Copilot commented on code in PR #769:
URL: https://github.com/apache/ranger/pull/769#discussion_r2651830211


##########
dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh:
##########
@@ -128,6 +130,35 @@ cat <<EOF > ${TEZ_HOME}/conf/tez-site.xml
 </configuration>
 EOF
 
+rebuild_tez_tarball() {
+  if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+    echo "Recreating Tez tarball for HDFS upload..."
+    tar -C /opt -czf /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz 
apache-tez-${TEZ_VERSION}-bin/
+  fi
+}
+
+create_hdfs_directories_and_files() {
+  exec_user=$1
+
+  # prepare tez directories and files in hdfs folders
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f 
/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" "$exec_user"
+
+  # Create HDFS user directory for hive
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" "$exec_user"
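Review bot: `exec_user=$1` in create_hdfs_directories_and_files is a global assignment rather than a function-local, and none of the `su -c "... hdfs dfs ..."` calls that follow check their exit status, so a failed `-mkdir` or `-put -f` (for example when rebuild_tez_tarball could not produce the tarball) lets the script carry on and only surfaces later as an opaque Hive/Tez startup failure; I cannot see a `set -e` in the quoted lines, so nothing else appears to catch it. I would use `local exec_user=$1` and route the hdfs calls through a small helper that stops on the first failure, with the caller on the later hunk becoming `create_hdfs_directories_and_files 'hdfs' || exit 1`. This same hunk is quoted a second time further down in the thread, where the function body is shown through the /user/root chmod; the function's closing brace lies outside both quotations. The `tar` line in rebuild_tez_tarball is shown wrapped across two lines here, presumably by mail formatting rather than in the file.
```shell
# Run one hdfs dfs command as the given user; fail loudly on the first error so a
# missing tarball or a rejected mkdir is not silently skipped.
hdfs_as() {
  local exec_user=$1
  shift
  su -c "${HADOOP_HOME}/bin/hdfs dfs $*" "$exec_user" || {
    echo "ERROR: hdfs dfs $* failed as ${exec_user}" >&2
    return 1
  }
}

create_hdfs_directories_and_files() {
  local exec_user=$1

  # prepare tez directories and files in hdfs folders
  hdfs_as "$exec_user" -mkdir -p /apps/tez || return 1
  hdfs_as "$exec_user" -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/ || return 1
  # … unchanged: remaining mkdir/chmod calls, each routed through hdfs_as …
```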

Review Comment:
   Setting overly permissive directory permissions (777 and 1777) creates 
security vulnerabilities by allowing any user to read, write, and execute in 
these directories. Consider using more restrictive permissions such as 750 or 
770, or leverage Ranger policies for fine-grained access control instead of 
relying on filesystem permissions.



##########
dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh:
##########
@@ -139,32 +170,34 @@ cp ${HADOOP_HOME}/etc/hadoop/yarn-site.xml 
${HIVE_HOME}/conf/
 cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/
 
 # Upload Tez libraries to HDFS
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
+if [ "${KERBEROS_ENABLED}" == "true" ]; then
+    echo "Kerberos enabled - authenticating as hdfs user..."
+    su -c "kinit -kt /etc/keytabs/hdfs.keytab hdfs/\`hostname 
-f\`@EXAMPLE.COM" hdfs
+    rc=$?
+    if [ $rc -ne 0 ]; then
+      echo "ERROR: kinit failed for hdfs principal (exit code=$rc)" >&2
+      exit $rc
+    fi
 
-# Recreate Tez tarball if it doesn't exist (it gets removed during Docker 
build)
-if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
-    echo "Recreating Tez tarball for HDFS upload..."
-    cd /opt
-    tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
-fi
+    echo "kinit successful, proceeding operations as hive user"
 
-su -c "${HADOOP_HOME}/bin/hdfs dfs -put 
/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs
+    # Recreate Tez tarball if it doesn't exist
+    rebuild_tez_tarball
 
-# Create HDFS user directory for hive
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs
+    # Create hdfs directories and files for hive and tez
+    create_hdfs_directories_and_files 'hdfs'
 
-# Create HDFS /tmp/hive directory for Tez staging
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs
+    su -c "kdestroy" hive
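Review bot: The log line `echo "kinit successful, proceeding operations as hive user"` misstates who does the work: the kinit above and the calls that follow it (`rebuild_tez_tarball`, `create_hdfs_directories_and_files 'hdfs'`) all run as hdfs, so the message will mislead anyone debugging a Kerberos failure in this branch; I would change it to `echo "kinit successful, running HDFS setup as hdfs user"`. The kinit line also resolves `hostname -f` inside the su'd shell through escaped backticks; evaluating it in the outer script, `su -c "kinit -kt /etc/keytabs/hdfs.keytab hdfs/$(hostname -f)@EXAMPLE.COM" hdfs`, yields the same principal without the nested quoting. The enclosing `if [ "${KERBEROS_ENABLED}" == "true" ]` block continues past the end of this hunk, so the non-Kerberos path is not visible here.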

Review Comment:
   The kdestroy command is being run for the 'hive' user, but the kinit was 
performed for the 'hdfs' user (line 175). This should be `su -c "kdestroy" 
hdfs` to properly clean up the hdfs user's Kerberos credentials.



##########
dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh:
##########
@@ -128,6 +130,35 @@ cat <<EOF > ${TEZ_HOME}/conf/tez-site.xml
 </configuration>
 EOF
 
+rebuild_tez_tarball() {
+  if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+    echo "Recreating Tez tarball for HDFS upload..."
+    tar -C /opt -czf /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz 
apache-tez-${TEZ_VERSION}-bin/
+  fi
+}
+
+create_hdfs_directories_and_files() {
+  exec_user=$1
+
+  # prepare tez directories and files in hdfs folders
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f 
/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" "$exec_user"
+
+  # Create HDFS user directory for hive
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" "$exec_user"
+
+  # Create HDFS /tmp/hive directory for Tez staging
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 1777 /tmp/hive" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1777 /tmp" "$exec_user"
+
+  # Create /user/root directory for YARN job execution
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" "$exec_user"
+  su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" "$exec_user"

Review Comment:
   Setting overly permissive directory permissions (777 and 1777) creates 
security vulnerabilities by allowing any user to read, write, and execute in 
these directories. Consider using more restrictive permissions such as 750 or 
770, or leverage Ranger policies for fine-grained access control instead of 
relying on filesystem permissions.
   ```suggestion
     su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 770 /user/hive" "$exec_user"
   
     # Create HDFS /tmp/hive directory for Tez staging
     su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" "$exec_user"
     su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 1770 /tmp/hive" "$exec_user"
     su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1770 /tmp" "$exec_user"
   
     # Create /user/root directory for YARN job execution
     su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" "$exec_user"
     su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 770 /user/root" "$exec_user"
   ```


