[ https://issues.apache.org/jira/browse/HIVE-13446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15261179#comment-15261179 ]

Sergey Shelukhin commented on HIVE-13446:
-----------------------------------------

{noformat}
    Is the LLAP_VALIDATE_ACLS property really needed? Why not always have this 
enabled.
{noformat}
In case it breaks for someone for a reason we cannot foresee. This setting will 
also be used to enforce checking ZK acls.
{noformat}
    Changing the default for "hive.llap.management.acl" to " " instead of "*" 
seems to be a simpler approach. Afaik, the logged in user will still be allowed 
access. The default would allow only the logged in user (assuming that works). 
Instead of changing LLAP_VALIDATE_ACLS - users can modify the actual ACLs if 
they want to grant access to additional users.
{noformat}
I am not sure if this is going to work. We'd need to return the client 
principal key from KerberosInfo; even then, the verification is done like so:
{noformat}
String clientPrincipal = SecurityUtil.getServerPrincipal(conf.get(clientKey), 
addr);
...
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
... reject
{noformat}
It appears to require kinit with the host name from client. [~jingzhao] can you 
comment on this? Does IPC allow the current user to access the service, even if 
they logged in with keytab as [email protected], not user/[email protected]? If I 
understand the code in ServiceAuthorizationManager correctly, it doesn't appear 
to.


{noformat}
    hive.llap.management.acl.blocked - This seems very brittle. BLOCKED is an 
internal constant in Hadoop ServiceAuthorizationManager. I'm not sure how any 
project outside of Hadoop is supposed to use this in a reliable manner. Maybe 
define the main acl configuration as a string and add the blocked to it - to 
prevent strange naming problems mentioned in the code.
{noformat}
Hmm. How would adding the same thing to it be safer? 
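
An added model (not Hadoop's or Hive's own code) of the check discussed above: the `<acl>` / `<acl>.blocked` pair is parsed with Hadoop AccessControlList rules as I understand them ("*" matches everyone, "users groups" split on the first space, so " " matches nobody), and the rejection condition follows the snippet quoted from ServiceAuthorizationManager, with the Kerberos principal comparison reduced to two strings. The config keys, user names, group names and principals are constructed placeholders.

```python
# Constructed model of the Hadoop service-level ACL evaluation; not Hadoop code.
BLOCKED = ".blocked"  # suffix for the deny-list key, e.g. hive.llap.management.acl.blocked

def parse_acl(acl_string):
    """AccessControlList(String) semantics: "*" anywhere means everyone;
    otherwise "user1,user2 group1,group2". " " or "" therefore match nobody."""
    if "*" in acl_string:
        return {"all": True, "users": set(), "groups": set()}
    parts = acl_string.split(" ", 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    groups = set()
    if len(parts) == 2:
        groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return {"all": False, "users": users, "groups": groups}

def is_user_allowed(acl, user, user_groups):
    return acl["all"] or user in acl["users"] or bool(acl["groups"] & set(user_groups))

def authorize(conf, acl_key, user, user_groups, expected_principal=None, actual_principal=None):
    """Reject on principal mismatch, on absence from the allow ACL, or on presence
    in the blocked ACL (deny wins). Hadoop defaults: allow "*", blocked ""."""
    allowed = parse_acl(conf.get(acl_key, "*"))
    blocked = parse_acl(conf.get(acl_key + BLOCKED, ""))
    if expected_principal is not None and expected_principal != actual_principal:
        return False  # the clientPrincipal.equals(user.getUserName()) branch
    return is_user_allowed(allowed, user, user_groups) and \
        not is_user_allowed(blocked, user, user_groups)

KEY = "hive.llap.management.acl"  # placeholder for the key under discussion

def demo():
    weak = {KEY: "*"}                      # wildcard default: any caller passes
    tight = {KEY: " "}                     # proposed default: no caller passes
    granted = {KEY: "hive admins", KEY + BLOCKED: "bob"}  # explicit grants + deny
    return {
        "weak_anon": authorize(weak, KEY, "anyone", []),
        "tight_hive": authorize(tight, KEY, "hive", []),
        "granted_hive": authorize(granted, KEY, "hive", []),
        "granted_alice_admin": authorize(granted, KEY, "alice", ["admins"]),
        "granted_bob_admin": authorize(granted, KEY, "bob", ["admins"]),
        # constructed principals: host-qualified expectation vs. plain keytab login
        "principal_mismatch": authorize(granted, KEY, "hive", [],
                                        "hive/host.example@REALM", "hive@REALM"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```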


> LLAP: set default management protocol acls to deny all
> ------------------------------------------------------
>
>                 Key: HIVE-13446
>                 URL: https://issues.apache.org/jira/browse/HIVE-13446
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13446.patch
>
>
> The user needs to set the acls.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)