[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14482699#comment-14482699 ]

Lefty Leverenz commented on HIVE-10145:
---
Does this need any documentation?

set Tez ACLs appropriately in hive
---
Key: HIVE-10145
URL: https://issues.apache.org/jira/browse/HIVE-10145
Project: Hive
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Thejas M Nair
Fix For: 1.2.0
Attachments: HIVE-10145.1.patch

Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users.

Proposed Change -
Set DAG level ACL for user running the query (the end user), to allow modify + view

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14484690#comment-14484690 ]

Thejas M Nair commented on HIVE-10145:
---
I don't think this needs documentation, this is the intuitive behavior.
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14484706#comment-14484706 ]

Lefty Leverenz commented on HIVE-10145:
---
Thanks [~thejas].
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394139#comment-14394139 ]

Hitesh Shah commented on HIVE-10145:
---
No open jira. Can you please go ahead and create one? Thanks.
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394885#comment-14394885 ]

Thejas M Nair commented on HIVE-10145:
---
[~hitesh] Created TEZ-2277 to track the issue.
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14395016#comment-14395016 ]

Hive QA commented on HIVE-10145:
---
{color:red}Overall{color}: -1 at least one tests failed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12709140/HIVE-10145.1.patch

{color:red}ERROR:{color} -1 due to 4 failed/errored test(s), 8699 tests executed

*Failed tests:*
{noformat}
TestCustomAuthentication - did not produce a TEST-*.xml file
TestMinimrCliDriver-smb_mapjoin_8.q - did not produce a TEST-*.xml file
org.apache.hadoop.hive.metastore.txn.TestCompactionTxnHandler.testRevokeTimedOutWorkers
org.apache.hive.jdbc.TestSSL.testSSLFetchHttp
{noformat}

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3273/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3273/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-3273/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 4 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12709140 - PreCommit-HIVE-TRUNK-Build
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14395125#comment-14395125 ]

Thejas M Nair commented on HIVE-10145:
---
[~hitesh] Does the patch look good to you, from a Tez perspective?
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393933#comment-14393933 ]

Thejas M Nair commented on HIVE-10145:
---
Thanks for the view [~vikram.dixit]. I did some manual testing to verify this works.

[~hitesh] I think I have run into what looks like a Tez bug during tests. Though I set the end user as the view and write user, the user does not get added to the writers list.

GET http://localhost:8188/ws/v1/timeline/domain/Tez_ATS_application_1428012550608_0017_hive_20150403011754_26c51eb0-6ef5-4f5a-8285-f14640b0c1b1:1

Gives -
{code}
{
  id: Tez_ATS_application_1428012550608_0017_hive_20150403011754_26c51eb0-6ef5-4f5a-8285-f14640b0c1b1:1,
  owner: hive,
  readers: hive,hrt_qa ,
  writers: hive,
  createdtime: 1428023886613,
  modifiedtime: 1428023886613
}
{code}

I see that calls to getUsersWithModifyACLs are missing from ATSHistoryACLPolicyManager.java, it has only calls to getUsersWithViewACLs. Is there any existing bug tracking that issue?
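Added example, not part of the original thread or of Hive/Tez code: the manual check from the comment above as a small script that reports which ACL fields of a timeline domain record fail to grant a user access. It assumes `readers` and `writers` use Hadoop's ACL string syntax (comma-separated users, a space, comma-separated groups, `*` for everyone) and that the domain owner always has access; the function names are hypothetical and the sample record is the one from the comment, re-typed as JSON.

```python
import json

# Constructed sample: the domain record quoted in the comment above, re-typed as
# valid JSON (the quoting is an assumption; the archive shows it unquoted).
SAMPLE_RESPONSE = """
{
  "id": "Tez_ATS_application_1428012550608_0017_hive_20150403011754_26c51eb0-6ef5-4f5a-8285-f14640b0c1b1:1",
  "owner": "hive",
  "readers": "hive,hrt_qa ",
  "writers": "hive",
  "createdtime": 1428023886613,
  "modifiedtime": 1428023886613
}
"""
DOMAIN = json.loads(SAMPLE_RESPONSE)


def parse_acl(acl):
    """Parse a Hadoop-style ACL string "user1,user2 group1,group2".

    Returns None for the "*" wildcard, else a (users, groups) pair of sets.
    """
    if acl.strip() == "*":
        return None
    users, _, groups = acl.partition(" ")
    names = lambda part: {n.strip() for n in part.split(",") if n.strip()}
    return names(users), names(groups)


def is_allowed(acl, user, groups=()):
    """True if `user`, or one of the user's `groups`, is granted by `acl`."""
    parsed = parse_acl(acl or " ")  # empty or missing field: nobody is listed
    if parsed is None:
        return True
    users, acl_groups = parsed
    return user in users or bool(acl_groups & set(groups))


def missing_access(domain, user, groups=()):
    """Return the domain fields ("readers", "writers") that do not grant `user`."""
    if user == domain.get("owner"):
        return []  # assumption: the domain owner always has access
    return [field for field in ("readers", "writers")
            if not is_allowed(domain.get(field), user, groups)]


if __name__ == "__main__":
    for name in ("hive", "hrt_qa"):
        print(name, "missing:", missing_access(DOMAIN, name) or "nothing")
```

Run against the record above, the end user `hrt_qa` is reported as missing from `writers` only, which is the behavior the comment describes.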
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393917#comment-14393917 ]

Vikram Dixit K commented on HIVE-10145:
---
From hive side looks OK +1. Would be good to get a review from tez guys as well.
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393900#comment-14393900 ]

Thejas M Nair commented on HIVE-10145:
---
After more thought, I feel it does not make sense to inherit the admin role users only in case when SQL Standard authorization is enabled, as that is just one of the possible authorization modes, that would be confusing. There is not much value I see in that added complexity.

I will keep things simple and just let users set the AM level permissions using tez.am.*-acls properties. Only DAG level access control will be set from HiveServer2. This is to ensure that end users running queries with doAs=false still have access to the DAG information for DAGs corresponding to their query.

Updating the proposal in description.

set Tez ACLs appropriately in hive
---
Key: HIVE-10145
URL: https://issues.apache.org/jira/browse/HIVE-10145
Project: Hive
Issue Type: Bug
Reporter: Thejas M Nair

Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users.

Proposed Changes -
Set session level tez ACL for a super user, to allow modify + view
Set DAG level ACL for user running the query (the end user), to allow modify + view

Determining the super user -
Super user can be configured using hive.tez.admin.user. This can be initialized by Authorization implementation (such as sql standard authorization) if it is not already set to a specific value. SQL standard authorization would initialize if it is unset to the sql standard admin user.