-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58429/
-----------------------------------------------------------

(Updated April 13, 2017, 6:45 p.m.)


Review request for Ambari, Attila Doroszlai, Henning Kropp, and Robert Levas.


Bugs: AMBARI-20760
    https://issues.apache.org/jira/browse/AMBARI-20760


Repository: ambari


Description
-------

After setting up PAM, I tried to log in as a PAM user and access the Hive view; 
the user home test fails with the error shown in the screenshot.

This issue was pointed out by Henning Kropp in the jira AMBARI-12263, but was 
not incorporated in the code. Pasting the comment from Henning below.

Something we noticed is that in a secured cluster we have issues with the 
views, getting the following exception for the Hive view as an example:

Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, 
infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate 
proxy privilege of ambari for 
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32,
.....
sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of 
ambari for 
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119),
 serverProtocolVersion:null)

As you can see, it tries to impersonate 
"org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32".
 Changing the UsernamePasswordAuthenticationToken from Principal to username 
fixes this.

So instead of:

UsernamePasswordAuthenticationToken token =
    new UsernamePasswordAuthenticationToken(principal, null, userAuthorities);

We use:

UsernamePasswordAuthenticationToken token =
    new UsernamePasswordAuthenticationToken(user.getUserName(), null, userAuthorities);

What could potentially also work is overriding toString of the principal, like:

Principal principal = new Principal() {
  @Override
  public String getName() {
    return user.getUserName();
  }

  @Override
  public String toString() {
    return user.getUserName().toString();
  }
};

We did not test this!


Testing
-------

Ran mvn test and also manually tested the scenario


File Attachments (updated)
----------------

error screenshot
  
https://reviews.apache.org/media/uploaded/files/2017/04/13/4a43b897-e030-41a7-b702-f711432b03b9__error.PNG


Thanks,

Anita Jebaraj
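
Added example (not part of the review request and not Ambari's code): a self-contained Java sketch of how a principal object, rather than a user name, can end up as the impersonated user, and a check that fails closed. Token, naiveProxyUser, checkedProxyUser, the account-name pattern and the "pamuser" account are hypothetical; the assumption is that some consumer renders the token's principal as text.

```java
import java.security.Principal;
import java.util.regex.Pattern;

public class PrincipalNameDemo {
  // Hypothetical stand-in for an authentication token (not Spring's class).
  static final class Token {
    private final Object principal;
    Token(Object principal) { this.principal = principal; }
    Object getPrincipal() { return principal; }
  }

  // Assumed consumer behaviour: the proxy user is the principal rendered as text.
  static String naiveProxyUser(Token t) {
    return String.valueOf(t.getPrincipal());
  }

  // Constructed policy for this example: the shape of an acceptable account name.
  private static final Pattern ACCOUNT = Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]{0,31}");

  // Defensive variant: prefer Principal.getName(), then fail closed on anything
  // that is not account-shaped (a default Object.toString() value contains '@').
  static String checkedProxyUser(Token t) {
    Object p = t.getPrincipal();
    String name = (p instanceof Principal) ? ((Principal) p).getName() : String.valueOf(p);
    if (name == null || !ACCOUNT.matcher(name).matches()) {
      throw new IllegalStateException("refusing to impersonate: " + name);
    }
    return name;
  }

  public static void main(String[] args) {
    final String userName = "pamuser"; // constructed sample account
    Principal plain = new Principal() { // no toString(): Object.toString() applies
      @Override public String getName() { return userName; }
    };
    Principal named = new Principal() { // the untested alternative from the comment
      @Override public String getName() { return userName; }
      @Override public String toString() { return userName; }
    };
    System.out.println("principal object: " + naiveProxyUser(new Token(plain)));
    System.out.println("user name string: " + naiveProxyUser(new Token(userName)));
    System.out.println("toString override: " + naiveProxyUser(new Token(named)));
    System.out.println("checked, Principal: " + checkedProxyUser(new Token(plain)));
    try {
      checkedProxyUser(new Token(new Object())); // not a Principal, not a name
    } catch (IllegalStateException e) {
      System.out.println("checked, raw object: " + e.getMessage());
    }
  }
}
```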
