[
https://issues.apache.org/jira/browse/HIVE-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14560912#comment-14560912
]
Abdelrahman Shettia commented on HIVE-10528:
--------------------------------------------
The build has some failures related to the following:
{code}
2015-05-27 04:38:59,538 ERROR PTest.run:180 Test run exited with an unexpected error org.apache.hive.ptest.execution.TestsFailedException: 55 tests failed
    at org.apache.hive.ptest.execution.PTest.run(PTest.java:177)
    at org.apache.hive.ptest.api.server.TestExecutor.run(TestExecutor.java:120
{code}
I am not sure if this is related to the code change in the patch. [~vgumashta]
can you please confirm for me? I am able to get a successful local build and
ran through the test cases without issues. I am attaching a file called
'REPRO-10528.txt' with the testing outcome. The patch did fix the issue and it's
using auth to local.
Thanks
-Rahman
> Hiveserver2 in HTTP mode is not applying auth_to_local rules
> ------------------------------------------------------------
>
> Key: HIVE-10528
> URL: https://issues.apache.org/jira/browse/HIVE-10528
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2
> Affects Versions: 1.0.0, 1.2.0, 1.1.0, 1.3.0
> Environment: Centos 6
> Reporter: Abdelrahman Shettia
> Assignee: Abdelrahman Shettia
> Attachments: HIVE-10528.1.patch, HIVE-10528.1.patch,
> HIVE-10528.2.patch, HIVE-10528.3.patch
>
>
> PROBLEM: Authenticating to HS2 in HTTP mode with Kerberos, auth_to_local
> mappings do not get applied. Because of this, various permissions checks
> which rely on the local cluster name for a user are going to fail.
> STEPS TO REPRODUCE:
> 1. Create a Kerberos cluster and HS2 in HTTP mode
> 2. Create a new user, test, along with a Kerberos principal for this user
> 3. Create a separate principal, mapped-test
> 4. Create an auth_to_local rule to make sure that mapped-test is mapped to
> test
> 5. As the test user, connect to HS2 with beeline and create a simple table:
> {code}
> CREATE TABLE permtest (field1 int);
> {code}
> There is no need to load anything into this table.
> 6. Establish that it works as the test user:
> {code}
> show create table permtest;
> {code}
> 7. Drop the test identity and become mapped-test
> 8. Re-connect to HS2 with beeline, re-run the above command:
> {code}
> show create table permtest;
> {code}
> You will find that when this is done in HTTP mode, you will get an HDFS error
> (because of StorageBasedAuthorization doing an HDFS permissions check) and the
> user will be mapped-test and NOT test as it should be.
> ANALYSIS: This appears to be HTTP specific and the problem seems to come in
> {{ThriftHttpServlet$HttpKerberosServerAction.getPrincipalWithoutRealmAndHost()}}:
> {code}
> try {
>   fullKerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(fullPrincipal);
> } catch (IOException e) {
>   throw new HttpAuthenticationException(e);
> }
> return fullKerberosName.getServiceName();
> {code}
> getServiceName applies no auth_to_local rules. Seems like maybe this should
> be getShortName()?