[jira] [Updated] (AMBARI-20760) After pam setup- Hive View user home test fails

[Anita Gnanamalar Jebaraj (JIRA)]

     [ 
https://issues.apache.org/jira/browse/AMBARI-20760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anita Gnanamalar Jebaraj updated AMBARI-20760:
----------------------------------------------
    Attachment: AMBARI-20760.patch

> After pam setup- Hive View user home test fails
> -----------------------------------------------
>
>                 Key: AMBARI-20760
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20760
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Anita Gnanamalar Jebaraj
>            Assignee: Anita Gnanamalar Jebaraj
>         Attachments: AMBARI-20760.patch, error.PNG
>
>
> After setting up PAM, tried to login as PAM user and access hive view, user 
> home test fails with the error as in screen shot.
> This issue was pointed out by [~hkropp] in the jira AMBARI-12263, but was not 
> incorporated in the code. Pasting the comment from Henning below.
> Something we noticed is that in a secured cluster we have issues with the 
> views, getting the following exception for the Hive view as an example:
> Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, 
> infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to 
> validate proxy privilege of ambari for 
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32,
>  
> .....
> sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege 
> of ambari for 
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119),
>  serverProtocolVersion:null)
> As you can see it tries to impersonte 
> "org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32".
>  Changing the UsernamePasswordAuthenticationToken from Principal to username 
> fixes this.
> So instead of :
> UsernamePasswordAuthenticationToken token = new 
> UsernamePasswordAuthenticationToken(principal, null, userAuthorities);
> We use:
> UsernamePasswordAuthenticationToken token = new 
> UsernamePasswordAuthenticationToken(user.getUserName(), null, 
> userAuthorities);
> What could potential also work is, overriding toString of the principal like:
> Principal principal = new Principal() {
>                     @Override
>                     public String getName() {
>                         return user.getUserName();
>                     }
>                     @Override
>                     public String toString(){
>                         return user.getUserName().toString();
>                     }
>                 };
> We did not test this!
> As a little side note, I notices you are using String concatenation in your 
> error logging like this: LOG.error("Message"+ ex.getMessage()) I think the 
> public void error(String msg, Throwable t); interface would be preferable in 
> such scenarios, so: LOG.error("Message", ex)



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)