ConfX created HIVE-27517:
----------------------------
Summary: SessionState is not correctly initialized when
hive.security.authorization.createtable.group.grants is set to automatically
grant privileges
Key: HIVE-27517
URL: https://issues.apache.org/jira/browse/HIVE-27517
Project: Hive
Issue Type: Bug
Reporter: ConfX
Attachments: reproduce.sh
h2. What happened:
When set {{hive.security.authorization.createtable.group.grants}} to some
value, the grant may not be able to successfully apply to specified groups due
to incorrect {{SessionState}} initialization and crashes the system.
h2. Buggy code:
When call {{getAuthenticator()}} method from {{SessionState}} class, it first
executes {{{}setupAuth(){}}}, which setup authentication and authorization
plugins for this session.
{noformat}
/**
* Setup authentication and authorization plugins for this session.
*/
private synchronized void setupAuth() {
...
// create the create table grants with new config
createTableGrants = CreateTableAutomaticGrant.create(sessionConf);
...
}{noformat}
In the table grants creation, the {{sessionConf}} sets group grant with
{{{}getGrantMap(){}}}. This method will validate privilege with
{{getPrivilege}} method and eventually {{getPrivilegeFromRegistry}} method will
be executed.
{noformat}
private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) :
Registry.get(ptype);
}{noformat}
However, {{ SessionState.get()}} can be null because the state may not be
correctly initialized.
In {{{}SessionState.java{}}}, {{get()}} method returns {{{}tss.get().state{}}}.
If the current thread does not have SessionStates initialized, then {{get()}}
will try to create a new SessionStates by calling {{initialValue()}} below.
This calls the default constructor of the {{SessionSatets}} class, which does
not initialize the {{SessionState}} field and {{HiveConf}} field.
{noformat}
/**
* get the current session.
*/
public static SessionState get() {
return tss.get().state;
}/**
* Singleton Session object per thread.
*
**/
private static ThreadLocal<SessionStates> tss = new
ThreadLocal<SessionStates>() {
@Override
protected SessionStates initialValue() {
return new SessionStates();
}
};private static class SessionStates {
private SessionState state;
private HiveConf conf;
private void attach(SessionState state) {
this.state = state;
attach(state.getConf());
}
private void attach(HiveConf conf) {
this.conf = conf; ClassLoader classLoader = conf.getClassLoader();
if (classLoader != null) {
Thread.currentThread().setContextClassLoader(classLoader);
}
}
}{noformat}
h2. How to reproduce:
(1) Set {{hive.security.authorization.createtable.group.grants}} to some value,
e.g. {{abc,def:create;xlab,tyx:all;}}
(2) Run test
{{org.apache.hadoop.hive.ql.parse.authorization.TestSessionUserName#testSessionGetGroupNames}}
h2. StackTrace:
{noformat}
java.lang.NullPointerException
at
org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilegeFromRegistry(PrivilegeRegistry.java:77)
at
org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry.getPrivilege(PrivilegeRegistry.java:72)
at
org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.validatePrivilege(CreateTableAutomaticGrant.java:108)
at
org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantorInfoList(CreateTableAutomaticGrant.java:91)
at
org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.getGrantMap(CreateTableAutomaticGrant.java:73)
at
org.apache.hadoop.hive.ql.session.CreateTableAutomaticGrant.create(CreateTableAutomaticGrant.java:47)
at
org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:996)
at
org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1744)
{noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)