[
https://issues.apache.org/jira/browse/HIVE-5989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13843634#comment-13843634
]
Sushanth Sowmyan commented on HIVE-5989:
----------------------------------------
I'll attach the fix patch for now as this is a pretty severe bug. As for
testing, it is easy to test from manual tests or with e2e tests, but difficult
to test with a unit test. I'll also attach a "SleepyAuthorizationProvider" that
I used to test this manually, so as to elongate the critical section to
demonstrate and reproduce this error easily.
> Hive metastore authorization check is not threadsafe
> ----------------------------------------------------
>
> Key: HIVE-5989
> URL: https://issues.apache.org/jira/browse/HIVE-5989
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security
> Affects Versions: 0.11.0
> Reporter: Sushanth Sowmyan
> Assignee: Sushanth Sowmyan
>
> Metastore-side authorization has a couple of pretty important threadsafety
> bugs in it:
> a) The HiveMetastoreAuthenticated instantiated by the
> AuthorizationPreEventListener is static. This is a premature optimization and
> incorrect, as it will result in Authenticator implementations that store
> state potentially giving an incorrect result, and this bug very much exists
> with the DefaultMetastoreAuthenticator.
> b) It assumes HMSHandler.getHiveConf() is itself going to be thread-safe,
> which it is not. HMSHandler.getConf() is the appropriate thread-safe
> equivalent.
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
