[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2

2017-06-26 Thread Vaibhav Gumashta (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16063660#comment-16063660
 ] 

Vaibhav Gumashta commented on HIVE-16905:
-

[~txhsj] Thanks a lot for the patch and the document. 

In your patch, it appears that you are improving the unsecure cluster case. The 
current model is as follows: in a secure cluster (with Kerberos), the znode for 
HiveServer2 is created with the ACLs: Read permission to everyone (the JDBC 
client needs this) and Create/Delete/Write/Admin to the SASL authenticated 
HiveServer2 user. In an unsecure cluster, the znode for HiveServer2 is created 
with Read/Create/Delete/Write/Admin access to all users. 

I have a few questions: what are the other authentication modes you plan to 
support with this (can you give an example)? How will that affect the 
interaction between JDBC - ZooKeeper and HiveServer2 - ZooKeeper? Also, in 
ZooKeeperHiveClientHelper, you are reading the config from the Server's HiveConf. 
However, on the remote JDBC client machine, we do not have access to the 
Server's hive-site.xml (we also don't want the JDBC client to depend on HiveConf - 
typically any configuration needed on the client side is passed through the 
JDBC connection string and dealt with appropriately in the JDBC driver - for 
example, check how we pass the ZooKeeper namespace for HiveServer2 via the 
connection string). 

> Add zookeeper ACL for hiveserver2
> -
>
> Key: HIVE-16905
> URL: https://issues.apache.org/jira/browse/HIVE-16905
> Project: Hive
> Issue Type: New Feature
> Affects Versions: 3.0.0
> Reporter: Saijin Huang
> Assignee: Saijin Huang
> Attachments: HIVE-16905.1.patch, HIVE ACL FOR HIVESERVER2.pdf
>
>
> Adding a ZooKeeper ACL for hiveserver2 is necessary for Hive to protect the 
> znode of hiveserver2 from being deleted by accident.
> --
> case:
> When I make beeline connections through Hive HA with ZooKeeper, I suddenly 
> find that beeline cannot connect to hiveserver2. The reason for the problem is 
> that others deleted /hiveserver2 by mistake, which causes the beeline 
> connection to fail and be unable to read the configs from ZooKeeper.
> -
> As for the ACL of /hiveserver2, it is set to world:anyone:cdrwa, 
> which means anyone can easily delete /hiveserver2 and znodes at any time. It is 
> unsafe, and it is necessary to protect the znode /hiveserver2.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
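
The two ACL models described in the comment above can be checked mechanically. The following is an added example, not code from the Hive project or from HIVE-16905.1.patch: it parses a znode ACL in either compact `scheme:id:perms` form or the two-line form printed by `zkCli.sh getAcl`, and reports which model it matches. The SASL identity `hive` and both sample ACLs are constructed assumptions.

```python
import re

PERMS = "cdrwa"  # create, delete, read, write, admin

def parse_acls(text):
    """Return [(scheme, id, perms)] from compact 'scheme:id:perms[,...]' text
    or from zkCli getAcl output ('scheme,'id followed by ': perms')."""
    entries, pending = [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        quoted = re.fullmatch(r"'([^,]+),'(.*)", line)
        if quoted:
            pending = quoted.groups()
            continue
        if line.startswith(":") and pending:
            items, pending = [(*pending, line[1:].strip())], None
        else:
            # digest ids contain ':' (user:hash), so take perms from the right
            items = []
            for item in line.split(","):
                head, perms = item.strip().rsplit(":", 1)
                items.append((*head.split(":", 1), perms))
        for scheme, ident, perms in items:
            if not perms or set(perms) - set(PERMS):
                raise ValueError(f"bad permission string: {perms!r}")
            entries.append((scheme, ident, frozenset(perms)))
    return entries

def _world(entries):
    """Union of everything granted to world:anyone."""
    return frozenset().union(*(p for s, i, p in entries if (s, i) == ("world", "anyone")))

def world_mutating_perms(entries):
    """Permissions beyond read that every client holds, in cdrwa order."""
    return "".join(c for c in PERMS if c in _world(entries) and c != "r")

def classify(entries):
    """Map an ACL onto the two models described in the comment."""
    world = _world(entries)
    if world == set(PERMS):
        return "open"      # unsecure-cluster model: anyone may delete the znode
    sasl_owner = any(s == "sasl" and p >= set("cdwa") for s, i, p in entries)
    if world == {"r"} and sasl_owner:
        return "kerberos"  # read for JDBC clients, cdwa for the HiveServer2 user
    return "other"

# Constructed samples (not captured from a real cluster); 'hive' is an assumed identity.
SECURE_GETACL = "'world,'anyone\n: r\n'sasl,'hive\n: cdrwa\n"
OPEN_COMPACT = "world:anyone:cdrwa"

if __name__ == "__main__":
    for sample in (SECURE_GETACL, OPEN_COMPACT):
        acl = parse_acls(sample)
        print(classify(acl), repr(world_mutating_perms(acl)))
```

A non-empty result from `world_mutating_perms` on `/hiveserver2` is the condition the reporter describes: any client can delete or rewrite the discovery znode.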


[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2

2017-06-22 Thread Hive QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16059585#comment-16059585
 ] 

Hive QA commented on HIVE-16905:




Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12874089/HIVE%20ACL%20FOR%20HIVESERVER2.pdf

{color:red}ERROR:{color} -1 due to build exiting with an error

Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/5733/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/5733/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-5733/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Tests exited with: NonZeroExitCodeException
Command 'bash /data/hiveptest/working/scratch/source-prep.sh' failed with exit status 1 and output '+ date '+%Y-%m-%d %T.%3N'
2017-06-22 16:02:18.335
+ [[ -n /usr/lib/jvm/java-8-openjdk-amd64 ]]
+ export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
+ JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
+ export PATH=/usr/lib/jvm/java-8-openjdk-amd64/bin/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+ PATH=/usr/lib/jvm/java-8-openjdk-amd64/bin/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+ export 'ANT_OPTS=-Xmx1g -XX:MaxPermSize=256m '
+ ANT_OPTS='-Xmx1g -XX:MaxPermSize=256m '
+ export 'MAVEN_OPTS=-Xmx1g '
+ MAVEN_OPTS='-Xmx1g '
+ cd /data/hiveptest/working/
+ tee /data/hiveptest/logs/PreCommit-HIVE-Build-5733/source-prep.txt
+ [[ false == \t\r\u\e ]]
+ mkdir -p maven ivy
+ [[ git = \s\v\n ]]
+ [[ git = \g\i\t ]]
+ [[ -z master ]]
+ [[ -d apache-github-source-source ]]
+ [[ ! -d apache-github-source-source/.git ]]
+ [[ ! -d apache-github-source-source ]]
+ date '+%Y-%m-%d %T.%3N'
2017-06-22 16:02:18.338
+ cd apache-github-source-source
+ git fetch origin
From https://github.com/apache/hive
   71f52d8..7819cd3  master -> origin/master
+ git reset --hard HEAD
HEAD is now at 71f52d8 HIVE-16875: Query against view with partitioned child on HoS fails with privilege exception. (Yongzhi Chen, reviewed by Aihua Xu)
+ git clean -f -d
+ git checkout master
Already on 'master'
Your branch is behind 'origin/master' by 1 commit, and can be fast-forwarded.
  (use "git pull" to update your local branch)
+ git reset --hard origin/master
HEAD is now at 7819cd3 HIVE-16867: Extend shared scan optimizer to reuse computation from other operators (Jesus Camacho Rodriguez, reviewed by Ashutosh Chauhan)
+ git merge --ff-only origin/master
Already up-to-date.
+ date '+%Y-%m-%d %T.%3N'
2017-06-22 16:02:21.598
+ patchCommandPath=/data/hiveptest/working/scratch/smart-apply-patch.sh
+ patchFilePath=/data/hiveptest/working/scratch/build.patch
+ [[ -f /data/hiveptest/working/scratch/build.patch ]]
+ chmod +x /data/hiveptest/working/scratch/smart-apply-patch.sh
+ /data/hiveptest/working/scratch/smart-apply-patch.sh /data/hiveptest/working/scratch/build.patch
patch:  Only garbage was found in the patch input.
patch:  Only garbage was found in the patch input.
patch:  Only garbage was found in the patch input.
fatal: unrecognized input
The patch does not appear to apply with p0, p1, or p2
+ exit 1
'
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12874089 - PreCommit-HIVE-Build



[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2

2017-06-22 Thread Saijin Huang (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16059453#comment-16059453
 ] 

Saijin Huang commented on HIVE-16905:
-

The doc is updated.



[jira] [Commented] (HIVE-16905) Add zookeeper ACL for hiveserver2

2017-06-15 Thread Thejas M Nair (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16050042#comment-16050042
 ] 

Thejas M Nair commented on HIVE-16905:
--

[~txhsj]
Do you have any use cases in mind where current defaults are not suitable?


> Add zookeeper ACL for hiveserver2
> -
>
> Key: HIVE-16905
> URL: https://issues.apache.org/jira/browse/HIVE-16905
> Project: Hive
> Issue Type: New Feature
> Affects Versions: 3.0.0
> Reporter: Saijin Huang
> Assignee: Saijin Huang
> Attachments: HIVE-16905.1.patch
>
>
> Add zookeeper ACL for hiveserver2


