[
https://issues.apache.org/jira/browse/HIVE-5542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13794807#comment-13794807
]
Sushanth Sowmyan commented on HIVE-5542:
----------------------------------------
The issue here is this:
a) templeton runs as user hcat
b) templeton runs hcat command line as user hcat
c) It sets appropriate delegation tokens so that hdfs and hive metastore
recognize the command as being run as user hrt_qa, but the current unix user
for the hcat commandline is user hcat.
d) SBAP uses the hive default authentication provider, which recognizes that
the user is hcat.
e) The old HdfsAuthorizationProvider did not use the provided authentication
provider, and instead special-cased how it did authentication by instantiating
its own ugi. In addition, it would create a proxy user ugi if a setting
proxy.user.name was set, and that's how it used to authorize whether or not
"hrt_qa" would perform an action, as opposed to authorizing if "hcat" was
allowed to do so.
So, we need to create a new ProxyUserAuthenticator which can mock authenticate
as a particular user that it's asked to authenticate as, and fall back to
default authentication if not. This can be used as an authenticator for servers
such as webhcat which have alternate means of figuring out who the user is, and
telling the hcat command line who they are running as.
A further issue crops up if we make the aforesaid change, and that is that
HCatCli instantiates a SessionState, and therefore an AuthorizationProvider and
an AuthenticationProvider before it processes its -D parameters, which is what
is used to provide overrides such as the proxy.user.name that webhcat provides.
The reason this worked with HdfsAuthorizationProvider before was that it
instantiated a ugi depending on whether or not that conf parameter was set at
runtime, for every single authorization call.
So, we need to change the initialization order in the hcat commandline, to make
sure the -D parameters are processed before we instantiate SessionState as well.
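A small Python model of the two changes proposed in the comment above (a proxy-user authenticator that falls back to the default user, and applying the -D overrides before the session state is built). This is an added illustration, not Hive or HCatalog code; the class, function and ACL names in it are constructed for the example.

```python
# Added example modelling the comment's two fixes; not Hive/HCatalog code.
# ProxyUserAuthenticator, run_ddl and WAREHOUSE_WRITERS are constructed names.
PROXY_USER_NAME = "proxy.user.name"   # override WebHCat passes to the hcat CLI
WAREHOUSE = "hdfs://nn:8020/apps/hive/warehouse"
# Constructed ACL standing in for the HDFS permission check SBAP performs.
WAREHOUSE_WRITERS = {WAREHOUSE: {"hive", "hrt_qa"}}

class HadoopDefaultAuthenticator:
    """Default authenticator: reports the current unix/login user."""
    def __init__(self, conf, login_user):
        self.conf = conf
        self.user_name = login_user

class ProxyUserAuthenticator(HadoopDefaultAuthenticator):
    """Authenticates as proxy.user.name when set, else falls back to the default."""
    def __init__(self, conf, login_user):
        super().__init__(conf, login_user)
        proxy = conf.get(PROXY_USER_NAME)
        if proxy:
            self.user_name = proxy  # stand-in for a proxy UGI over the login user

def parse_d_overrides(argv):
    """Collect -Dkey=value overrides from the command line."""
    overrides = {}
    for arg in argv:
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            overrides[key] = value
    return overrides

def sbap_write_allowed(user, path):
    """Storage-based authorization: write only if the user may write the path."""
    return user in WAREHOUSE_WRITERS.get(path, set())

def run_ddl(argv, login_user, process_d_first):
    """Model HCatCli startup; returns (authenticated user, write permitted?).
    process_d_first=False reproduces the bug: SessionState, and with it the
    authenticator, is built before the -D overrides reach the conf."""
    conf = {}
    if process_d_first:
        conf.update(parse_d_overrides(argv))
    auth = ProxyUserAuthenticator(conf, login_user)  # SessionState instantiation
    if not process_d_first:
        conf.update(parse_d_overrides(argv))         # too late to affect auth
    return auth.user_name, sbap_write_allowed(auth.user_name, WAREHOUSE)
```

With the buggy ordering the CLI still authenticates as the login user "hcat", which is exactly the identity SBAP rejects in the stack trace below.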
> Webhcat is failing to run ddl command on a secure cluster
> ---------------------------------------------------------
>
> Key: HIVE-5542
> URL: https://issues.apache.org/jira/browse/HIVE-5542
> Project: Hive
> Issue Type: Bug
> Components: Authentication, WebHCat
> Affects Versions: 0.12.0
> Reporter: Sushanth Sowmyan
> Assignee: Sushanth Sowmyan
>
> When switching client-side authorization from the now deprecated
> HdfsAuthorizationProvider to SBAP, we noticed an issue while testing.
> Basically, if, say, webhcat were running as user "hcat" on a secure cluster,
> and we run the following:
> {noformat}
> $ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa
> $ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d
> "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}"
> http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a
> {noformat}
> {noformat}
> {"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException:
> java.security.AccessControlException: action WRITE not permitted on path
> hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
> at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375)
> at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273)
> at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135)
> at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139)
> at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93)
> at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105)
> at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63)
> at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83)
> at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)
> at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977)
> at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888)
> at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43)
> at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251)
> at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205)
> at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
> Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
> at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351)
> at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308)
> at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270)
> ... 20 more
> ","error":"FAILED: AuthorizationException
> java.security.AccessControlException: action WRITE not permitted on path
> hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user
> hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"}
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)