spark-issues mailing list archives

From "Himangshu Borah (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SPARK-5159) Thrift server does not respect hive.server2.enable.doAs=true
Date Sat, 28 Jan 2017 13:54:25 GMT

    [ https://issues.apache.org/jira/browse/SPARK-5159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15844068#comment-15844068 ]

Himangshu Borah commented on SPARK-5159:
----------------------------------------

This issue is not resolved. Found the same in Spark 1.6.2. In a Kerberos environment, where
the spark-thrift and hiveServer2 processes are running through a user (user "hive" in my case),
any command executed through the thrift is getting executed by that user ("hive" in my case).
But we are trying to impersonate the request as another user "Buser", as the table used in
the query has access to "Buser" only.

How I am using -
beeline> !connect jdbc:hive2://<IP>:<port_for_thrift>/default;principal=hive/something.com@something.com;hive.server2.proxy.user=Buser;

And executing a select command on an existing table. The location for the table has permissions
like -
Buser:hdfs:drwx------     (700 permission for the owner only)

Getting response -
Error: org.apache.hadoop.hive.ql.metadata.HiveException: Unable to fetch table example_table.
org.apache.hadoop.security.AccessControlException: Permission denied: user=hive, access=EXECUTE,
inode="/apps/hive/warehouse/some.db/example_table":Buser:hdfs:drwx------
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:259)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:205)

But the same query executes fine if we use the hive-thrift.
The spark thrift is not respecting the property hive.server2.proxy.user=Buser; and is
trying to execute the query with the user owning the spark-thrift process.

> Thrift server does not respect hive.server2.enable.doAs=true
> ------------------------------------------------------------
>
>                 Key: SPARK-5159
>                 URL: https://issues.apache.org/jira/browse/SPARK-5159
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.2.0
>            Reporter: Andrew Ray
>         Attachments: spark_thrift_server_log.txt
>
>
> I'm currently testing the spark sql thrift server on a kerberos secured cluster in YARN
> mode. Currently any user can access any table regardless of HDFS permissions as all data is
> read as the hive user. In HiveServer2 the property hive.server2.enable.doAs=true causes all
> access to be done as the submitting user. We should do the same.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
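
Added example (not part of the original message or of Spark): a small Python check that compares the hive.server2.proxy.user requested in a beeline JDBC URL with the user named in the HDFS AccessControlException, to tell a denial caused by impersonation not being applied from an ordinary permission denial. The host, port and principal in SAMPLE_URL are constructed placeholders; the error text is the one quoted in the comment above.

```python
import re

# Matches the HDFS denial line format shown in the comment above.
DENIAL_RE = re.compile(
    r'Permission denied: user=(?P<user>[^,\s]+),\s*access=(?P<access>\w+),\s*'
    r'inode="(?P<path>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):(?P<mode>[-a-zA-Z]{10})'
)

def proxy_user_from_url(jdbc_url):
    """Return hive.server2.proxy.user from the session-variable list, or None."""
    session_part = re.split(r"[?#]", jdbc_url, maxsplit=1)[0]
    for part in session_part.split(";")[1:]:
        key, _, value = part.partition("=")
        if key.strip() == "hive.server2.proxy.user" and value.strip():
            return value.strip()
    return None

def classify_denial(jdbc_url, error_text):
    """Classify an HDFS denial relative to the proxy user the client asked for."""
    requested = proxy_user_from_url(jdbc_url)
    # Archived stack traces are often line-wrapped; collapse whitespace first.
    m = DENIAL_RE.search(" ".join(error_text.split()))
    if m is None:
        return {"verdict": "no-hdfs-denial", "requested": requested}
    result = dict(m.groupdict(), requested=requested)
    if requested is None:
        result["verdict"] = "no-proxy-user-requested"
    elif m["user"] == requested:
        # Access was attempted as the proxy user: a genuine permission issue.
        result["verdict"] = "denied-as-proxy-user"
    else:
        # Access was attempted as some other account (here the service user).
        result["verdict"] = "impersonation-not-applied"
    return result

# Constructed URL (placeholder host, port and principal).
SAMPLE_URL = ("jdbc:hive2://thrift.example.test:10000/default;"
              "principal=hive/host.example.test@EXAMPLE.TEST;"
              "hive.server2.proxy.user=Buser;")
# Error text as quoted in the comment, including its line wrap.
SAMPLE_ERROR = """org.apache.hadoop.security.AccessControlException: Permission denied: user=hive, access=EXECUTE,
inode="/apps/hive/warehouse/some.db/example_table":Buser:hdfs:drwx------"""

if __name__ == "__main__":
    print(classify_denial(SAMPLE_URL, SAMPLE_ERROR))
```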
