[
https://issues.apache.org/jira/browse/HIVE-18982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Prasanth Jayachandran updated HIVE-18982:
-----------------------------------------
Comment: was deleted
(was: Based on offline feedback from [~gopalv], added LLAP-specific commands
under HiveCommandOperation to get Hive authorization. Also updated the patch to
use the LLAP management API for security.
2 commands are added:
1) LLAP cluster commands (only info is implemented in this patch)
2) LLAP cache commands (only purge is implemented in this patch)
"llap cluster -info;" has no authorization, any user can read this information.
"llap cache -purge;" requires users to have admin role.
Some examples:
{code:title=user in non-admin role trying to purge the cache}
0: jdbc:hive2://localhost:10000> set hive.security.authorization.enabled;
+-------------------------------------------+
| set |
+-------------------------------------------+
| hive.security.authorization.enabled=true |
+-------------------------------------------+
1 row selected (0.165 seconds)
0: jdbc:hive2://localhost:10000> llap cache -purge;
Error: Error while processing statement: Permission denied: Principal
[name=pjayachandran, type=USER] does not have following privileges for
operation LLAP_CACHE_PURGE [ADMIN PRIVILEGE on INPUT] (state=,code=1)
{code}
{code:title=user in admin role trying to purge the cache}
0: jdbc:hive2://localhost:10000> set role admin;
No rows affected (1.019 seconds)
0: jdbc:hive2://localhost:10000> llap cache -purge;
+------------+--------------------+
| hostName | purgedMemoryBytes |
+------------+--------------------+
| localhost | 50429952 |
+------------+--------------------+
{code}
{code:title=when authZ is disabled, user can read cluster info}
0: jdbc:hive2://localhost:10000> set hive.security.authorization.enabled;
+--------------------------------------------+
| set |
+--------------------------------------------+
| hive.security.authorization.enabled=false |
+--------------------------------------------+
1 row selected (0.159 seconds)
0: jdbc:hive2://localhost:10000> llap cluster -info;
+----------------+---------------------------------------+------------+----------+-------------+---------+
| applicationId  | workerIdentity                        | hostname   | rpcPort  | memory      | vcores  |
+----------------+---------------------------------------+------------+----------+-------------+---------+
| null           | 873b7438-01b1-4974-90e2-1c5631602db9  | localhost  | 15001    | 3145728000  | 3       |
+----------------+---------------------------------------+------------+----------+-------------+---------+
{code}
Ignore the "null" applicationId, as this is my local setup, which is not deployed via
slider or yarn services. )
> Provide a CLI option to manually trigger failover
> -------------------------------------------------
>
> Key: HIVE-18982
> URL: https://issues.apache.org/jira/browse/HIVE-18982
> Project: Hive
> Issue Type: Sub-task
> Components: HiveServer2
> Affects Versions: 3.0.0
> Reporter: Prasanth Jayachandran
> Assignee: Prasanth Jayachandran
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: HIVE-18982.1.patch, HIVE-18982.2.patch,
> HIVE-18982.3.patch, HIVE-18982.4.patch, HIVE-18982.5.patch
>
>
> HIVE-18281 added active-passive HA. There might be an administrative need to
> trigger a manual failover of the HS2 Active server. Add a command line tool to view
> the list of all HS2 instances and trigger manual failover (only under force
> mode). The clients currently connected to the active HS2 will be closed. In
> the future, more options for existing client connections can be handled via
> configs/options (like wait until timeout, wait until current sessions are
> closed, etc.)