Skip to content

A
atlas
Commit ed4ae0e3 by Suma Shivaprasad
Options

ATLAS-1364 HiveHook : Fix Auth issue with doAs (sumasai)

parent 765ce51c
Showing with 48 additions and 14 deletions
addons/hive-bridge/src/main/java/org/apache/atlas/hive/hook/HiveHook.java
...@@ -36,9 +36,6 @@ import org.apache.hadoop.hive.conf.HiveConf; ...@@ -36,9 +36,6 @@ import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.TableType; import org.apache.hadoop.hive.metastore.TableType;
import org.apache.hadoop.hive.metastore.api.Database; import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.ql.QueryPlan;
import org.apache.hadoop.hive.ql.exec.ExplainTask;
import org.apache.hadoop.hive.ql.exec.Task;
import org.apache.hadoop.hive.ql.hooks.*; import org.apache.hadoop.hive.ql.hooks.*;
import org.apache.hadoop.hive.ql.hooks.Entity; import org.apache.hadoop.hive.ql.hooks.Entity;
import org.apache.hadoop.hive.ql.hooks.Entity.Type; import org.apache.hadoop.hive.ql.hooks.Entity.Type;
...@@ -50,6 +47,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException; ...@@ -50,6 +47,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.Partition;
import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.metadata.Table;
import org.apache.hadoop.hive.ql.plan.HiveOperation; import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.hadoop.hive.shims.Utils;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.ShutdownHookManager; import org.apache.hadoop.util.ShutdownHookManager;
import org.json.JSONObject; import org.json.JSONObject;
...@@ -59,6 +57,7 @@ import org.slf4j.LoggerFactory; ...@@ -59,6 +57,7 @@ import org.slf4j.LoggerFactory;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URI; import java.net.URI;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Comparator; import java.util.Comparator;
import java.util.Date; import java.util.Date;
...@@ -73,6 +72,7 @@ import java.util.SortedMap; ...@@ -73,6 +72,7 @@ import java.util.SortedMap;
import java.util.SortedSet; import java.util.SortedSet;
import java.util.TreeMap; import java.util.TreeMap;
import java.util.TreeSet; import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
import java.util.concurrent.LinkedBlockingQueue; import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor; import java.util.concurrent.ThreadPoolExecutor;
...@@ -170,14 +170,14 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { ...@@ -170,14 +170,14 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext {
public void run(final HookContext hookContext) throws Exception { public void run(final HookContext hookContext) throws Exception {
// clone to avoid concurrent access // clone to avoid concurrent access
try { try {
final HiveConf conf = new HiveConf(hookContext.getConf());
final HiveEventContext event = new HiveEventContext(); final HiveEventContext event = new HiveEventContext();
event.setInputs(hookContext.getInputs()); event.setInputs(hookContext.getInputs());
event.setOutputs(hookContext.getOutputs()); event.setOutputs(hookContext.getOutputs());
event.setHookType(hookContext.getHookType()); event.setHookType(hookContext.getHookType());
event.setUgi(hookContext.getUgi());
event.setUser(getUser(hookContext.getUserName())); final UserGroupInformation ugi = hookContext.getUgi() == null ? Utils.getUGI() : hookContext.getUgi();
event.setUgi(ugi);
event.setUser(getUser(hookContext.getUserName(), hookContext.getUgi()));
event.setOperation(OPERATION_MAP.get(hookContext.getOperationName())); event.setOperation(OPERATION_MAP.get(hookContext.getOperationName()));
event.setQueryId(hookContext.getQueryPlan().getQueryId()); event.setQueryId(hookContext.getQueryPlan().getQueryId());
event.setQueryStr(hookContext.getQueryPlan().getQueryStr()); event.setQueryStr(hookContext.getQueryPlan().getQueryStr());
...@@ -186,13 +186,31 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { ...@@ -186,13 +186,31 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext {
event.setLineageInfo(hookContext.getLinfo()); event.setLineageInfo(hookContext.getLinfo());
if (executor == null) { if (executor == null) {
fireAndForget(event); collect(event);
notifyAsPrivilegedAction(event);
} else { } else {
executor.submit(new Runnable() { executor.submit(new Runnable() {
@Override @Override
public void run() { public void run() {
try { try {
fireAndForget(event); ugi.doAs(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
collect(event);
return event;
}
});
//Notify as 'hive' service user in Kerberos mode else will default to the current user - doAs mode
UserGroupInformation realUser = ugi.getRealUser();
if (realUser != null) {
LOG.info("Sending notification for event {} as service user {} ", event.getOperation(), realUser.getShortUserName());
realUser.doAs(notifyAsPrivilegedAction(event));
} else {
//Unsecure or without doAs
LOG.info("Sending notification for event {} as current user {} ", event.getOperation(), ugi.getShortUserName());
ugi.doAs(notifyAsPrivilegedAction(event));
}
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("Atlas hook failed due to error ", e); LOG.error("Atlas hook failed due to error ", e);
} }
...@@ -204,11 +222,21 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { ...@@ -204,11 +222,21 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext {
} }
} }
private void fireAndForget(HiveEventContext event) throws Exception { PrivilegedExceptionAction<Object> notifyAsPrivilegedAction(final HiveEventContext event) {
return new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
notifyEntities(event.getMessages());
return event;
}
};
}
private void collect(HiveEventContext event) throws Exception {
assert event.getHookType() == HookContext.HookType.POST_EXEC_HOOK : "Non-POST_EXEC_HOOK not supported!"; assert event.getHookType() == HookContext.HookType.POST_EXEC_HOOK : "Non-POST_EXEC_HOOK not supported!";
LOG.info("Entered Atlas hook for hook type {} operation {}", event.getHookType(), event.getOperation()); LOG.info("Entered Atlas hook for hook type {}, operation {} , user {} as {}", event.getHookType(), event.getOperation(), event.getUgi().getRealUser(), event.getUgi().getShortUserName());
HiveMetaStoreBridge dgiBridge = new HiveMetaStoreBridge(atlasProperties, hiveConf); HiveMetaStoreBridge dgiBridge = new HiveMetaStoreBridge(atlasProperties, hiveConf);
...@@ -280,8 +308,6 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext { ...@@ -280,8 +308,6 @@ public class HiveHook extends AtlasHook implements ExecuteWithHookContext {
default: default:
} }
notifyEntities(event.getMessages());
} }
private void deleteTable(HiveMetaStoreBridge dgiBridge, HiveEventContext event) { private void deleteTable(HiveMetaStoreBridge dgiBridge, HiveEventContext event) {
......
notification/src/main/java/org/apache/atlas/hook/AtlasHook.java
...@@ -189,18 +189,25 @@ public abstract class AtlasHook { ...@@ -189,18 +189,25 @@ public abstract class AtlasHook {
public static String getUser(String userName, UserGroupInformation ugi) { public static String getUser(String userName, UserGroupInformation ugi) {
if (StringUtils.isNotEmpty(userName)) { if (StringUtils.isNotEmpty(userName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Returning userName {} " + userName);
}
return userName; return userName;
} }
if (ugi != null && StringUtils.isNotEmpty(ugi.getShortUserName())) { if (ugi != null && StringUtils.isNotEmpty(ugi.getShortUserName())) {
if (LOG.isDebugEnabled()) {
LOG.debug("Returning ugi.getShortUserName {} " + userName);
}
return ugi.getShortUserName(); return ugi.getShortUserName();
} }
try { try {
return UserGroupInformation.getCurrentUser().getShortUserName(); return UserGroupInformation.getCurrentUser().getShortUserName();
} catch (IOException e) { } catch (IOException e) {
LOG.warn("Failed for UserGroupInformation.getCurrentUser()"); LOG.warn("Failed for UserGroupInformation.getCurrentUser() ", e);
return System.getProperty("user.name"); return System.getProperty("user.name");
} }
} }
} }
release-log.txt
...@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al ...@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al
ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai) ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai)
ALL CHANGES: ALL CHANGES:
ATLAS-1364 HiveHook : Fix Auth issue with doAs (sumasai)
ATLAS-1340 Credential Provider utility does not work with fully qualified local/HDFS jceks path (vrathor via svimal2106) ATLAS-1340 Credential Provider utility does not work with fully qualified local/HDFS jceks path (vrathor via svimal2106)
ATLAS-1363 Upgrade front end maven plugin to 1.0 (sumasai) ATLAS-1363 Upgrade front end maven plugin to 1.0 (sumasai)
ATLAS-1358 NPE Fix for search filter changes & callAPI related fixes (apoorvnaik via sumasai) ATLAS-1358 NPE Fix for search filter changes & callAPI related fixes (apoorvnaik via sumasai)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment