[ https://issues.apache.org/jira/browse/HIVE-17252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114905#comment-16114905 ]
Xuefu Zhang commented on HIVE-17252:
------------------------------------
I don't think Hive sets any value to mapreduce.job.queuename by default. In
fact, it's expected that a user sets the queue name correctly. Hive doesn't
manage user-queue mapping either. Please refer to YARN queue access control for
queue permissions.

> Insecure YARN Fair Scheduler when using HiveServer2 non-impersonation mode
> --------------------------------------------------------------------------
>
> Key: HIVE-17252
> URL: https://issues.apache.org/jira/browse/HIVE-17252
> Project: Hive
> Issue Type: Bug
> Affects Versions: 1.1.0
> Reporter: Vugar Karimli
>
> Hi,
> I am using Hive version 1.1.0 with Hadoop 2.6.0. As you know, when Kerberos
> and Sentry are enabled in a Hadoop cluster, HiveServer2 user impersonation should
> be turned off (hive.server2.enable.doAs=false) to force all queries in the
> background to be executed by the hive user instead of the logged-in user.
> In this case by default HiveServer2 takes into account Fair Scheduler and
> sets mapreduce.job.queuename parameter according to logged in Hive username
> and correctly executes query in user's YARN queue. For example, in
> root.users.user_name queue.
> But the problem here is that any user can modify the mapreduce.job.queuename
> parameter, setting another user's queue name (set
> mapreduce.job.queuename=root.users.other_user_name), and execute a query in
> another user's YARN queue. Here the YARN queue's ACL also doesn't help, because
> all queries are executed by the hive user in YARN, not by the logged-in user.
> Is it possible to prevent HiveServer2 users from changing the
> mapreduce.job.queuename parameter?
> Best Regards,
> Vugar.
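
An added example, not part of the original thread or of Hive's code: a small audit of a hive-site.xml that reports whether a session could still override the queue property named in the report when impersonation is off. It assumes Hive's hive.conf.restricted.list setting is what blocks session-level SET of the listed keys; the sample XML is constructed, and covering the deprecated alias mapred.job.queue.name is an assumption.

```python
import xml.etree.ElementTree as ET

# Queue properties a session-level SET could use to pick another queue.
# mapreduce.job.queuename is the one named in the report; mapred.job.queue.name
# is its deprecated Hadoop alias (covering it is an assumption of this example).
QUEUE_KEYS = ("mapreduce.job.queuename", "mapred.job.queue.name")

# Constructed sample hive-site.xml contents (not taken from a real cluster).
WEAK_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""

HARDENED_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property>
    <name>hive.conf.restricted.list</name>
    <value>hive.security.authenticator.manager,hive.security.authorization.manager,
           mapreduce.job.queuename,mapred.job.queue.name</value>
  </property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def unrestricted_queue_keys(xml_text):
    """List queue properties that sessions may still override.

    Only relevant when impersonation is off: with doAs=true the job runs as the
    logged-in user, so YARN queue ACLs are checked against that user.
    """
    props = load_properties(xml_text)
    if props.get("hive.server2.enable.doAs", "true").lower() != "false":
        return []
    raw = props.get("hive.conf.restricted.list", "")
    restricted = {key.strip() for key in raw.split(",")}
    return [key for key in QUEUE_KEYS if key not in restricted]


if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, unrestricted_queue_keys(site) or "queue keys restricted")
```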