TOSIT-IO / tdp-collection

Ansible collection to deploy the components of TDP
Apache License 2.0
21 stars, 19 forks

Hive: The principal used by the Hive Metastore should be allowed to impersonate users #347

Closed Nuttymoon closed 2 years ago

Nuttymoon commented 2 years ago

The Hive Metastore is currently running with the principal hive_ms/_HOST@REALM. Therefore it is not impacted by the auth_to_local rule:

RULE:[2:$1/$2@$0](hive/.*@{{ realm }})s/.*/hive/

When running Spark SQL queries, we end up with the error:

hive_ms/master-03.tdp@REALM.TDP is not allowed to impersonate tdp_user@REALM.TDP

The Hive Metastore should be able to impersonate users. Also, I don't understand why the Metastore is running with a different principal than the Hive Server. For me both should use hive/_HOST.

leopaul36 commented 2 years ago

I agree that the Metastore should run with the principal hive.

nschung commented 2 years ago

This is a conceptual choice. The idea is to create independence between the Hive Metastore and the Hive Server. The Hive Metastore can be installed without the Hive Server. We can keep the hive_ms principal by adding an auth_to_local mapping rule.
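How the auth_to_local rule quoted in the first comment treats the two Hive principals, and what an extra mapping rule of the kind nschung mentions would change, as an added example (Python, not code from the tdp-collection repo). It assumes REALM.TDP as the local realm in place of {{ realm }}, and the hive_ms rule is a constructed illustration, not the repo's.

```python
import re

# Added example (not from the tdp-collection repo): a minimal evaluator for Hadoop
# auth_to_local rules with the semantics of Hadoop's KerberosName. A RULE applies
# only if the principal has exactly n components and the formatted string fully
# matches the optional regex; the optional s/// part is then applied (once, or
# everywhere with g). DEFAULT maps a local-realm principal to its first component.
LOCAL_REALM = "REALM.TDP"  # assumed local realm, standing in for {{ realm }}
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")

def apply_rules(principal, rules):
    """Return the local user name for principal; raise if no rule matches."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == LOCAL_REALM:
                return components[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError(f"malformed rule: {rule}")
        n, fmt, match_re, pattern, repl, flag = m.groups()
        if len(components) != int(n):
            continue
        formatted = fmt.replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            formatted = formatted.replace(f"${i}", comp)
        if match_re and not re.fullmatch(match_re, formatted):
            continue
        result = formatted
        if pattern is not None:  # replacement backrefs use Python \1 syntax here
            result = re.sub(pattern, repl, formatted, count=0 if flag else 1)
        if "/" in result or "@" in result:  # the hadoop mechanism rejects these
            raise ValueError(f"rule produced a non-simple name: {result}")
        return result
    raise ValueError(f"no rule matched {principal}")

# The rule quoted in the issue, followed by Hadoop's usual DEFAULT.
ISSUE_RULES = ["RULE:[2:$1/$2@$0](hive/.*@REALM.TDP)s/.*/hive/", "DEFAULT"]
# Constructed extra rule in the spirit of nschung's remark: keep hive_ms, map it to hive.
PROPOSED_RULES = ["RULE:[2:$1/$2@$0](hive_ms/.*@REALM.TDP)s/.*/hive/"] + ISSUE_RULES

def map_issue_principals(rules):
    return {p: apply_rules(p, rules) for p in (
        "hive/master-03.tdp@REALM.TDP",
        "hive_ms/master-03.tdp@REALM.TDP",
        "tdp_user@REALM.TDP",
    )}
```

With only the issue's rule, hive_ms/master-03.tdp falls through to DEFAULT and stays hive_ms, which is why it is not covered by the mapping that makes the Hive Server principal become hive.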

Nuttymoon commented 2 years ago

I am not very convinced about changing the behavior that was followed by both CDH and HDP and now CDP, which is having a single hive principal. This might trouble users coming from CDH, HDP and CDP, and it also complicates the auth_to_local rules.

See:

Btw I think the same of Ranger principals rangeradmin, rangerlookup and rangerusersync. (My bad there, Cloudera is using the same principals for Ranger)

Nuttymoon commented 2 years ago

Maybe we should create a discussion about this?

Nuttymoon commented 2 years ago

I am not very convinced about changing the behavior that was followed by both CDH and HDP and now CDP, which is having a single hive principal. This might trouble users coming from CDH, HDP and CDP, and it also complicates the auth_to_local rules.

See:

* HDP: [Creating Service Principals and Keytab Files for HDP](https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.3/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html)

* CDP: [Hadoop Users (user:group) and Kerberos Principals](https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/security-kerberos-authentication/topics/cm_sg_cm_users_principals.html).

Btw I think the same of Ranger principals rangeradmin, rangerlookup and rangerusersync.

@rpignolet @mehdibn what's your input on this?

rpignolet commented 2 years ago

I vote to do the same as Cloudera.

mehdibn commented 2 years ago

I vote to do the same as @rpignolet :)