[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-28 Thread Vaibhav Gumashta (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13982824#comment-13982824
 ] 

Vaibhav Gumashta commented on HIVE-6957:


[~thejas] I don't have access to svn yet. This should be good to commit. 

> SQL authorization does not work with HS2 binary mode and Kerberos auth
> --
>
> Key: HIVE-6957
> URL: https://issues.apache.org/jira/browse/HIVE-6957
> Project: Hive
> Issue Type: Bug
> Components: Authorization, HiveServer2
> Affects Versions: 0.13.0
> Reporter: Thejas M Nair
> Assignee: Thejas M Nair
> Attachments: HIVE-6957.04-branch.0.13.patch, HIVE-6957.1.patch, 
> HIVE-6957.2.patch, HIVE-6957.3.patch, HIVE-6957.4.patch
>
>
> In HiveServer2, when Kerberos auth and binary transport modes are used, the 
> user name that gets passed on to authorization is the long Kerberos username.
> The usernames that are used in grant/revoke statements tend to be the short 
> usernames.
> This also fails in authorizing statements that involve a URI, as the 
> authorization mode checks the file system permissions for the given user. It does 
> not recognize that the given long username actually owns the file or belongs 
> to the group that owns the file.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
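
The mismatch described in the quoted issue text above, as an added example that is not part of the thread or of Hive's code: a simplified Python model in which grants and file owners are recorded under short usernames, so a check made with the long Kerberos name fails until the name is mapped. The user `alice`, the realm `EXAMPLE.COM`, the path and all function names are constructed for illustration; only the table name comes from the thread.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"   # assumed default realm for this sketch

# Constructed data: grants and file owners are recorded under short usernames.
GRANTS = {("alice", "default.test_jdbc_sql_auth2"): {"SELECT"}}
FILE_OWNERS = {"/warehouse/alice_data": "alice"}

_PRINCIPAL = re.compile(r"^([^/@]+)(?:/([^@]+))?@(.+)$")


def short_name(principal, default_realm=DEFAULT_REALM):
    """Map primary[/instance]@REALM to its short name.

    Simplified default-realm-only mapping: principals from any other realm
    are rejected rather than silently truncated, so alice@OTHER.ORG can
    never be treated as the local user alice.
    """
    m = _PRINCIPAL.match(principal)
    if m is None:
        return principal            # no realm part: already a short name
    primary, _instance, realm = m.groups()
    if realm != default_realm:
        raise ValueError(f"no mapping rule for realm {realm!r}")
    return primary


def has_privilege(user, obj, privilege):
    """Look the user up exactly as the name was handed to authorization."""
    return privilege in GRANTS.get((user, obj), set())


def owns_path(user, path):
    """File-system style owner check, as used for statements with a URI."""
    return FILE_OWNERS.get(path) == user


def authorize(authenticated_name, obj, privilege, normalize):
    """normalize=False models the reported behaviour (long name passed on);
    normalize=True models the behaviour once the short name is used."""
    user = short_name(authenticated_name) if normalize else authenticated_name
    return has_privilege(user, obj, privilege)


if __name__ == "__main__":
    long_name = "alice@EXAMPLE.COM"
    table = "default.test_jdbc_sql_auth2"
    path = "/warehouse/alice_data"
    print("SELECT with long name :", authorize(long_name, table, "SELECT", False))
    print("SELECT with short name:", authorize(long_name, table, "SELECT", True))
    print("owner check, long name :", owns_path(long_name, path))
    print("owner check, short name:", owns_path(short_name(long_name), path))
```
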


[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-25 Thread Vaibhav Gumashta (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13981433#comment-13981433
 ] 

Vaibhav Gumashta commented on HIVE-6957:


+1



[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-25 Thread Hive QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980939#comment-13980939
 ] 

Hive QA commented on HIVE-6957:
---



{color:red}Overall{color}: -1 at least one tests failed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12641843/HIVE-6957.4.patch

{color:red}ERROR:{color} -1 due to 40 failed/errored test(s), 5420 tests 
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_auto_join32
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_filter_numeric
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby2_map_skew
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby_sort_1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby_sort_skew_1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_infer_bucket_sort_list_bucket
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_list_bucket_dml_6
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_list_bucket_dml_7
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_list_bucket_dml_8
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_mapjoin_test_outer
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_nullgroup3
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_orc_createas1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_ppd_join4
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_select_dummy_source
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_stats_list_bucket
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_stats_partscan_1_23
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_symlink_text_input_format
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_truncate_column_list_bucket
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_udf_current_database
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_10
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_12
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_13
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_14
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_19
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_2
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_20
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_21
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_22
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_23
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_24
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_4
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_5
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_7
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_8
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_9
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_bucketizedhiveinputformat
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_root_dir_external_table
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_dynamic_partitions_with_whitelist
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_stats_partialscan_autogether
{noformat}

Test results: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/35/testReport
Console output: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/35/console

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 40 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12641843


[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-24 Thread Vaibhav Gumashta (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980540#comment-13980540
 ] 

Vaibhav Gumashta commented on HIVE-6957:


+1 non-binding. Latest patch looks good - tests are super useful, I think I'll 
use this as base to add more kerberos related tests.



[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-23 Thread Vaibhav Gumashta (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13978987#comment-13978987
 ] 

Vaibhav Gumashta commented on HIVE-6957:


[~thejas] The patch & added tests look good. I've added some minor comments on 
rb. The documentation related comments are unrelated to this patch, so we can 
always do it later. Thanks!



[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-23 Thread Hive QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13978383#comment-13978383
 ] 

Hive QA commented on HIVE-6957:
---



{color:red}Overall{color}: -1 at least one tests failed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12641337/HIVE-6957.1.patch

{color:red}ERROR:{color} -1 due to 42 failed/errored test(s), 5418 tests 
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_auto_join32
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_filter_numeric
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby2_map_skew
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby_sort_1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby_sort_skew_1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_infer_bucket_sort_list_bucket
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_list_bucket_dml_6
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_list_bucket_dml_7
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_list_bucket_dml_8
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_mapjoin_test_outer
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_nullgroup3
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_orc_createas1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_ppd_join4
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_select_dummy_source
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_stats_list_bucket
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_stats_partscan_1_23
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_symlink_text_input_format
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_truncate_column_list_bucket
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_udf_current_database
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_10
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_12
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_13
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_14
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_17
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_19
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_2
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_20
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_21
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_22
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_23
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_24
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_4
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_5
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_7
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_8
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_remove_9
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_bucketizedhiveinputformat
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_root_dir_external_table
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_dynamic_partitions_with_whitelist
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_stats_partialscan_autogether
org.apache.hive.minikdc.TestJdbcWithMiniKdc.testConnection
{noformat}

Test results: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/14/testReport
Console output: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/14/console

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 42 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12641337


[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-22 Thread Thejas M Nair (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977468#comment-13977468
 ] 

Thejas M Nair commented on HIVE-6957:
-

Error looks like this 
{code}
java.sql.SQLException: Error while compiling statement: FAILED: 
HiveAccessControlException Permission denied. Principal 
[name=us...@example.com, type=USER] does not have following privileges on 
Object [type=TABLE_OR_VIEW, name=default.test_jdbc_sql_auth2] : [SELECT]
{code}



[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-22 Thread Thejas M Nair (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977462#comment-13977462
 ] 

Thejas M Nair commented on HIVE-6957:
-

The long username is not of any significance within hive. We always use the 
short username for all purposes including the owner in metastore.
This patch changes the username that gets set for HS2 purposes, to the short 
username.




[jira] [Commented] (HIVE-6957) SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-22 Thread Thejas M Nair (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977461#comment-13977461
 ] 

Thejas M Nair commented on HIVE-6957:
-

A workaround is to use the http transport mode for HS2.
