hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thejas M Nair (JIRA)" <>
Subject [jira] [Commented] (HIVE-11734) Hive Server2 not impersonating HDFS for CREATE TABLE/DATABASE with KERBEROS auth
Date Fri, 04 Sep 2015 16:13:45 GMT


Thejas M Nair commented on HIVE-11734:

Can you try starting hiveserver2 with embedded metastore ? 
hiveserver2 -hiveconf hive.metastore.uris=' ' ..

(For historical reasons, at hortonworks we have stuck to using metastore in embedded mode
with HS2 and our system tests are run in that mode.  I haven't seen this issue in that mode).

> Hive Server2 not impersonating HDFS for CREATE TABLE/DATABASE with KERBEROS auth
> --------------------------------------------------------------------------------
>                 Key: HIVE-11734
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 1.1.1
>            Reporter: Jakub Pastuszek
> My configuration is as follows:
> {code}
> hive-site.xml:
> hive.server2.enable.doAs=true
> hive.metastore.execute.setugi=true
> hive.metastore.sasl.enabled=true
> hive.server2.authentication=KERBEROS
> hive.server2.thrift.sasl.qop=auth-conf
> hive.warehouse.subdir.inherit.perms=false
> ...
> hdfs-site.xml:
> dfs.block.access.token.enable=true
> fs.permissions.umask-mode=027
> ...
> core-site.xml:
> hadoop.proxyuser.hive.hosts=localhost,master
> hadoop.proxyuser.hive.groups=*
> ...
> {code}
> When I create a database or a table using Kerberos authorised (kinit) user account and
beeline (shell) the HDFS directories created by Hive are owned by 'hive' user and group is
same as for parent directory ('data' in my case) ('hive' user does not even belong to that
group at all but it is in supergroup).
> Now when I try to load the data (or do any other map-reduce) the table files end up owned
as the kinit'ed user and the actual user running Yarn container is the kinit'ed user (not
> This is causing a permission issues when I run queries that do map-reduce since I don't
own the database and table directories.
> Also this allows anybody to drop my database/table since this operation is performed
as 'hive' user which is in the supergroup.
> What I want to get is DDL queries to use kinit'ed user when accessing HDFS so database/table
directories end up being owned as that user.
> Is this a bug or configuration problem? 
> Also the group should be users primary group (inherit.perms=false) and not group of the
parent directory. This way I can use owner/group authorisation on HDFS to grant/restrict access
using groups.
> As it stands it is serious security issue and also renders the whole doAs/impersonation
system useless for me.
> Also see my question on Serverfault:
> Versions:
> {code}
> hadoop-0.20-mapreduce-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-client-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-hdfs-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-hdfs-namenode-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-mapreduce-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-mapreduce-historyserver-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-yarn-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hadoop-yarn-resourcemanager-2.6.0+cdh5.4.4+597-1.cdh5.4.4.p0.6.el6.x86_64
> hive-1.1.0+cdh5.4.4+157-1.cdh5.4.4.p0.6.el6.noarch
> hive-jdbc-1.1.0+cdh5.4.4+157-1.cdh5.4.4.p0.6.el6.noarch
> hive-metastore-1.1.0+cdh5.4.4+157-1.cdh5.4.4.p0.6.el6.noarch
> hive-server2-1.1.0+cdh5.4.4+157-1.cdh5.4.4.p0.6.el6.noarch
> {code}

This message was sent by Atlassian JIRA

View raw message