[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14482699#comment-14482699 ] Lefty Leverenz commented on HIVE-10145: --- Does this need any documentation? set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Fix For: 1.2.0 Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14484690#comment-14484690 ] Thejas M Nair commented on HIVE-10145: -- I don't think this needs documentation, this is a the intuitive behavior. set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Fix For: 1.2.0 Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14484706#comment-14484706 ] Lefty Leverenz commented on HIVE-10145: --- Thanks [~thejas]. set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Fix For: 1.2.0 Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14394139#comment-14394139 ] Hitesh Shah commented on HIVE-10145: No open jira. Can you please go ahead and create one? Thanks. set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14394885#comment-14394885 ] Thejas M Nair commented on HIVE-10145: -- [~hitesh] Created TEZ-2277 to track the issue. set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[
https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14395016#comment-14395016
]
Hive QA commented on HIVE-10145:
{color:red}Overall{color}: -1 at least one tests failed
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12709140/HIVE-10145.1.patch
{color:red}ERROR:{color} -1 due to 4 failed/errored test(s), 8699 tests executed
*Failed tests:*
{noformat}
TestCustomAuthentication - did not produce a TEST-*.xml file
TestMinimrCliDriver-smb_mapjoin_8.q - did not produce a TEST-*.xml file
org.apache.hadoop.hive.metastore.txn.TestCompactionTxnHandler.testRevokeTimedOutWorkers
org.apache.hive.jdbc.TestSSL.testSSLFetchHttp
{noformat}
Test results:
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3273/testReport
Console output:
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3273/console
Test logs:
http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-3273/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 4 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12709140 - PreCommit-HIVE-TRUNK-Build
set Tez ACLs appropriately in hive
--
Key: HIVE-10145
URL: https://issues.apache.org/jira/browse/HIVE-10145
Project: Hive
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Thejas M Nair
Attachments: HIVE-10145.1.patch
Hive should make the necessary changes to integrate with Tez and Timeline. It
should pass the necessary ACL related params to ensure that query execution +
logs is only visible to the relevant users.
Proposed Change -
Set DAG level ACL for user running the query (the end user), to allow modify
+ view
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14395125#comment-14395125 ] Thejas M Nair commented on HIVE-10145: -- [~hitesh] Does the patch look good to you, from a Tez perspective ? set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[
https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14393933#comment-14393933
]
Thejas M Nair commented on HIVE-10145:
--
Thanks for the view [~vikram.dixit]. I did some manual testing to verify this
works.
[~hitesh] I think I have run into what looks like a Tez bug during tests.
Though I set the end user as the view and write user, the user does not get
added to the writers list.
GET
http://localhost:8188/ws/v1/timeline/domain/Tez_ATS_application_1428012550608_0017_hive_20150403011754_26c51eb0-6ef5-4f5a-8285-f14640b0c1b1:1
Gives -
{code}
{
id:
Tez_ATS_application_1428012550608_0017_hive_20150403011754_26c51eb0-6ef5-4f5a-8285-f14640b0c1b1:1,
owner: hive,
readers: hive,hrt_qa ,
writers: hive,
createdtime: 1428023886613,
modifiedtime: 1428023886613
}
{code}
I see that calls to getUsersWithModifyACLs are missing from
ATSHistoryACLPolicyManager.java, it has only calls to getUsersWithViewACLs. Is
there any existing bug tracking that issue ?
set Tez ACLs appropriately in hive
--
Key: HIVE-10145
URL: https://issues.apache.org/jira/browse/HIVE-10145
Project: Hive
Issue Type: Bug
Reporter: Thejas M Nair
Assignee: Thejas M Nair
Attachments: HIVE-10145.1.patch
Hive should make the necessary changes to integrate with Tez and Timeline. It
should pass the necessary ACL related params to ensure that query execution +
logs is only visible to the relevant users.
Proposed Change -
Set DAG level ACL for user running the query (the end user), to allow modify
+ view
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14393917#comment-14393917 ] Vikram Dixit K commented on HIVE-10145: --- From hive side looks OK +1. Would be good to get a review from tez guys as well. set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Attachments: HIVE-10145.1.patch Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Change - Set DAG level ACL for user running the query (the end user), to allow modify + view -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10145) set Tez ACLs appropriately in hive
[ https://issues.apache.org/jira/browse/HIVE-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14393900#comment-14393900 ] Thejas M Nair commented on HIVE-10145: -- After more thought, I feel it does not make sense to inherit the admin role users only in case when SQL Standard authorization is enabled, as that is just one of the possible authorization modes, that would be confusing. There is not much value I see in that added complexity. I will keep things simple and just let users set the AM level permissions using tez.am.*-acls properties. Only DAG level access control will be set from HiveServer2. This is to ensure that end users running queries with doAs=false still have access to the DAG information for DAGs corresponding to their query. Updating the proposal in description. set Tez ACLs appropriately in hive -- Key: HIVE-10145 URL: https://issues.apache.org/jira/browse/HIVE-10145 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Hive should make the necessary changes to integrate with Tez and Timeline. It should pass the necessary ACL related params to ensure that query execution + logs is only visible to the relevant users. Proposed Changes - Set session level tez ACL for a super user, to allow modify + view Set DAG level ACL for user running the query (the end user), to allow modify + view Determining the super user - Super user can be configured using using hive.tez.admin.user. This can be initialized by Authorization implementation (such as sql standard authorization) if it is not already set to a specific value. SQL standard authorization would initialize if it is unset to the sql standard admin user. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
