Details
Description
The HiveCLI HoS code relies on the system property user.name when performing impersonations. The code decides to do an impersonation if the user.name system property does not match the current user who is launching the HiveCLI client. However, when confronted with a long user name, some shells and linux distros may opt to truncate the user name to a certain size to conserve screen space. In these scenarios, the current user name does not match the user.name system property and never will, so impersonation will always happen, even though the user is trying to impersonate themselves. If YARN is not setup to allow the current user to impersonate, YARN will reject the request.
if (hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) { try { String currentUser = Utils.getUGI().getShortUserName(); // do not do impersonation in CLI mode if (!currentUser.equals(System.getProperty("user.name"))) { LOG.info("Attempting impersonation of " + currentUser); addProxyUser(currentUser); } } catch (Exception e) { String msg = "Cannot obtain username: " + e; throw new IllegalStateException(msg, e); } }
Assuming a kerberos enabled environment, the error message in the YARN Resource Manager will be:
my-really-really-long-user-name@HADOOP.DOMAIN.COM is not allowed to impersonate my-really-really-long-user-name