kokila-19 commented on code in PR #4882:
URL: https://github.com/apache/hive/pull/4882#discussion_r1708907598
##########
llap-server/src/java/org/apache/hadoop/hive/llap/security/LlapUgiFactoryFactory.java:
##########
@@ -15,42 +15,115 @@
package org.apache.hadoop.hive.llap.security;
import java.io.IOException;
+import java.util.Map;
+import java.util.HashMap;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.hive.common.UgiFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.llap.LlapUtil;
import org.apache.hadoop.hive.shims.HadoopShims;
import org.apache.hadoop.hive.shims.ShimLoader;
+import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/** No Java application is complete until it has a FactoryFactory. */
public class LlapUgiFactoryFactory {
+ private static final Logger LOG =
LoggerFactory.getLogger(LlapUgiFactoryFactory.class);
+
private static final HadoopShims SHIMS = ShimLoader.getHadoopShims();
- private static class KerberosUgiFactory implements UgiFactory {
+ /**
+ * This class implements abstract logic for maintaining a single ugi for a
specific user in a query.
+ * Subclasses implement createNewUgiInternal for creating a new ugi object
when needed.
+ */
+ private static abstract class AbstractLlapUgiFactory implements UgiFactory {
+ Map<String, UserGroupInformation> ugis = new HashMap<>();
+
+ /**
+ * Creates an ugi for tasks in the same query and merges the credentials.
+ * This is valid to be done once per query: no vertex-level ugi and
credentials are needed, both of them
+ * are the same within the same query.
+ * Regarding vertex user: LlapTaskCommunicator has a single "user" field,
+ * which is passed into the SignableVertexSpec.
+ * Regarding credentials: LlapTaskCommunicator creates
SubmitWorkRequestProto instances,
+ * into which dag-level credentials are passed.
+ * The most performant way would be to use a single UGI for the same user
in the daemon, but that's not possible,
+ * because the credentials can theoretically chance across queries.
Review Comment:
**the credentials can theoretically chance across queries.**
Wouldn't this be change across queries?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
