hive icon indicating copy to clipboard operation
hive copied to clipboard
verified publisher icon apache

HIVE-29293: Restrict config 'mapreduce.job.queuename' at tez session

Open saihemanth-cloudera opened this issue 1 month ago • 3 comments

What changes were proposed in this pull request?

Verify config 'mapreduce.job.queuename' value, if tez.queue.name is null.

Why are the changes needed?

When tez.queue.name is null, setting 'mapreduce.job.queuename' creates security issue because any user can submit job to this queue. TezSessionPoolManager is currently not verifying the queue since null is being passed. This patch addresses this concern by verifying that if tez.queue.name is null, then we verify 'mapreduce.job.queuename'.

Does this PR introduce any user-facing change?

No

How was this patch tested?

Remote cluster.

saihemanth-cloudera avatar Oct 27 '25 23:10 saihemanth-cloudera

@sourcery-ai review

pdabre12 avatar Oct 28 '25 21:10 pdabre12

Sorry @pdabre12, your pull request is larger than the review limit of 150000 diff characters

sourcery-ai[bot] avatar Oct 28 '25 21:10 sourcery-ai[bot]

Sorry @pdabre12, your pull request is larger than the review limit of 150000 diff characters

SourceryAI avatar Oct 28 '25 21:10 SourceryAI

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: BryanCutler / name: Bryan Cutler (9646f97bd03132661c687263b945580d866b7e51)
  • :white_check_mark: login: pdabre12 / name: Pratik Joseph Dabre (03ad525c1f5bdfac5c9e90feb8230b3510ec304f, 21bb5c55ec2659f69c21fc7fab0a6e1e7440e743, 27d612d1be84477b82313423d59450eb48859e12, 3fa5e1ddeed1740b16cba45c220f7d7126453577, 7e18e43f98d0608d03d0323f904d2dfd5ef8cdfb, cb57e46edb87291378e615f526cce3a7bef56ca3, f3de9c06e8105505ab9b815b128d55ba0af94dec)

linux-foundation-easycla[bot] avatar Nov 03 '25 21:11 linux-foundation-easycla[bot]

Is the proposed design to run the Flight server as a plugin in the single node Java coordinator itself. Does all the data fetch happen through the Java coordinator itself then?

elbinpallimalilibm avatar Dec 11 '25 17:12 elbinpallimalilibm

Is the proposed design to run the Flight server as a plugin in the single node Java coordinator itself. Does all the data fetch happen through the Java coordinator itself then?

@elbinpallimalilibm The proposed design is to have a separate Flight server shim—a lightweight Java process—running independently. The data fetching would occur through this process. We use a similar connector plugin loading logic as in a Java coordinator. Please check out the RFC for the details ofthe design : https://github.com/prestodb/rfcs/blob/main/RFC-0018-java-connector-federation.md

pdabre12 avatar Dec 13 '25 00:12 pdabre12

When would having a Presto CPP worker + Arrow Flight connector + Java Flight server shim be more advantageous than Presto Java worker with JDBC connector.

elbinpallimalilibm avatar Dec 18 '25 05:12 elbinpallimalilibm

When would having a Presto CPP worker + Arrow Flight connector + Java Flight server shim be more advantageous than Presto Java worker with JDBC connector.

@elbinpallimalilibm : This design eliminates Presto Java worker by implementing Java flight server shim to load Presto java connectors directly using plugin mechanism. This helps us retain only limited code from the Presto Java worker allowing us to deprecate it sooner.

aditi-pandit avatar Dec 18 '25 05:12 aditi-pandit