[jira] [Commented] (HIVE-12752) Change the schema version to 2.1.0
[ https://issues.apache.org/jira/browse/HIVE-12752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15072576#comment-15072576 ] Prasad Mujumdar commented on HIVE-12752: I believe you need to change the hive.version.shortname property in the top level pom as well. > Change the schema version to 2.1.0 > --- > > Key: HIVE-12752 > URL: https://issues.apache.org/jira/browse/HIVE-12752 > Project: Hive > Issue Type: Bug > Components: Metastore >Reporter: Shinichi Yamashita >Assignee: Shinichi Yamashita >Priority: Minor > Attachments: HIVE-12752.1.patch > > > When I saw hive-schema-2.1.0.postgres.sql, I confirmed that "SCHEMA_VERSION" > and "VERSION_COMMENT" were 2.0.0. > I change each value to 2.1.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11613) schematool should return non zero exit status for info command, if state is inconsistent
[ https://issues.apache.org/jira/browse/HIVE-11613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14706377#comment-14706377 ] Prasad Mujumdar commented on HIVE-11613: +1 for both patches schematool should return non zero exit status for info command, if state is inconsistent Key: HIVE-11613 URL: https://issues.apache.org/jira/browse/HIVE-11613 Project: Hive Issue Type: Bug Components: Metastore Affects Versions: 1.0.0, 1.1.1, 1.2.1 Reporter: Thejas M Nair Assignee: Thejas M Nair Attachments: HIVE-11613-1.0.patch, HIVE-11613.1.patch schematool -info just prints the version information, but it is not easy to consume the validity of the state from a tool as the exit code is 0 even if the schema version has mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-9625) Delegation tokens for HMS are not renewed
[ https://issues.apache.org/jira/browse/HIVE-9625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14601725#comment-14601725 ] Prasad Mujumdar commented on HIVE-9625: --- Thanks [~xuefuz] for rebasing the patch! +1 for both master and branch-1 patches. Delegation tokens for HMS are not renewed - Key: HIVE-9625 URL: https://issues.apache.org/jira/browse/HIVE-9625 Project: Hive Issue Type: Bug Components: HiveServer2 Reporter: Brock Noland Assignee: Brock Noland Attachments: HIVE-9625-branch-1.patch, HIVE-9625.1.patch, HIVE-9625.1.patch AFAICT the delegation tokens stored in [HiveSessionImplwithUGI |https://github.com/apache/hive/blob/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java#L45] for HMS + Impersonation are never renewed. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10875) Select query with view in subquery adds underlying table as direct input
[ https://issues.apache.org/jira/browse/HIVE-10875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14568199#comment-14568199 ] Prasad Mujumdar commented on HIVE-10875: [~thejas] Thanks for catching the issue and patch. Looks fine to me. Select query with view in subquery adds underlying table as direct input Key: HIVE-10875 URL: https://issues.apache.org/jira/browse/HIVE-10875 Project: Hive Issue Type: Bug Reporter: Thejas M Nair Assignee: Thejas M Nair Fix For: 1.2.1 Attachments: HIVE-10875.1.patch, HIVE-10875.2.patch In the following case, {code} create view V as select * from T; select * from (select * from V) A; {code} The semantic analyzer inputs contain input table T as a direct input instead of adding it as an indirect input. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-10098) HS2 local task for map join fails in KMS encrypted cluster
[ https://issues.apache.org/jira/browse/HIVE-10098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14393557#comment-14393557 ] Prasad Mujumdar commented on HIVE-10098: +1 pending test run HS2 local task for map join fails in KMS encrypted cluster -- Key: HIVE-10098 URL: https://issues.apache.org/jira/browse/HIVE-10098 Project: Hive Issue Type: Bug Reporter: Yongzhi Chen Assignee: Yongzhi Chen Attachments: HIVE-10098.1.patch, HIVE-10098.2.patch Env: KMS was enabled after cluster was kerberos secured. Problem: PROBLEM: Any Hive query via beeline that performs a MapJoin fails with a java.lang.reflect.UndeclaredThrowableException from KMSClientProvider.addDelegationTokens. {code} 2015-03-18 08:49:17,948 INFO [main]: Configuration.deprecation (Configuration.java:warnOnceIfDeprecated(1022)) - mapred.input.dir is deprecated. Instead, use mapreduce.input.fileinputformat.inputdir 2015-03-18 08:49:19,048 WARN [main]: security.UserGroupInformation (UserGroupInformation.java:doAs(1645)) - PriviledgedActionException as:hive (auth:KERBEROS) cause:org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 2015-03-18 08:49:19,050 ERROR [main]: mr.MapredLocalTask (MapredLocalTask.java:executeFromChildJVM(314)) - Hive Runtime Error: Map local work failed java.io.IOException: java.io.IOException: java.lang.reflect.UndeclaredThrowableException at org.apache.hadoop.hive.ql.exec.FetchOperator.getNextRow(FetchOperator.java:634) at org.apache.hadoop.hive.ql.exec.mr.MapredLocalTask.startForward(MapredLocalTask.java:363) at org.apache.hadoop.hive.ql.exec.mr.MapredLocalTask.startForward(MapredLocalTask.java:337) at org.apache.hadoop.hive.ql.exec.mr.MapredLocalTask.executeFromChildJVM(MapredLocalTask.java:303) at org.apache.hadoop.hive.ql.exec.mr.ExecDriver.main(ExecDriver.java:735) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.hadoop.util.RunJar.main(RunJar.java:212) Caused by: java.io.IOException: java.lang.reflect.UndeclaredThrowableException at org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(KMSClientProvider.java:826) at org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.addDelegationTokens(KeyProviderDelegationTokenExtension.java:86) at org.apache.hadoop.hdfs.DistributedFileSystem.addDelegationTokens(DistributedFileSystem.java:2017) at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:121) at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:100) at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodes(TokenCache.java:80) at org.apache.hadoop.mapred.FileInputFormat.listStatus(FileInputFormat.java:205) at org.apache.hadoop.mapred.FileInputFormat.getSplits(FileInputFormat.java:313) at org.apache.hadoop.hive.ql.exec.FetchOperator.getRecordReader(FetchOperator.java:413) at org.apache.hadoop.hive.ql.exec.FetchOperator.getNextRow(FetchOperator.java:559) ... 9 more Caused by: java.lang.reflect.UndeclaredThrowableException at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1655) at org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(KMSClientProvider.java:808) ... 18 more Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196) at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:127) {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HIVE-9828) Semantic analyzer does not capture view parent entity for tables referred in view with union all
[ https://issues.apache.org/jira/browse/HIVE-9828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Prasad Mujumdar updated HIVE-9828: -- Attachment: HIVE-9828.2.patch Rebased with latest on trunk Semantic analyzer does not capture view parent entity for tables referred in view with union all - Key: HIVE-9828 URL: https://issues.apache.org/jira/browse/HIVE-9828 Project: Hive Issue Type: Bug Components: Parser Affects Versions: 1.1.0 Reporter: Prasad Mujumdar Assignee: Prasad Mujumdar Fix For: 1.2.0 Attachments: HIVE-9828.1-npf.patch, HIVE-9828.1-npf.patch, HIVE-9828.2.patch Hive compiler adds tables used in a view definition in the input entity list, with the view as parent entity for the table. In case of a view with union all query, this is not being done property. For example, {noformat} create view view1 as select t.id from (select tab1.id from db.tab1 union all select tab2.id from db.tab2 ) t; {noformat} This query will capture tab1 and tab2 as read entity without view1 as parent. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password
[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14369942#comment-14369942 ] Prasad Mujumdar commented on HIVE-9934: --- Hive's SaslPlainServer actually throws an exception for empty or null password. When Hadoop implemented it's own plain Sasl server, we are potentially exposed to this LDAP vulnerability. The sasl service registration happens via static code block and hence we can't guarantee which Sasl server will be used. Anycase, since this is LDAP specific behavior, it's better to guard it in LDAP provider rather than depending on the underlying Sasl implementation. Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password -- Key: HIVE-9934 URL: https://issues.apache.org/jira/browse/HIVE-9934 Project: Hive Issue Type: Bug Components: Security Affects Versions: 1.1.0 Reporter: Chao Assignee: Chao Fix For: 1.2.0 Attachments: HIVE-9934.1.patch, HIVE-9934.2.patch, HIVE-9934.3.patch, HIVE-9934.3.patch Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password. See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html “If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be none. This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to none if a password is not supplied.” Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a NamingException being thrown during creation of initial context, it does not fail when the context result is an “unauthenticated” positive response from the LDAP server. The end result is, one can authenticate with HiveServer2 using the LdapAuthenticationProviderImpl with only a user name and an empty password. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (HIVE-9828) Semantic analyzer does not capture view parent entity for tables referred in view with union all
[ https://issues.apache.org/jira/browse/HIVE-9828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Prasad Mujumdar reassigned HIVE-9828: - Assignee: Prasad Mujumdar Semantic analyzer does not capture view parent entity for tables referred in view with union all - Key: HIVE-9828 URL: https://issues.apache.org/jira/browse/HIVE-9828 Project: Hive Issue Type: Bug Components: Parser Affects Versions: 1.1.0 Reporter: Prasad Mujumdar Assignee: Prasad Mujumdar Fix For: 1.2.0 Attachments: HIVE-9828.1-npf.patch, HIVE-9828.1-npf.patch Hive compiler adds tables used in a view definition in the input entity list, with the view as parent entity for the table. In case of a view with union all query, this is not being done property. For example, {noformat} create view view1 as select t.id from (select tab1.id from db.tab1 union all select tab2.id from db.tab2 ) t; {noformat} This query will capture tab1 and tab2 as read entity without view1 as parent. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HIVE-9828) Semantic analyzer does not capture view parent entity for tables referred in view with union all
[ https://issues.apache.org/jira/browse/HIVE-9828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Prasad Mujumdar updated HIVE-9828: -- Attachment: HIVE-9828.1-npf.patch Reattaching for pre-commit run Semantic analyzer does not capture view parent entity for tables referred in view with union all - Key: HIVE-9828 URL: https://issues.apache.org/jira/browse/HIVE-9828 Project: Hive Issue Type: Bug Components: Parser Affects Versions: 1.1.0 Reporter: Prasad Mujumdar Fix For: 1.2.0 Attachments: HIVE-9828.1-npf.patch, HIVE-9828.1-npf.patch Hive compiler adds tables used in a view definition in the input entity list, with the view as parent entity for the table. In case of a view with union all query, this is not being done property. For example, {noformat} create view view1 as select t.id from (select tab1.id from db.tab1 union all select tab2.id from db.tab2 ) t; {noformat} This query will capture tab1 and tab2 as read entity without view1 as parent. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password
[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14365839#comment-14365839 ] Prasad Mujumdar commented on HIVE-9934: --- That's fine. The test did get run in the pre-commit run for patch #3. sorry about the noise. +1 Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password -- Key: HIVE-9934 URL: https://issues.apache.org/jira/browse/HIVE-9934 Project: Hive Issue Type: Bug Components: Security Affects Versions: 1.1.0 Reporter: Chao Assignee: Chao Attachments: HIVE-9934.1.patch, HIVE-9934.2.patch, HIVE-9934.3.patch, HIVE-9934.3.patch Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password. See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html “If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be none. This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to none if a password is not supplied.” Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a NamingException being thrown during creation of initial context, it does not fail when the context result is an “unauthenticated” positive response from the LDAP server. The end result is, one can authenticate with HiveServer2 using the LdapAuthenticationProviderImpl with only a user name and an empty password. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HIVE-9828) Semantic analyzer does not capture view parent entity for tables referred in view with union all
[ https://issues.apache.org/jira/browse/HIVE-9828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Prasad Mujumdar updated HIVE-9828: -- Attachment: HIVE-9828.1-npf.patch Semantic analyzer does not capture view parent entity for tables referred in view with union all - Key: HIVE-9828 URL: https://issues.apache.org/jira/browse/HIVE-9828 Project: Hive Issue Type: Bug Components: Parser Affects Versions: 1.1.0 Reporter: Prasad Mujumdar Attachments: HIVE-9828.1-npf.patch Hive compiler adds tables used in a view definition in the input entity list, with the view as parent entity for the table. In case of a view with union all query, this is not being done property. For example, {noformat} create view view1 as select t.id from (select tab1.id from db.tab1 union all select tab2.id from db.tab2 ) t; {noformat} This query will capture tab1 and tab2 as read entity without view1 as parent. -- This message was sent by Atlassian JIRA (v6.3.4#6332)