[ https://issues.apache.org/jira/browse/HIVE-6837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13962151#comment-13962151 ]
Vaibhav Gumashta commented on HIVE-6837:
----------------------------------------
[~thejas] Thanks for taking a look.
Sure, I'll do that. There's another issue that I noticed caused in
SessionManager#openSession as a result of this:
{code}
public SessionHandle openSession(TProtocolVersion protocol, String username, String password,
    Map<String, String> sessionConf, boolean withImpersonation, String delegationToken)
    throws HiveSQLException {
  HiveSession session;
  if (withImpersonation) {
    HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password,
        hiveConf, sessionConf, TSetIpAddressProcessor.getUserIpAddress(), delegationToken);
    session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi());
    hiveSessionUgi.setProxySession(session);
  } else {
    session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf,
        TSetIpAddressProcessor.getUserIpAddress());
  }
  session.setSessionManager(this);
  session.setOperationManager(operationManager);
  session.open();
  handleToSession.put(session.getSessionHandle(), session);
  try {
    executeSessionHooks(session);
  } catch (Exception e) {
    throw new HiveSQLException("Failed to execute session hooks", e);
  }
  return session.getSessionHandle();
}
{code}
Notice that if withImpersonation is set to true, we're using
TSetIpAddressProcessor.getUserIpAddress() to get the IP address which is wrong
for a kerberized setup (should use HiveAuthFactory#getIpAddress).
Also, in case of a kerberized setup, we're wrapping the transport in a doAs
(with UGI of the HiveServer2 process) which doesn't make sense to me:
https://github.com/apache/hive/blob/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java#L335.
> HiveServer2 thrift/http mode & binary mode proxy user check fails reporting
> IP null for client
> ----------------------------------------------------------------------------------------------
>
> Key: HIVE-6837
> URL: https://issues.apache.org/jira/browse/HIVE-6837
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2
> Affects Versions: 0.13.0
> Reporter: Dilli Arumugam
> Assignee: Vaibhav Gumashta
> Fix For: 0.13.0
>
> Attachments: HIVE-6837.1.patch, HIVE-6837.2.patch, HIVE-6837.3.patch,
> hive.log
>
>
> Hive Server running thrift/http with Kerberos security.
> Kinited user knox attempting to proxy as sam.
> Beeline connection failed reporting error on hive server logs:
> Caused by: org.apache.hadoop.security.authorize.AuthorizationException:
> Unauthorized connection for super-user: knox from IP null
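
A simplified model of the failure discussed above, as an added example that is not part of the original comment or of Hive's code: the proxy-user host check refuses a null address, so reading the address from a source the Kerberos path never populates rejects a legitimate super-user. Class and method names are hypothetical, the address is a constructed sample, and the model assumes a Kerberos (SASL) connection populates only the SASL-side address source.

```java
import java.util.Set;

public class ProxyIpSourceDemo {
    // Hypothetical stand-ins for the two per-thread address sources named in the comment.
    static final ThreadLocal<String> PLAIN_IP = new ThreadLocal<>(); // models TSetIpAddressProcessor.getUserIpAddress()
    static final ThreadLocal<String> SASL_IP = new ThreadLocal<>();  // models HiveAuthFactory#getIpAddress

    // Assumption: a Kerberos (SASL) connection fills in only the SASL-side source.
    static void acceptConnection(boolean kerberos, String remoteIp) {
        PLAIN_IP.remove();
        SASL_IP.remove();
        if (kerberos) SASL_IP.set(remoteIp); else PLAIN_IP.set(remoteIp);
    }

    // Behaviour described in the comment: the non-SASL source is read regardless of auth mode.
    static String ipAsDescribed() {
        return PLAIN_IP.get();
    }

    // Address source chosen according to the authentication mode of the connection.
    static String ipByAuthMode(boolean kerberos) {
        return kerberos ? SASL_IP.get() : PLAIN_IP.get();
    }

    // Simplified proxy-user host check: a null or unlisted address is refused (fails closed).
    static void authorizeProxy(String superUser, String ip, Set<String> allowedHosts) {
        if (ip == null || !allowedHosts.contains(ip)) {
            throw new SecurityException(
                "Unauthorized connection for super-user: " + superUser + " from IP " + ip);
        }
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("192.0.2.10"); // constructed sample proxy host
        acceptConnection(true, "192.0.2.10");       // knox connects over Kerberos
        try {
            authorizeProxy("knox", ipAsDescribed(), allowed);
        } catch (SecurityException e) {
            System.out.println("as described: " + e.getMessage());
        }
        authorizeProxy("knox", ipByAuthMode(true), allowed); // passes: address is known
        System.out.println("by auth mode: knox may proxy from " + ipByAuthMode(true));
    }
}
```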