[jira] [Updated] (HIVE-5001) [WebHCat] JobState is read/written with different user credentials

Mon, 09 Sep 2013 10:16:25 -0700 

     [ 
https://issues.apache.org/jira/browse/HIVE-5001?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Eugene Koifman updated HIVE-5001:
---------------------------------

    Priority: Minor  (was: Major)

Lowering priority as this isn't commonly used in production and HIVE-4601 has 
improved HDFSStorage error logging so that this condition is at least visible 
in the logs.
                
> [WebHCat] JobState is read/written with different user credentials
> ------------------------------------------------------------------
>
>                 Key: HIVE-5001
>                 URL: https://issues.apache.org/jira/browse/HIVE-5001
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HCatalog
>    Affects Versions: 0.11.0
>            Reporter: Eugene Koifman
>            Assignee: Eugene Koifman
>            Priority: Minor
>
> JobState can be persisted to HDFS or Zookeeper.  At various points in the 
> lifecycle it's accessed with different user credentials thus may cause errors 
> depending on how permissions are set.
> Example:
> When submitting a MR job, templeton.JarDelegator is used.
> It calls LauncherDelegator#queueAsUser() which runs TempletonControllerJob 
> with UserGroupInformation.doAs().
> TempletonControllerJob will in turn create JobState and persist it.
> LauncherDelegator.registerJob() also modifies JobState but w/o doing a doAs()
> So in the later case it's possible that the persisted state of JobState by a 
> different user than one that created/owns the file.
> templeton.tool.HDFSCleanup tries to delete these files w/o doAs.
> 'childid' file, for example, is created with rw-r--r--.
> and it's parent directory (job_201308051224_0001) has rwxr-xr-x.
> HDFSStorage doesn't set file permissions explicitly so it must be using 
> default permissions.
> So there is a potential issue here (depending on UMASK) especially once 
> HIVE-4601 is addressed.
> Actually, even w/o HIVE-4601 the user that owns the WebHCat process is likely 
> different than the one submitting a request.
> The default for templeton.storage.class is 
> org.apache.hcatalog.templeton.toolHDFSStorage, but it's likely that most 
> production environments change it to Zookeeper, which may explain why this 
> issue is not commonly seen.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to