[ https://issues.apache.org/jira/browse/HIVE-19900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Dai updated HIVE-19900: ------------------------------ Fix Version/s: (was: 4.0.0) (was: 2.3.3) (was: 1.2.3) > HiveCLI HoS Performs Invalid Impersonation If User Name Truncated > ----------------------------------------------------------------- > > Key: HIVE-19900 > URL: https://issues.apache.org/jira/browse/HIVE-19900 > Project: Hive > Issue Type: Improvement > Components: CLI, Spark > Affects Versions: 1.2.2, 3.0.0, 2.3.2, 4.0.0 > Reporter: BELUGA BEHR > Assignee: BELUGA BEHR > Priority: Minor > > The HiveCLI HoS code relies on the system property {{user.name}} when > performing impersonations. The code decides to do an impersonation if the > {{user.name}} system property does not match the current user who is > launching the HiveCLI client. However, when confronted with a long user > name, some shells and linux distros may opt to truncate the user name to a > certain size to conserve screen space. In these scenarios, the current user > name does not match the {{user.name}} system property and never will, so > impersonation will always happen, even though the user is trying to > impersonate themselves. If YARN is not setup to allow the current user to > impersonate, YARN will reject the request. > {code:java} > if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) { > try { > String currentUser = Utils.getUGI().getShortUserName(); > // do not do impersonation in CLI mode > if (!currentUser.equals(System.getProperty("user.name"))) { > LOG.info("Attempting impersonation of " + currentUser); > addProxyUser(currentUser); > } > } catch (Exception e) { > String msg = "Cannot obtain username: " + e; > throw new IllegalStateException(msg, e); > } > } > {code} > > [https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366] > Assuming a kerberos enabled environment, the error message in the YARN > Resource Manager will be: > {code:java} > my-really-really-long-user-n...@hadoop.domain.com is not allowed to > impersonate my-really-really-long-user-name > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)