[ 
https://issues.apache.org/jira/browse/HIVE-19900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daniel Dai updated HIVE-19900:
------------------------------
    Fix Version/s:     (was: 4.0.0)
                       (was: 2.3.3)
                       (was: 1.2.3)

> HiveCLI HoS Performs Invalid Impersonation If User Name Truncated
> -----------------------------------------------------------------
>
>                 Key: HIVE-19900
>                 URL: https://issues.apache.org/jira/browse/HIVE-19900
>             Project: Hive
>          Issue Type: Improvement
>          Components: CLI, Spark
>    Affects Versions: 1.2.2, 3.0.0, 2.3.2, 4.0.0
>            Reporter: BELUGA BEHR
>            Assignee: BELUGA BEHR
>            Priority: Minor
>
> The HiveCLI HoS code relies on the system property {{user.name}} when 
> performing impersonations. The code decides to do an impersonation if the 
> {{user.name}} system property does not match the current user who is 
> launching the HiveCLI client.  However, when confronted with a long user 
> name, some shells and Linux distros may opt to truncate the user name to a 
> certain size to conserve screen space. In these scenarios, the current user 
> name does not match the {{user.name}} system property and never will, so 
> impersonation will always happen, even though the user is trying to 
> impersonate themselves. If YARN is not set up to allow the current user to 
> impersonate, YARN will reject the request.
> {code:java}
>     if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
>       try {
>         String currentUser = Utils.getUGI().getShortUserName();
>         // do not do impersonation in CLI mode
>         if (!currentUser.equals(System.getProperty("user.name"))) {
>           LOG.info("Attempting impersonation of " + currentUser);
>           addProxyUser(currentUser);
>         }
>       } catch (Exception e) {
>         String msg = "Cannot obtain username: " + e;
>         throw new IllegalStateException(msg, e);
>       }
>     }
> {code}
>  
> [https://github.com/apache/hive/blob/da66386662fbbcbde9501b4a7b27d076bcc790d4/spark-client/src/main/java/org/apache/hive/spark/client/AbstractSparkClient.java#L354-L366]
> Assuming a Kerberos enabled environment, the error message in the YARN 
> Resource Manager will be:
> {code:java}
> my-really-really-long-user-n...@hadoop.domain.com is not allowed to 
> impersonate my-really-really-long-user-name
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
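
The failure mode described in the report, as an added example (not Hive's code and not the project's fix): a stand-alone Java model of the `user.name` comparison next to a simplified proxy-user ACL check. The truncated value `my-reall`, the ACL contents, and the `proxyByLoginIdentity` alternative are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

public class ImpersonationCheckDemo {
    // Decision from the quoted snippet: proxy whenever the two names differ.
    static boolean proxyByProperty(String ugiShortName, String userNameProperty) {
        return !ugiShortName.equals(userNameProperty);
    }

    // Hypothetical alternative: compare against the authenticated (login) identity,
    // which does not depend on how the OS or shell reports the account name.
    static boolean proxyByLoginIdentity(String ugiShortName, String loginShortName) {
        return !ugiShortName.equals(loginShortName);
    }

    // Simplified stand-in for a proxy-user ACL: real user -> users it may impersonate.
    static boolean aclAllows(Map<String, Set<String>> acl, String realUser, String target) {
        return acl.getOrDefault(realUser, Set.of()).contains(target);
    }

    // Outcome of a submission given the proxy decision and the ACL.
    static String submit(boolean proxy, Map<String, Set<String>> acl,
                         String realUser, String target) {
        if (!proxy) {
            return "submitted as " + realUser + " (no impersonation)";
        }
        return aclAllows(acl, realUser, target)
            ? "submitted as " + target + " via " + realUser
            : "REJECTED: " + realUser + " is not allowed to impersonate " + target;
    }

    public static void main(String[] args) {
        String fullName = "my-really-really-long-user-name"; // short name from the report
        String truncated = "my-reall";                        // constructed truncated value
        Map<String, Set<String>> acl = Map.of("hive", Set.of("etl")); // constructed ACL

        // Each case: { UGI short name, value of the user.name system property }
        String[][] cases = { {fullName, fullName}, {fullName, truncated} };
        for (String[] c : cases) {
            boolean byProp = proxyByProperty(c[0], c[1]);
            boolean byLogin = proxyByLoginIdentity(c[0], fullName);
            System.out.println("user.name=" + c[1]);
            System.out.println("  property check : " + submit(byProp, acl, fullName, c[0]));
            System.out.println("  login-id check : " + submit(byLogin, acl, fullName, c[0]));
        }
    }
}
```

With the truncated property the first check asks for a proxy of the user's own name and the ACL rejects it, which is the self-impersonation error the report quotes; the second check submits without impersonation in both cases.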
