[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15265244#comment-15265244 ]

Lefty Leverenz commented on HIVE-13447:

Doc note: This adds *hive.llap.validate.acls* to HiveConf.java, so it will need to be documented in the LLAP section of Configuration Properties for release 2.1.0.

* [Configuration Properties -- LLAP | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-LLAP]

> LLAP: check ZK acls for registry and fail if they are too permissive
>
>                 Key: HIVE-13447
>                 URL: https://issues.apache.org/jira/browse/HIVE-13447
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>              Labels: TODOC2.1
>             Fix For: 2.1.0
>
>         Attachments: HIVE-13447.01.patch, HIVE-13447.patch
>
>
> Only the current ("hive") user can have write access.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15263364#comment-15263364 ]

Prasanth Jayachandran commented on HIVE-13447:

+1
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15261241#comment-15261241 ]

Sergey Shelukhin commented on HIVE-13447:

[~prasanth_j] [~sseth] ping?
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15257453#comment-15257453 ]

Sergey Shelukhin commented on HIVE-13447:

Test failures are unrelated.
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15256109#comment-15256109 ]

Hive QA commented on HIVE-13447:

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12800319/HIVE-13447.01.patch

{color:red}ERROR:{color} -1 due to no test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 41 failed/errored test(s), 9924 tests executed

*Failed tests:*
{noformat}
TestHWISessionManager - did not produce a TEST-*.xml file
TestMiniTezCliDriver-enforce_order.q-vector_partition_diff_num_cols.q-unionDistinct_1.q-and-12-more - did not produce a TEST-*.xml file
TestMiniTezCliDriver-vectorized_parquet.q-vector_decimal_aggregate.q-tez_self_join.q-and-12-more - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_auto_sortmerge_join_2
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_index_auto_mult_tables
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_index_bitmap3
org.apache.hadoop.hive.metastore.TestAuthzApiEmbedAuthorizerInRemote.org.apache.hadoop.hive.metastore.TestAuthzApiEmbedAuthorizerInRemote
org.apache.hadoop.hive.metastore.TestFilterHooks.org.apache.hadoop.hive.metastore.TestFilterHooks
org.apache.hadoop.hive.metastore.TestMetaStoreEndFunctionListener.testEndFunctionListener
org.apache.hadoop.hive.metastore.TestMetaStoreEventListenerOnlyOnCommit.testEventStatus
org.apache.hadoop.hive.metastore.TestMetaStoreInitListener.testMetaStoreInitListener
org.apache.hadoop.hive.metastore.TestMetaStoreMetrics.org.apache.hadoop.hive.metastore.TestMetaStoreMetrics
org.apache.hadoop.hive.metastore.TestPartitionNameWhitelistValidation.testAppendPartitionWithValidCharacters
org.apache.hadoop.hive.metastore.TestRetryingHMSHandler.testRetryingHMSHandler
org.apache.hadoop.hive.ql.security.TestClientSideAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestExtendedAcls.org.apache.hadoop.hive.ql.security.TestExtendedAcls
org.apache.hadoop.hive.ql.security.TestFolderPermissions.org.apache.hadoop.hive.ql.security.TestFolderPermissions
org.apache.hadoop.hive.ql.security.TestMetastoreAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestMultiAuthorizationPreEventListener.org.apache.hadoop.hive.ql.security.TestMultiAuthorizationPreEventListener
org.apache.hadoop.hive.ql.security.TestStorageBasedClientSideAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationDrops.testDropDatabase
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationDrops.testDropPartition
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationDrops.testDropTable
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationProviderWithACL.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadDbFailure
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadDbSuccess
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadTableFailure
org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testDelegationTokenSharedStore
org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testMetastoreProxyUser
org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testSaslWithHiveMetaStore
org.apache.hive.beeline.TestSchemaTool.testSchemaInit
org.apache.hive.hcatalog.api.repl.commands.TestCommands.org.apache.hive.hcatalog.api.repl.commands.TestCommands
org.apache.hive.hcatalog.listener.TestDbNotificationListener.dropTable
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testConnection
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testIsValid
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testIsValidNeg
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testNegativeProxyAuth
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testNegativeTokenAuth
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testProxyAuth
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.testTokenAuth
{noformat}

Test results: http://ec2-54-177-240-2.us-west-1.compute.amazonaws.com/job/PreCommit-HIVE-MASTER-Build/71/testReport
Console output: http://ec2-54-177-240-2.us-west-1.compute.amazonaws.com/job/PreCommit-HIVE-MASTER-Build/71/console
Test logs: http://ec2-50-18-27-0.us-west-1.compute.amazonaws.com/logs/PreCommit-HIVE-MASTER-Build-71/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 41 tests failed
{noformat}

This message is automatically generated.
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15255032#comment-15255032 ]

Sergey Shelukhin commented on HIVE-13447:

No, there's a separate (linked) JIRA for that
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15255018#comment-15255018 ]

Siddharth Seth commented on HIVE-13447:

Does this also cover the ZK path used by the ZKSecretManager?
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15253360#comment-15253360 ]

Prasanth Jayachandran commented on HIVE-13447:

Approach lgtm, +1
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15253359#comment-15253359 ]

Prasanth Jayachandran commented on HIVE-13447:

Use zooKeeperClient.usingNamespace(null).getACL()?
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15253170#comment-15253170 ]

Sergey Shelukhin commented on HIVE-13447:

Actually this probably won't work as is. The path returned is the full path, but the getACLs will namespace the path. Looks like we'd either need to unnamespace the path, or get our own ZK client.
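
Added example, not part of the thread and not the code in HIVE-13447.patch: a sketch of the kind of check the issue describes, reading the ACL of an absolute path through a Curator facade with no namespace, as suggested in the thread, and rejecting any entry that grants more than READ to anyone but the expected user. The class and method names, the "sasl" scheme with a bare "hive" id, and the choice to tolerate read-only entries are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

// Hypothetical class for illustration; not Hive's registry code.
public class RegistryAclCheck {

  /** Returns the entries that grant more than READ to an identity other than sasl:user. */
  static List<ACL> findTooPermissive(List<ACL> acls, String user) {
    List<ACL> bad = new ArrayList<>();
    for (ACL acl : acls) {
      Id id = acl.getId();
      // Assumption: the owner appears as scheme "sasl" with the short user name as id.
      boolean isOwner = "sasl".equals(id.getScheme()) && user.equals(id.getId());
      // WRITE, CREATE, DELETE and ADMIN all count as write access here.
      boolean readOnly = (acl.getPerms() & ~ZooDefs.Perms.READ) == 0;
      if (!isOwner && !readOnly) {
        bad.add(acl);
      }
    }
    return bad;
  }

  /** fullPath is absolute, so it must not be prefixed with the client's namespace again. */
  static void validate(CuratorFramework client, String fullPath, String user) throws Exception {
    List<ACL> acls = client.usingNamespace(null).getACL().forPath(fullPath);
    List<ACL> bad = findTooPermissive(acls, user);
    if (!bad.isEmpty()) {
      throw new SecurityException("ACLs on " + fullPath + " are too permissive: " + bad);
    }
  }

  public static void main(String[] args) {
    // Constructed sample ACL lists; this part needs no ZooKeeper connection.
    List<ACL> locked = Arrays.asList(
        new ACL(ZooDefs.Perms.ALL, new Id("sasl", "hive")),
        new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
    List<ACL> open = ZooDefs.Ids.OPEN_ACL_UNSAFE; // world:anyone with all permissions
    System.out.println("locked violations: " + findTooPermissive(locked, "hive"));
    System.out.println("open violations:   " + findTooPermissive(open, "hive"));
  }
}
```

On a Kerberized cluster the SASL id that ZooKeeper stores may carry a host or realm suffix depending on server settings, so the owner comparison has to match what the ensemble actually records.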
[jira] [Commented] (HIVE-13447) LLAP: check ZK acls for registry and fail if they are too permissive
[ https://issues.apache.org/jira/browse/HIVE-13447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15252875#comment-15252875 ]

Sergey Shelukhin commented on HIVE-13447:

[~prasanth_j] can you take a look?