[hive] branch master updated: HIVE-21866: LLAP status service driver may get stuck with wrong Yarn app ID (Adam Szita, reviewed by Marta Kuczoram)

2019-06-13 Thread szita
This is an automated email from the ASF dual-hosted git repository.

szita pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
 new 145aec9  HIVE-21866: LLAP status service driver may get stuck with 
wrong Yarn app ID (Adam Szita, reviewed by Marta Kuczoram)
145aec9 is described below

commit 145aec9dcd28461ace938f3e87236d2c0c805182
Author: Adam Szita 
AuthorDate: Wed Jun 12 18:13:00 2019 +0200

HIVE-21866: LLAP status service driver may get stuck with wrong Yarn app ID 
(Adam Szita, reviewed by Marta Kuczoram)
---
 .../hive/llap/cli/status/LlapStatusServiceDriver.java   | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git 
a/llap-server/src/java/org/apache/hadoop/hive/llap/cli/status/LlapStatusServiceDriver.java
 
b/llap-server/src/java/org/apache/hadoop/hive/llap/cli/status/LlapStatusServiceDriver.java
index bd48af1..5eb0306 100644
--- 
a/llap-server/src/java/org/apache/hadoop/hive/llap/cli/status/LlapStatusServiceDriver.java
+++ 
b/llap-server/src/java/org/apache/hadoop/hive/llap/cli/status/LlapStatusServiceDriver.java
@@ -45,6 +45,7 @@ import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ApplicationReport;
 import org.apache.hadoop.yarn.api.records.ContainerExitStatus;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.service.api.records.Container;
 import org.apache.hadoop.yarn.service.api.records.Service;
@@ -205,7 +206,7 @@ public class LlapStatusServiceDriver {
   // Get the App report from YARN
   ApplicationReport appReport;
   try {
-appReport = getAppReport(appName, serviceClient, 
cl.getFindAppTimeoutMs());
+appReport = getAppReport(appName, cl.getFindAppTimeoutMs());
   } catch (LlapStatusCliException e) {
 logError(e);
 return e.getExitCode();
@@ -252,7 +253,7 @@ public class LlapStatusServiceDriver {
 }
   }
 
-  private ApplicationReport getAppReport(String appName, ServiceClient 
serviceClient, long timeoutMs)
+  private ApplicationReport getAppReport(String appName, long timeoutMs)
   throws LlapStatusCliException {
 Clock clock = SystemClock.getInstance();
 long startTime = clock.getTime();
@@ -281,7 +282,13 @@ public class LlapStatusServiceDriver {
 break;
   }
 }
-  } catch (Exception e) { // No point separating IOException vs 
YarnException vs others
+  } catch (Exception e) {
+if (e instanceof ApplicationNotFoundException) {
+  //This might happen when serviceClient caches an appId from the past 
which is now not
+  // valid (i.e. Yarn RM restart). This will force re-creation of 
service client in the
+  // next check (if watch mode is on..) which effectively invalidates 
such cache.
+  serviceClient = null;
+}
 throw new LlapStatusCliException(ExitCode.YARN_ERROR, "Failed to get 
Yarn AppReport", e);
   }
 }
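Review bot: The new `ApplicationNotFoundException` branch discards the cached `serviceClient` by assigning `null` without stopping it first, so in watch mode each recovery from a stale app ID may leave the old client's resources open. Whether it is stopped elsewhere is not visible in this hunk. Consider stopping the old client (tolerating a failure of the stop itself) just before `serviceClient = null;`. The `instanceof` test inside `catch (Exception e)` would also read more clearly as a dedicated `catch (ApplicationNotFoundException e)` clause placed ahead of the generic one, and it only matches when the exception arrives unwrapped, which is worth confirming against how the client surfaces it. The enclosing `getAppReport` body starts and ends outside this hunk.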



[hive] branch master updated: HIVE-21783: Avoid authentication for connection from the same domain (Ashutosh Bapat reviewed by Olli Draese, Prasanth Jayachandran)

2019-06-13 Thread prasanthj
This is an automated email from the ASF dual-hosted git repository.

prasanthj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
 new 24313ab  HIVE-21783: Avoid authentication for connection from the same 
domain (Ashutosh Bapat reviewed by Olli Draese, Prasanth Jayachandran)
24313ab is described below

commit 24313ab962b2881317bdcb50e67e90d3da3a5cc2
Author: Prasanth Jayachandran 
AuthorDate: Thu Jun 13 01:36:39 2019 -0700

HIVE-21783: Avoid authentication for connection from the same domain 
(Ashutosh Bapat reviewed by Olli Draese, Prasanth Jayachandran)
---
 .../java/org/apache/hadoop/hive/conf/HiveConf.java |   8 +
 .../java/org/apache/hive/minikdc/MiniHiveKdc.java  |  23 ++-
 ...estImproperTrustDomainAuthenticationBinary.java |  28 +++
 .../TestImproperTrustDomainAuthenticationHttp.java |  28 +++
 .../auth/TestTrustDomainAuthenticationBinary.java  |  28 +++
 .../auth/TestTrustDomainAuthenticationHttp.java|  28 +++
 .../auth/TrustDomainAuthenticationTest.java| 192 +
 .../apache/hive/service/auth/HiveAuthFactory.java  |   5 +
 .../apache/hive/service/auth/PlainSaslHelper.java  |  54 ++
 .../hive/service/cli/thrift/ThriftHttpServlet.java |  53 --
 10 files changed, 422 insertions(+), 25 deletions(-)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 2cea174..03a8019 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3478,6 +3478,14 @@ public class HiveConf extends Configuration {
 "  (Use with property 
hive.server2.custom.authentication.class)\n" +
 "  PAM: Pluggable authentication module\n" +
 "  NOSASL:  Raw transport"),
+HIVE_SERVER2_TRUSTED_DOMAIN("hive.server2.trusted.domain", "",
+"Specifies the host or a domain to trust connections from. 
Authentication is skipped " +
+"for any connection coming from a host whose hostname ends with the 
value of this" +
+" property. If authentication is expected to be skipped for 
connections from " +
+"only a given host, fully qualified hostname of that host should be 
specified. By default" +
+" it is empty, which means that all the connections to HiveServer2 are 
authenticated. " +
+"When it is non-empty, the client has to provide a Hive user name. Any 
password, if " +
+"provided, will not be used when authentication is skipped."),
 
HIVE_SERVER2_ALLOW_USER_SUBSTITUTION("hive.server2.allow.user.substitution", 
true,
 "Allow alternate user to be specified as part of HiveServer2 open 
connection request."),
 
HIVE_SERVER2_KERBEROS_KEYTAB("hive.server2.authentication.kerberos.keytab", "",
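Review bot: The help text for `hive.server2.trusted.domain` says authentication is skipped when the client hostname "ends with" the value, but it does not tell operators what that implies. A plain suffix match on `example.com` would also match `notexample.com`, and the hostname presumably comes from a reverse lookup of the peer address (the lookup code is outside this hunk), so the setting is only as trustworthy as that DNS data. I would extend the description with something like `"Specify a domain with a leading '.' so unrelated hosts sharing the suffix do not match; enable this only where reverse DNS for client addresses is trusted. "` and say explicitly that the supplied user name is then accepted unverified. If the matching code does not already enforce a label boundary, that check belongs there as well, not only in the documentation.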
diff --git 
a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java 
b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
index 7d1192a..e604f90 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
@@ -36,6 +36,7 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hive.jdbc.miniHS2.MiniHS2;
 
 import com.google.common.io.Files;
+import org.apache.hive.service.server.HiveServer2;
 
 /**
  * Wrapper around Hadoop's MiniKdc for use in hive tests.
@@ -178,15 +179,21 @@ public class MiniHiveKdc {
   * @return new MiniHS2 instance
   * @throws Exception
   */
- public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf 
hiveConf,
+  public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf 
hiveConf,
  String authType) throws Exception {
-   String hivePrincipal =
-   
miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
-   String hiveKeytab = miniHiveKdc.getKeyTabFile(
-   
miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
-
-   return new MiniHS2.Builder().withConf(hiveConf).withMiniKdc(hivePrincipal, 
hiveKeytab).
-   withAuthenticationType(authType).build();
+String hivePrincipal =
+
miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+String hiveKeytab = miniHiveKdc.getKeyTabFile(
+
miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
+
+MiniHS2.Builder miniHS2Builder = new MiniHS2.Builder()
+  .withConf(hiveConf)
+  .withMiniKdc(hivePrincipal, 
hiveKeytab)
+  
.withAuthenticationType(authType);
+if (HiveServer2.isHTTPTransportMode(hiveConf)) {
+  miniHS2Builder.withHTTPTransport();
+}
+return miniHS2Builder.build();