[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2
[ https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16063660#comment-16063660 ] Vaibhav Gumashta commented on HIVE-16905: - [~txhsj] Thanks a lot for the patch and the document. In your patch, it appears that you are improving the unsecure cluster case. The current model is as follows: in a secure cluster (with kerberos), the znode for HiveServer2 is created with the ACLs: Read permission to everyone (the JDBC client needs this) and Create/Delete/Write/Admin to the SASL authenticated HiveServer2 user. In an unsecure cluster, the znode for HiveServer2 is created with Read/Create/Delete/Write/Admin access to all users. I have a few questions: what are the other authentication modes you plan to support with this (can you give an example)? How will that affect the interaction between JDBC - ZooKeeper and HiveServer2 - ZooKeeper? Also, in ZooKeeperHiveClientHelper, you are reading the config from Server's HiveConf. However, on the remote JDBC client machine, we do not have access to the Server's hive-site.xml (we also don't want JDBC client to depend on HiveConf - typically any configuration needed on the client side are passed through the JDBC connection string and dealt with appropriately in the JDBC driver - for example check how we pass the ZooKeeper namespace for HiveServer2 via the connection string). > Add zookeeper ACL for hiveserver2 > - > > Key: HIVE-16905 > URL: https://issues.apache.org/jira/browse/HIVE-16905 > Project: Hive > Issue Type: New Feature >Affects Versions: 3.0.0 >Reporter: Saijin Huang >Assignee: Saijin Huang > Attachments: HIVE-16905.1.patch, HIVE ACL FOR HIVESERVER2.pdf > > > Add zookeeper ACL for hiveserver2 is necessary for hive to protect the znode > of hiveserver2 deleted by accident. > -- > case: > when i do beeline connections throught hive HA with zookeeper, i suddenly > find the beeline can not connect the hiveserve2.The reason of the problem is > that others delete the /hiveserver2 falsely which cause to the beeline > connection is failed and can not read the configs from zookeeper. > - > as a result of the acl of /hiveserver2, the acl is set to world:anyone:cdrwa > which meant to anyone easily delete the /hiveserver2 and znodes anytime.It is > unsafe and necessary to protect the znode /hiveserver2. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2
[ https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16059585#comment-16059585 ] Hive QA commented on HIVE-16905: Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12874089/HIVE%20ACL%20FOR%20HIVESERVER2.pdf {color:red}ERROR:{color} -1 due to build exiting with an error Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/5733/testReport Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/5733/console Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-5733/ Messages: {noformat} Executing org.apache.hive.ptest.execution.TestCheckPhase Executing org.apache.hive.ptest.execution.PrepPhase Tests exited with: NonZeroExitCodeException Command 'bash /data/hiveptest/working/scratch/source-prep.sh' failed with exit status 1 and output '+ date '+%Y-%m-%d %T.%3N' 2017-06-22 16:02:18.335 + [[ -n /usr/lib/jvm/java-8-openjdk-amd64 ]] + export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 + JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 + export PATH=/usr/lib/jvm/java-8-openjdk-amd64/bin/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + PATH=/usr/lib/jvm/java-8-openjdk-amd64/bin/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + export 'ANT_OPTS=-Xmx1g -XX:MaxPermSize=256m ' + ANT_OPTS='-Xmx1g -XX:MaxPermSize=256m ' + export 'MAVEN_OPTS=-Xmx1g ' + MAVEN_OPTS='-Xmx1g ' + cd /data/hiveptest/working/ + tee /data/hiveptest/logs/PreCommit-HIVE-Build-5733/source-prep.txt + [[ false == \t\r\u\e ]] + mkdir -p maven ivy + [[ git = \s\v\n ]] + [[ git = \g\i\t ]] + [[ -z master ]] + [[ -d apache-github-source-source ]] + [[ ! -d apache-github-source-source/.git ]] + [[ ! -d apache-github-source-source ]] + date '+%Y-%m-%d %T.%3N' 2017-06-22 16:02:18.338 + cd apache-github-source-source + git fetch origin >From https://github.com/apache/hive 71f52d8..7819cd3 master -> origin/master + git reset --hard HEAD HEAD is now at 71f52d8 HIVE-16875: Query against view with partitioned child on HoS fails with privilege exception. (Yongzhi Chen, reviewed by Aihua Xu) + git clean -f -d + git checkout master Already on 'master' Your branch is behind 'origin/master' by 1 commit, and can be fast-forwarded. (use "git pull" to update your local branch) + git reset --hard origin/master HEAD is now at 7819cd3 HIVE-16867: Extend shared scan optimizer to reuse computation from other operators (Jesus Camacho Rodriguez, reviewed by Ashutosh Chauhan) + git merge --ff-only origin/master Already up-to-date. + date '+%Y-%m-%d %T.%3N' 2017-06-22 16:02:21.598 + patchCommandPath=/data/hiveptest/working/scratch/smart-apply-patch.sh + patchFilePath=/data/hiveptest/working/scratch/build.patch + [[ -f /data/hiveptest/working/scratch/build.patch ]] + chmod +x /data/hiveptest/working/scratch/smart-apply-patch.sh + /data/hiveptest/working/scratch/smart-apply-patch.sh /data/hiveptest/working/scratch/build.patch patch: Only garbage was found in the patch input. patch: Only garbage was found in the patch input. patch: Only garbage was found in the patch input. fatal: unrecognized input The patch does not appear to apply with p0, p1, or p2 + exit 1 ' {noformat} This message is automatically generated. ATTACHMENT ID: 12874089 - PreCommit-HIVE-Build > Add zookeeper ACL for hiveserver2 > - > > Key: HIVE-16905 > URL: https://issues.apache.org/jira/browse/HIVE-16905 > Project: Hive > Issue Type: New Feature >Affects Versions: 3.0.0 >Reporter: Saijin Huang >Assignee: Saijin Huang > Attachments: HIVE-16905.1.patch, HIVE ACL FOR HIVESERVER2.pdf > > > Add zookeeper ACL for hiveserver2 is necessary for hive to protect the znode > of hiveserver2 deleted by accident. > -- > case: > when i do beeline connections throught hive HA with zookeeper, i suddenly > find the beeline can not connect the hiveserve2.The reason of the problem is > that others delete the /hiveserver2 falsely which cause to the beeline > connection is failed and can not read the configs from zookeeper. > - > as a result of the acl of /hiveserver2, the acl is set to world:anyone:cdrwa > which meant to anyone easily delete the /hiveserver2 and znodes anytime.It is > unsafe and necessary to protect the znode /hiveserver2. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2
[ https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16059453#comment-16059453 ] Saijin Huang commented on HIVE-16905: - the doc is updated. > Add zookeeper ACL for hiveserver2 > - > > Key: HIVE-16905 > URL: https://issues.apache.org/jira/browse/HIVE-16905 > Project: Hive > Issue Type: New Feature >Affects Versions: 3.0.0 >Reporter: Saijin Huang >Assignee: Saijin Huang > Attachments: HIVE-16905.1.patch, HIVE ACL FOR HIVESERVER2.pdf > > > Add zookeeper ACL for hiveserver2 is necessary for hive to protect the znode > of hiveserver2 deleted by accident. > -- > case: > when i do beeline connections throught hive HA with zookeeper, i suddenly > find the beeline can not connect the hiveserve2.The reason of the problem is > that others delete the /hiveserver2 falsely which cause to the beeline > connection is failed and can not read the configs from zookeeper. > - > as a result of the acl of /hiveserver2, the acl is set to world:anyone:cdrwa > which meant to anyone easily delete the /hiveserver2 and znodes anytime.It is > unsafe and necessary to protect the znode /hiveserver2. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2
[ https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16050042#comment-16050042 ] Thejas M Nair commented on HIVE-16905: -- [~txhsj] Do you have any use cases in mind where current defaults are not suitable ? > Add zookeeper ACL for hiveserver2 > - > > Key: HIVE-16905 > URL: https://issues.apache.org/jira/browse/HIVE-16905 > Project: Hive > Issue Type: New Feature >Affects Versions: 3.0.0 >Reporter: Saijin Huang >Assignee: Saijin Huang > Attachments: HIVE-16905.1.patch > > > Add zookeeper ACL for hiveserver2 -- This message was sent by Atlassian JIRA (v6.4.14#64029)