CDH (READ-ONLY) / DISTRO-886

Hive does not respect auth_to_local rules. Backport for HIVE-12981

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: CDH 5.12.0
    • Fix Version/s: None
    • Component/s: Hive, Sentry
    • Environment:
      RHEL 7.5 - CDH 5.14.0

      Description

      I'm using the following auth_to_local rules:

      RULE:[1:$1@$0](.*@\QDOMAIN-B\E$)s///L
      RULE:[1:$1@$0](.*@\QDOMAIN-A\E$)s/@\QDOMAIN-A\E$///L
      RULE:[2:$1@$0](.*@\QDOMAIN-A\E$)s/@\QDOMAIN-A\E$//
      DEFAULT

      An example of how they work:

      Kerberos UPN            -> Hadoop ShortName
      -------------------------------------------
      userB@DOMAIN-B          -> userb@domain-b
      userA@DOMAIN-A          -> usera
      hdfs/hostname@DOMAIN-A  -> hdfs

      I've written these rules to mimic SSSD's behaviour (a system service that maps Active Directory users to local Linux accounts and is gaining a lot of traction in RHEL 7).

      My issue is that Hive does NOT respect the first rule: userB@DOMAIN-B is incorrectly mapped to userB instead of userb@domain-b. With this mapping the ShellBasedGroupMapping fails to resolve the correct groups and without the groups authorization in Sentry will not work.

      Here's a short example:

      $ klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: userB@DOMAIN-B

      $ beeline --color=true -u "jdbc:hive2://hs2hostname:10000/default;principal=hive/
      Transaction isolation: TRANSACTION_REPEATABLE_READ
      Beeline version 1.1.0-cdh5.14.0 by Apache Hive
      0: jdbc:hive2://hs2hostname> set hive.access.subject.name;
      ---------------------------------------+
      | set |
      ---------------------------------------+
      | hive.access.subject.name=userb |
      ---------------------------------------+
      1 row selected (0.093 seconds)
      0: jdbc:hive2://hs2hostname> set hive.sentry.subject.name;
      ---------------------------------------+
      | set |
      ---------------------------------------+
      | hive.sentry.subject.name=userb |
      ---------------------------------------+
      1 row selected (0.021 seconds)

      This also has some security implications: userA@DOMAIN-B is incorrectly mapped to usera - a different user!

      HDFS had the same issue which has been fixed in HADOOP-12751 (backported in CDH5.10+).
      With a little bit of googling I've found the following Hive issue HIVE-12981 that describes my issue exactly.

      Could you guys please backport the patch to CDH 5.x??
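To make the rule semantics in the report concrete, here is an added Python model of how Hadoop evaluates auth_to_local rules (example code written for this page, not Hive's or Hadoop's own implementation). It parses the four rules quoted above verbatim, maps the principals from the report's table, and contrasts that with a naive "drop everything from the first / or @" mapping that stands in for the behaviour the report describes in Hive. Two assumptions are made: the cluster's default realm is taken to be DOMAIN-A (the report does not say), and the `mechanism` argument models the `hadoop` / `MIT` values of `hadoop.security.auth_to_local.mechanism` introduced by HADOOP-12751, where the default `hadoop` setting rejects any mapped name that still contains '@' or '/'.

```python
import re

# Constructed input: the auth_to_local rules quoted in the report, verbatim.
RULES_TEXT = r"""
RULE:[1:$1@$0](.*@\QDOMAIN-B\E$)s///L
RULE:[1:$1@$0](.*@\QDOMAIN-A\E$)s/@\QDOMAIN-A\E$///L
RULE:[2:$1@$0](.*@\QDOMAIN-A\E$)s/@\QDOMAIN-A\E$//
DEFAULT
"""

# One rule is DEFAULT, or RULE:[n:format](match)s/from/to/[g], optionally followed by /L.
RULE_RE = re.compile(
    r"^(?:(?P<default>DEFAULT)"
    r"|RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>[^)]*)\))?"
    r"(?:s/(?P<from>[^/]*)/(?P<to>[^/]*)/(?P<g>g)?)?)"
    r"(?:/?(?P<lower>L))?$"
)
NON_SIMPLE = re.compile(r"[/@]")  # a "simple" Hadoop user name contains neither


class NoMatchingRule(Exception):
    """No rule produced a name, or the name was rejected as non-simple."""


def java_regex_to_python(pattern):
    """Rewrite Java's \\Q...\\E literal quoting (absent from Python's re) via re.escape."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)


def split_principal(principal):
    """'name[/instance]@REALM' -> (realm, [name, instance, ...])."""
    if "@" not in principal:
        raise ValueError("principal has no realm: " + principal)
    name, realm = principal.rsplit("@", 1)
    return realm, name.split("/")


class Rule:
    def __init__(self, text):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError("cannot parse rule: " + text)
        self.text = text.strip()
        self.is_default = m.group("default") is not None
        self.n = int(m.group("n")) if m.group("n") else None
        self.fmt = m.group("fmt")
        self.match = (re.compile(java_regex_to_python(m.group("match")))
                      if m.group("match") is not None else None)
        self.sub_from = (re.compile(java_regex_to_python(m.group("from")))
                         if m.group("from") is not None else None)
        # Java back-references are $1; Python's re wants \g<1>.
        self.sub_to = re.sub(r"\$(\d+)", r"\\g<\1>", m.group("to") or "")
        self.repeat = m.group("g") is not None
        self.lower = m.group("lower") is not None

    def apply(self, realm, components, default_realm, mechanism):
        """Return the mapped name, or None if this rule does not apply to the principal."""
        result = None
        if self.is_default:
            if realm == default_realm:       # DEFAULT only covers the cluster's own realm
                result = components[0]
        elif len(components) == self.n:      # [n:...] fires only for n-component principals
            params = [realm] + components    # $0 is the realm, $1.. are the components
            base = re.sub(r"\$(\d+)", lambda g: params[int(g.group(1))], self.fmt)
            if self.match is None or self.match.fullmatch(base):   # Java matches() == fullmatch
                if self.sub_from is None:
                    result = base
                else:
                    result = self.sub_from.sub(self.sub_to, base, count=0 if self.repeat else 1)
        # The non-simple check runs before lowercasing: under the default "hadoop" mechanism a
        # result still containing '/' or '@' is rejected, under "MIT" (HADOOP-12751) it is kept.
        if result is not None and mechanism != "MIT" and NON_SIMPLE.search(result):
            raise NoMatchingRule(f"non-simple name {result!r} after rule {self.text}")
        if result is not None and self.lower:
            result = result.lower()
        return result


def parse_rules(text):
    return [Rule(line) for line in text.splitlines() if line.strip()]


def to_short_name(principal, rules, default_realm, mechanism="hadoop"):
    """Walk the rules in order; the first one that yields a name wins."""
    realm, components = split_principal(principal)
    for rule in rules:
        result = rule.apply(realm, components, default_realm, mechanism)
        if result is not None:
            return result
    raise NoMatchingRule("no rule applied to " + principal)


def naive_short_name(principal):
    """Stand-in for the behaviour the report describes, not Hive's actual code:
    the rules are ignored and everything from the first '/' or '@' is dropped."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def mapping_table(principals, rules, default_realm, mechanism):
    """Rule-based mapping per principal, with rejections rendered as strings."""
    table = {}
    for p in principals:
        try:
            table[p] = to_short_name(p, rules, default_realm, mechanism)
        except NoMatchingRule as e:
            table[p] = "rejected: " + str(e)
    return table


RULES = parse_rules(RULES_TEXT)
DEFAULT_REALM = "DOMAIN-A"  # assumption: the cluster's own realm is not stated in the report
SAMPLE = ["userB@DOMAIN-B", "userA@DOMAIN-A", "hdfs/hostname@DOMAIN-A", "userA@DOMAIN-B"]

if __name__ == "__main__":
    for principal, name in mapping_table(SAMPLE, RULES, DEFAULT_REALM, "MIT").items():
        print(f"{principal:24} rules -> {name:16} naive -> {naive_short_name(principal)}")
```

Run as a script it prints the two mappings side by side; the row to look at is the last one, where the rules produce usera@domain-b for userA@DOMAIN-B while the naive mapping collapses it onto userA, indistinguishable from the DOMAIN-A user, which is the collision the report warns about. Note also that with the default hadoop mechanism the first rule is rejected outright rather than misapplied, so the report's rules only yield userb@domain-b where the MIT mechanism is available and enabled.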

            People

            • Assignee: Unassigned
            • Reporter: parnigot parnigot