_dynamic_partition_pruning]
(batchId=170)
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver[spark_explainuser_1]
(batchId=171)
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver[explainanalyze_2]
(batchId=101)
org.apache.hadoop.hive.cli.TestTezPerfCliDriver.org.apache.hadoop.hive.cli.TestTezPerfCliDriver
(batchId=240)
org.apache.hadoop.hive.cli.control.TestDanglingQOuts.checkDanglingQOut
(batchId=203)
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/7029/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/7029/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-7029/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 9 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12889556 - PreCommit-HIVE-Build
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch,
> HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch,
> HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch,
> HIVE-17606.8.patch, HIVE-17606.9.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184746#comment-16184746 ] Thejas M Nair commented on HIVE-17606: -- +1 > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.10.patch, HIVE-17606.1.patch, > HIVE-17606.2.patch, HIVE-17606.3.patch, HIVE-17606.4.patch, > HIVE-17606.5.patch, HIVE-17606.6.patch, HIVE-17606.7.patch, > HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184674#comment-16184674 ] Tao Li commented on HIVE-17606: --- [~thejas] Correct. Actually I am fixing that now. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch, > HIVE-17606.6.patch, HIVE-17606.7.patch, HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184668#comment-16184668
]
Thejas M Nair commented on HIVE-17606:
--
{code}
try {
+ rsp = metaStoreClient.getNextNotification(firstEventId, 0, null);
+ assertEquals(1, rsp.getEventsSize());
+ // Turn auth back on. That should fail the call and we do expect the
exception
+
hconf.setBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH,
true);
+ rsp = metaStoreClient.getNextNotification(firstEventId, 0, null);
+}
{code}
In above section, if the first call to metaStoreClient.getNextNotification
throws an exception, the test would still succeed. Is that right ?
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch,
> HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch,
> HIVE-17606.6.patch, HIVE-17606.7.patch, HIVE-17606.8.patch, HIVE-17606.9.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184610#comment-16184610 ] Tao Li commented on HIVE-17606: --- [~thejas] Thanks for the comments. Regarding the test case, I was specifying "expected = TException.class" to expect the exception. I will add some more comments to make it more clear. Just uploaded another iteration. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch, > HIVE-17606.6.patch, HIVE-17606.7.patch, HIVE-17606.8.patch, HIVE-17606.9.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184573#comment-16184573 ] Thejas M Nair commented on HIVE-17606: -- MetaStoreUtils.hasPermissionForDbNotificationCalls is implementing a more generic function that what the name suggests. Maybe call it something like checkUserHasHostProxyPrivileges ? That would help clarify the purpose and help re-use if some other code path also needs same functionality. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch, > HIVE-17606.6.patch, HIVE-17606.7.patch, HIVE-17606.8.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184569#comment-16184569 ] Thejas M Nair commented on HIVE-17606: -- I see one possible issue with the test case. If the "rsp = metaStoreClient.getNextNotification(firstEventId, 0, null);" that is supposed to work throws an exception, the test would still pass. Is that right ? > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch, > HIVE-17606.6.patch, HIVE-17606.7.patch, HIVE-17606.8.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184476#comment-16184476 ] Tao Li commented on HIVE-17606: --- Test result looks good. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch, > HIVE-17606.6.patch, HIVE-17606.7.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184471#comment-16184471
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889507/HIVE-17606.7.patch
{color:green}SUCCESS:{color} +1 due to 5 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 6 failed/errored test(s), 11090 tests
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_predicate_pushdown]
(batchId=232)
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_single_sourced_multi_insert]
(batchId=232)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[optimize_nullscan]
(batchId=162)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[union_fast_stats]
(batchId=157)
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver[spark_explainuser_1]
(batchId=171)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query23]
(batchId=236)
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/7026/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/7026/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-7026/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 6 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12889507 - PreCommit-HIVE-Build
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch,
> HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch,
> HIVE-17606.6.patch, HIVE-17606.7.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183695#comment-16183695 ] Lefty Leverenz commented on HIVE-17606: --- Thanks for fixing the parameter description. It looks good. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183645#comment-16183645
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889347/HIVE-17606.5.patch
{color:green}SUCCESS:{color} +1 due to 8 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 18 failed/errored test(s), 11089 tests
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_predicate_pushdown]
(batchId=232)
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_single_sourced_multi_insert]
(batchId=232)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[optimize_nullscan]
(batchId=162)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[union_fast_stats]
(batchId=157)
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver[spark_explainuser_1]
(batchId=171)
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver[explainanalyze_2]
(batchId=101)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query14]
(batchId=236)
org.apache.hadoop.hive.ql.lockmgr.TestDbTxnManager2.checkExpectedLocks
(batchId=285)
org.apache.hadoop.hive.ql.parse.TestReplicationScenariosAcrossInstances.parallelExecutionOfReplicationBootStrapLoad
(batchId=220)
org.apache.hadoop.hive.ql.parse.TestReplicationScenariosAcrossInstances.testBootstrapFunctionReplication
(batchId=220)
org.apache.hadoop.hive.ql.parse.TestReplicationScenariosAcrossInstances.testCreateFunctionIncrementalReplication
(batchId=220)
org.apache.hadoop.hive.ql.parse.TestReplicationScenariosAcrossInstances.testCreateFunctionWithFunctionBinaryJarsOnHDFS
(batchId=220)
org.apache.hadoop.hive.ql.parse.TestReplicationScenariosAcrossInstances.testDropFunctionIncrementalReplication
(batchId=220)
org.apache.hadoop.hive.ql.parse.TestReplicationScenariosAcrossInstances.testMultipleStagesOfReplicationLoadTask
(batchId=220)
org.apache.hive.hcatalog.api.TestHCatClient.testReplicationTaskIter
(batchId=181)
org.apache.hive.hcatalog.api.repl.commands.TestCommands.testBasicReplEximCommands
(batchId=181)
org.apache.hive.hcatalog.api.repl.commands.TestCommands.testNoopReplEximCommands
(batchId=181)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testReplDumpResultSet (batchId=229)
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/7014/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/7014/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-7014/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 18 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12889347 - PreCommit-HIVE-Build
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch,
> HIVE-17606.3.patch, HIVE-17606.4.patch, HIVE-17606.5.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183122#comment-16183122
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889255/HIVE-17606.4.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 145 failed/errored test(s), 11084 tests
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_predicate_pushdown]
(batchId=231)
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_single_sourced_multi_insert]
(batchId=231)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_blobstore_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_blobstore_to_local]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_blobstore_to_warehouse]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_local_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_blobstore_nonpart]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_local]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_warehouse]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_warehouse_nonpart]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_local_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_00_nonpart_empty]
(batchId=14)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_01_nonpart]
(batchId=52)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_02_00_part_empty]
(batchId=64)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_02_part]
(batchId=49)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_03_nonpart_over_compat]
(batchId=5)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_04_all_part]
(batchId=28)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_04_evolved_parts]
(batchId=30)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_05_some_part]
(batchId=71)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_06_one_part]
(batchId=83)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_07_all_part_over_nonoverlap]
(batchId=10)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_08_nonpart_rename]
(batchId=59)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_09_part_spec_nonoverlap]
(batchId=8)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_10_external_managed]
(batchId=67)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_11_managed_external]
(batchId=67)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_12_external_location]
(batchId=53)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_13_managed_location]
(batchId=37)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_14_managed_location_over_existing]
(batchId=52)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_15_external_part]
(batchId=38)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_16_part_external]
(batchId=57)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_17_part_managed]
(batchId=43)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_18_part_external]
(batchId=69)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_19_00_part_external_location]
(batchId=64)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_19_part_external_location]
(batchId=26)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_20_part_managed_location]
(batchId=37)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_21_export_authsuccess]
(batchId=40)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_22_import_exist_authsuccess]
(batchId=18)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_23_import_part_authsuccess]
(batchId=20)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_24_import_nonexist_authsuccess]
(batchId=18)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_25_export_parentpath_has_inaccessible_children]
(batchId=63)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_hidden_files]
(batchId=46)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[repl_2_exim_basic]
(batchId=75)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[repl_3_exim_metadata]
(batchId=55)
org
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16182742#comment-16182742
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889255/HIVE-17606.4.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 146 failed/errored test(s), 11078 tests
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_predicate_pushdown]
(batchId=231)
org.apache.hadoop.hive.cli.TestAccumuloCliDriver.testCliDriver[accumulo_single_sourced_multi_insert]
(batchId=231)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_blobstore_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_blobstore_to_local]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_blobstore_to_warehouse]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_addpartition_local_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_blobstore_nonpart]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_local]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_warehouse]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_blobstore_to_warehouse_nonpart]
(batchId=243)
org.apache.hadoop.hive.cli.TestBlobstoreCliDriver.testCliDriver[import_local_to_blobstore]
(batchId=243)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_00_nonpart_empty]
(batchId=14)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_01_nonpart]
(batchId=52)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_02_00_part_empty]
(batchId=64)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_02_part]
(batchId=49)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_03_nonpart_over_compat]
(batchId=5)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_04_all_part]
(batchId=28)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_04_evolved_parts]
(batchId=30)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_05_some_part]
(batchId=71)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_06_one_part]
(batchId=83)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_07_all_part_over_nonoverlap]
(batchId=10)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_08_nonpart_rename]
(batchId=59)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_09_part_spec_nonoverlap]
(batchId=8)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_10_external_managed]
(batchId=67)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_11_managed_external]
(batchId=67)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_12_external_location]
(batchId=53)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_13_managed_location]
(batchId=37)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_14_managed_location_over_existing]
(batchId=52)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_15_external_part]
(batchId=38)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_16_part_external]
(batchId=57)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_17_part_managed]
(batchId=43)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_18_part_external]
(batchId=69)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_19_00_part_external_location]
(batchId=64)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_19_part_external_location]
(batchId=26)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_20_part_managed_location]
(batchId=37)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_21_export_authsuccess]
(batchId=40)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_22_import_exist_authsuccess]
(batchId=18)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_23_import_part_authsuccess]
(batchId=20)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_24_import_nonexist_authsuccess]
(batchId=18)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_25_export_parentpath_has_inaccessible_children]
(batchId=63)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[exim_hidden_files]
(batchId=46)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[repl_2_exim_basic]
(batchId=75)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[repl_3_exim_metadata]
(batchId=55)
org
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16182189#comment-16182189 ] Tao Li commented on HIVE-17606: --- [~thejas], [~leftylev] Thanks for the comments. Just uploaded another iteration and will wait for test results. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch, HIVE-17606.4.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16182004#comment-16182004
]
Lefty Leverenz commented on HIVE-17606:
---
Config review: The description of
*hive.metastore.event.db.notification.api.auth* has a typo ("authroization").
And while you're at it, please spell out database in the description.
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch,
> HIVE-17606.3.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181754#comment-16181754 ] Thejas M Nair commented on HIVE-17606: -- Can you also call the authorize method something more specific like authorizeProxyPrivilege(), since its doing a very specific authorization check ? There is more general authorization api provided via pre-event listener, this would help do avoid confusing with that. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch, > HIVE-17606.3.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181717#comment-16181717
]
Thejas M Nair commented on HIVE-17606:
--
* Lets secure this out of the box -
hive.metastore.event.db.notification.api.auth=true. I think we can make this
slightly incompatible change in 3.0.0 release, in the interest of security.
* Can you update the description (this setting could be set in hive-site.xml
also, so the core-site.xml reference is not accurate) ? - "If metastore do
authorization against db notification related APIs such as
get_next_notification. If set to true, then only the superusers in proxy user
settings have the permission"
* Can you add comment to each section of test case describing what its testing
?
* It would be better to re-use the code in HiveAuthFactory.verifyProxyAccess
for proxy verification. However, that code is in service package, we might have
to move that to common.
* Opening curly braces "{" is put at end of the if statement by hive coding
conventions, this change has it both ways.
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch,
> HIVE-17606.3.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[ https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181607#comment-16181607 ] Tao Li commented on HIVE-17606: --- Test result looks good now. > Improve security for DB notification related APIs > - > > Key: HIVE-17606 > URL: https://issues.apache.org/jira/browse/HIVE-17606 > Project: Hive > Issue Type: Improvement > Components: Metastore >Reporter: Tao Li >Assignee: Tao Li > Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch > > > The purpose is to make sure only the superusers which are specified in the > proxyuser settings can make the db notification related API calls, since this > is supposed to be called by superuser/admin instead of any end user. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181603#comment-16181603
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889104/HIVE-17606.2.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 5 failed/errored test(s), 11063 tests
executed
*Failed tests:*
{noformat}
TestAccumuloCliDriver - did not produce a TEST-*.xml file (likely timed out)
(batchId=231)
TestDummy - did not produce a TEST-*.xml file (likely timed out) (batchId=231)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[union_fast_stats]
(batchId=156)
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver[spark_explainuser_1]
(batchId=170)
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver[explainanalyze_2]
(batchId=100)
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/6995/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/6995/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-6995/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 5 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12889104 - PreCommit-HIVE-Build
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch, HIVE-17606.2.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (HIVE-17606) Improve security for DB notification related APIs
[
https://issues.apache.org/jira/browse/HIVE-17606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180631#comment-16180631
]
Hive QA commented on HIVE-17606:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12889021/HIVE-17606.1.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 9 failed/errored test(s), 11064 tests
executed
*Failed tests:*
{noformat}
TestAccumuloCliDriver - did not produce a TEST-*.xml file (likely timed out)
(batchId=231)
TestDummy - did not produce a TEST-*.xml file (likely timed out) (batchId=231)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[optimize_join_ptp]
(batchId=70)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[union_fast_stats]
(batchId=156)
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver[spark_explainuser_1]
(batchId=170)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query14]
(batchId=235)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query23]
(batchId=235)
org.apache.hive.hcatalog.listener.TestDbNotificationListener.sqlDb (batchId=233)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testParallelCompilation (batchId=228)
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/6988/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/6988/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-6988/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 9 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12889021 - PreCommit-HIVE-Build
> Improve security for DB notification related APIs
> -
>
> Key: HIVE-17606
> URL: https://issues.apache.org/jira/browse/HIVE-17606
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
>Reporter: Tao Li
>Assignee: Tao Li
> Attachments: HIVE-17606.1.patch
>
>
> The purpose is to make sure only the superusers which are specified in the
> proxyuser settings can make the db notification related API calls, since this
> is supposed to be called by superuser/admin instead of any end user.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
