[ 
https://issues.apache.org/jira/browse/HIVE-19900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16513040#comment-16513040
 ] 

BELUGA BEHR edited comment on HIVE-19900 at 6/14/18 9:50 PM:
-------------------------------------------------------------

This only affects the deprecated HiveCLI and only applies to HoS.  The 
workaround is to use shorter user names when necessary.


was (Author: belugabehr):
This only affects the deprecated HiveCLI and the workaround is to use shorter 
user names when necessary.

> HiveCLI HoS Performs Invalid Impersonation If User Name Truncated
> -----------------------------------------------------------------
>
>                 Key: HIVE-19900
>                 URL: https://issues.apache.org/jira/browse/HIVE-19900
>             Project: Hive
>          Issue Type: Improvement
>          Components: CLI, Spark
>    Affects Versions: 1.2.2, 3.0.0, 2.3.2, 4.0.0
>            Reporter: BELUGA BEHR
>            Assignee: BELUGA BEHR
>            Priority: Minor
>             Fix For: 1.2.3, 2.3.3, 4.0.0
>
>
> The HiveCLI HoS code relies on the system property {{user.name}} when 
> performing impersonations. The code decides to do an impersonation if the 
> {{user.name}} system property does not match the current user who is 
> launching the HiveCLI client.  However, when confronted with a long user 
> name, some shells and Linux distros may opt to truncate the user name to a 
> certain size to conserve screen space. In these scenarios, the current user 
> name does not match the {{user.name}} system property and never will, so 
> impersonation will always happen, even though the user is trying to 
> impersonate themselves. If YARN is not set up to allow the current user to 
> impersonate, YARN will reject the request.
> {code:java}
>     if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
>       try {
>         String currentUser = Utils.getUGI().getShortUserName();
>         // do not do impersonation in CLI mode
>         if (!currentUser.equals(System.getProperty("user.name"))) {
>           LOG.info("Attempting impersonation of " + currentUser);
>           addProxyUser(currentUser);
>         }
>       } catch (Exception e) {
>         String msg = "Cannot obtain username: " + e;
>         throw new IllegalStateException(msg, e);
>       }
>     }
> {code}
>  
> [https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366]
> Assuming a Kerberos enabled environment, the error message in the YARN 
> Resource Manager will be:
> {code:java}
> [email protected] is not allowed to 
> impersonate my-really-really-long-user-name
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
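
Added example (not part of the original JIRA message or the Hive code base): a small triage script for the YARN Resource Manager denial quoted above, separating "self" denials, where the principal's short name equals the impersonation target as this issue describes, from cross-user denials that deserve a closer look. The log lines, the EXAMPLE.COM realm and the default principal-to-short-name mapping are assumptions made for the example.

```python
import re

# Denial text as quoted in the issue:
#   "<principal> is not allowed to impersonate <user>"
DENIAL = re.compile(r"(?P<principal>\S+) is not allowed to impersonate (?P<target>\S+)")


def short_name(principal: str) -> str:
    """Reduce a Kerberos principal to its first component.

    Assumption: default mapping (drop /instance and @REALM). Clusters with
    custom auth_to_local rules must mirror those rules here.
    """
    return principal.split("@", 1)[0].split("/", 1)[0]


def classify(line: str):
    """Return (kind, principal, target) for a denial line, None otherwise."""
    m = DENIAL.search(line)
    if m is None:
        return None
    principal = m.group("principal")
    target = m.group("target").rstrip(".,")
    kind = "self" if short_name(principal) == target else "cross-user"
    return kind, principal, target


def triage(lines):
    """Group denials: 'self' is consistent with the HIVE-19900 symptom."""
    report = {"self": [], "cross-user": []}
    for line in lines:
        hit = classify(line)
        if hit:
            report[hit[0]].append((hit[1], hit[2]))
    return report


# Constructed sample lines, not real cluster output.
SAMPLE_LOG = [
    "2018-06-14 21:40:01 WARN my-really-really-long-user-name@EXAMPLE.COM "
    "is not allowed to impersonate my-really-really-long-user-name",
    "2018-06-14 21:40:05 INFO application submitted",
    "2018-06-14 21:41:12 WARN User: etl/node1.example.com@EXAMPLE.COM "
    "is not allowed to impersonate alice",
]

if __name__ == "__main__":
    for kind, pairs in triage(SAMPLE_LOG).items():
        for principal, target in pairs:
            print(f"{kind:10s} {principal} -> {target}")
```
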
