Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-24 Thread Thejas Nair

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
---

(Updated April 25, 2014, 12:36 a.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
---

HIVE-6957.4.patch - rename the abstract base test class to *Test.java


Bugs: HIVE-6957
https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
---

In HiveServer2, when Kerberos auth and binary transport modes are used, the
user name that gets passed on to authorization is the long Kerberos username.
The username that is used in grant/revoke statements tends to be the short
username.
This also fails in authorizing statements that involve a URI, as the
authorization mode checks the file system permissions for the given user. It does
not recognize that the given long username actually owns the file or belongs to
the group that owns the file.


Diffs (updated)
-

  
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuthTest.java PRE-CREATION
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde
  itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de

Diff: https://reviews.apache.org/r/20578/diff/


Testing
---

Unit test included.


Thanks,

Thejas Nair
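
The mismatch described in this review request, as an added Java example that is not part of the original e-mail or of the Hive patch: grant and file-owner lookups keyed by short names reject the long Kerberos principal until it is mapped to a short name. The class name, the sample principals, the realm EXAMPLE.COM and the simplified mapping rule (first component, trusted realm only) are assumptions; the patch's own mapping code is not shown on this page.

```java
import java.util.Map;
import java.util.Set;

public class ShortNameAuthDemo {
    // Constructed data: privileges are granted to short names, files are owned by short names.
    static final Map<String, Set<String>> GRANTS = Map.of("user1", Set.of("SELECT ON tab1"));
    static final Map<String, String> FILE_OWNER = Map.of("/warehouse/tab1", "user1");

    // Simplified, hypothetical mapping rule: primary[/instance]@REALM -> primary,
    // applied only to the trusted realm so that a foreign principal is never
    // collapsed onto a local short name.
    static String toShortName(String principal, String trustedRealm) {
        int at = principal.lastIndexOf('@');
        if (at < 0) {
            return principal; // already a short name
        }
        if (!principal.substring(at + 1).equals(trustedRealm)) {
            throw new IllegalArgumentException("no mapping rule for " + principal);
        }
        String primary = principal.substring(0, at).split("/", 2)[0];
        if (primary.isEmpty()) {
            throw new IllegalArgumentException("empty primary in " + principal);
        }
        return primary;
    }

    static boolean hasPrivilege(String user, String privilege) {
        return GRANTS.getOrDefault(user, Set.of()).contains(privilege);
    }

    static boolean ownsFile(String user, String path) {
        return user.equals(FILE_OWNER.get(path));
    }

    public static void main(String[] args) {
        String longName = "user1@EXAMPLE.COM"; // constructed principal, as the transport layer reports it
        String shortName = toShortName(longName, "EXAMPLE.COM");

        // Authorizing with the long name: both checks fail although user1 holds the grant.
        System.out.println(hasPrivilege(longName, "SELECT ON tab1"));
        System.out.println(ownsFile(longName, "/warehouse/tab1"));
        // Authorizing with the mapped short name: both checks pass.
        System.out.println(hasPrivilege(shortName, "SELECT ON tab1"));
        System.out.println(ownsFile(shortName, "/warehouse/tab1"));
        // A principal from another realm must not be treated as the local user1.
        try {
            toShortName("user1@OTHER.REALM", "EXAMPLE.COM");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```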



Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-24 Thread Vaibhav Gumashta

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/#review41424
---

Ship it!



- Vaibhav Gumashta


On April 24, 2014, 11:21 p.m., Thejas Nair wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/20578/
> ---
> 
> (Updated April 24, 2014, 11:21 p.m.)
> 
> 
> Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.
> 
> 
> Bugs: HIVE-6957
> https://issues.apache.org/jira/browse/HIVE-6957
> 
> 
> Repository: hive-git
> 
> 
> Description
> ---
> 
> In HiveServer2, when Kerberos auth and binary transport modes are used, the
> user name that gets passed on to authorization is the long Kerberos username.
> The username that is used in grant/revoke statements tends to be the short
> username.
> This also fails in authorizing statements that involve a URI, as the
> authorization mode checks the file system permissions for the given user. It does
> not recognize that the given long username actually owns the file or belongs
> to the group that owns the file.
> 
> 
> Diffs
> -
> 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java PRE-CREATION
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION
>   itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde
>   itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de
> 
> Diff: https://reviews.apache.org/r/20578/diff/
> 
> 
> Testing
> ---
> 
> Unit test included.
> 
> 
> Thanks,
> 
> Thejas Nair
> 
>



Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-24 Thread Thejas Nair

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
---

(Updated April 24, 2014, 11:21 p.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
---

3.patch - fixing TestSSL failures because of change in MiniHS2


Bugs: HIVE-6957
https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
---

In HiveServer2, when Kerberos auth and binary transport modes are used, the
user name that gets passed on to authorization is the long Kerberos username.
The username that is used in grant/revoke statements tends to be the short
username.
This also fails in authorizing statements that involve a URI, as the
authorization mode checks the file system permissions for the given user. It does
not recognize that the given long username actually owns the file or belongs to
the group that owns the file.


Diffs (updated)
-

  
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java PRE-CREATION
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde
  itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java 7b85b97
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de

Diff: https://reviews.apache.org/r/20578/diff/


Testing
---

Unit test included.


Thanks,

Thejas Nair



Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-24 Thread Thejas Nair

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
---

(Updated April 24, 2014, 10:19 p.m.)


Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Changes
---

adding http mode test, debug log


Bugs: HIVE-6957
https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
---

In HiveServer2, when Kerberos auth and binary transport modes are used, the
user name that gets passed on to authorization is the long Kerberos username.
The username that is used in grant/revoke statements tends to be the short
username.
This also fails in authorizing statements that involve a URI, as the
authorization mode checks the file system permissions for the given user. It does
not recognize that the given long username actually owns the file or belongs to
the group that owns the file.


Diffs (updated)
-

  
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/JdbcWithMiniKdcSQLAuth.java PRE-CREATION
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthBinary.java PRE-CREATION
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuthHttp.java PRE-CREATION
  itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java d08bfde
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de

Diff: https://reviews.apache.org/r/20578/diff/


Testing
---

Unit test included.


Thanks,

Thejas Nair



Re: Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-23 Thread Vaibhav Gumashta

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/#review41224
---



itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuth.java


Should we add another test when HiveServer2 is running in http mode (since 
username is set in a different way in binary/http mode)?



shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java


I was thinking we should start adding more docs to the code in general to 
explain the intent. For example, we can add a little note here.  



shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java


Similar to above comment, we can add a note here to call out the intent.



shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java


Should we log the short username at debug level?


- Vaibhav Gumashta


On April 22, 2014, 9:32 p.m., Thejas Nair wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/20578/
> ---
> 
> (Updated April 22, 2014, 9:32 p.m.)
> 
> 
> Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.
> 
> 
> Bugs: HIVE-6957
> https://issues.apache.org/jira/browse/HIVE-6957
> 
> 
> Repository: hive-git
> 
> 
> Description
> ---
> 
> In HiveServer2, when Kerberos auth and binary transport modes are used, the
> user name that gets passed on to authorization is the long Kerberos username.
> The username that is used in grant/revoke statements tends to be the short
> username.
> This also fails in authorizing statements that involve a URI, as the
> authorization mode checks the file system permissions for the given user. It does
> not recognize that the given long username actually owns the file or belongs
> to the group that owns the file.
> 
> 
> Diffs
> -
> 
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e
>   itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuth.java PRE-CREATION
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de
> 
> Diff: https://reviews.apache.org/r/20578/diff/
> 
> 
> Testing
> ---
> 
> Unit test included.
> 
> 
> Thanks,
> 
> Thejas Nair
> 
>



Review Request 20578: HIVE-6957 - SQL authorization does not work with HS2 binary mode and Kerberos auth

2014-04-22 Thread Thejas Nair

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20578/
---

Review request for hive, Ashutosh Chauhan and Vaibhav Gumashta.


Bugs: HIVE-6957
https://issues.apache.org/jira/browse/HIVE-6957


Repository: hive-git


Description
---

In HiveServer2, when Kerberos auth and binary transport modes are used, the
user name that gets passed on to authorization is the long Kerberos username.
The username that is used in grant/revoke statements tends to be the short
username.
This also fails in authorizing statements that involve a URI, as the
authorization mode checks the file system permissions for the given user. It does
not recognize that the given long username actually owns the file or belongs to
the group that owns the file.


Diffs
-

  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java f7ec93d
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java 62bfa1e
  itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdcSQLAuth.java PRE-CREATION
  shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 9e296de

Diff: https://reviews.apache.org/r/20578/diff/


Testing
---

Unit test included.


Thanks,

Thejas Nair