Made sudo-less mode configurable. Haven't tested yet, will push another commit after testing, and add documentation for configuring sudo when that is what you want to use.

hercynium · hercynium · commit b78ac9dd96b6 · 2013-06-30T16:34:51.000-04:00
diff --git a/conf/hqt_config.yaml.example b/conf/hqt_config.yaml.example
@@ -45,6 +45,12 @@ jobs_dbm: "data/jobs.db"
 # directory from which to load templates
 hql_template_dir: "hql_templates/"
 
+# the backend can use sudo to run hive as the users logged into the front-end,
+# if the OS is configured to auth against LDAP/NIS and sudo is configured as
+# per the instructions in the HQT docs.
+# NOTE: if frontend_auth is "none" this should almost always be set to "yes".
+backend_use_sudo: "yes"
+
 # what method of authentication to use. Set to "none" or
 # comment-out to disable user-authentication.
 frontend_auth: "ldap"
diff --git a/lib/App/HiveQueryTool/HiveCLI.pm b/lib/App/HiveQueryTool/HiveCLI.pm
@@ -29,7 +29,7 @@ use Hash::Merge::Simple qw(merge);
 use Moo;
 
 has hive_path => ( is => 'ro', default => sub { __which_or_die('hive') } );
-has user => ( is => 'ro' );
+has user => ( is => 'ro', required => 0 );
 has conf => ( is => 'ro', default => sub { +{} } );
 has env  => ( is => 'ro', default => sub { +{} } );
 
diff --git a/script/hivecli-server.pl b/script/hivecli-server.pl
@@ -91,6 +91,8 @@
 # the given configuration and HQL.
 my $RUNNER = HiveCLI->new();
 
+use constant TRUE_VALUES  => [ qw( 1 true  yes on  ) ];
+use constant FALSE_VALUES => [ qw( 0 false no  off ), '', undef ];
 
 # this is a stupid-simple web server running on AnyEvent. I chose it because
 # it needs to play nice with Hadoop::HiveCLI which also uses AnyEvent.
@@ -116,12 +118,6 @@
       return $req->respond( res_json_xx(400, 'query_id parameter required', {} ) );
     };
 
-    my $user_name = $req->parm('user_name') // do {
-      return $req->respond( res_json_xx(400, 'user_name parameter required', {} ) );
-    };
-    # set the user to run the hive command as
-    $hive_opts{user} = $user_name;
-
     my $template_name = $req->parm('template_name') // do {
       return $req->respond( res_json_xx(400, 'template_name parameter required', {} ) );
     };
@@ -130,8 +126,14 @@
       return $req->respond( res_json_xx(400, 'hql parameter required', {} ) );
     };
 
+    # set the user to run the hive command as
+    my $user_name = $hive_opts{user} = $req->parm('user_name') || $ENV{USER};
+
     # get the queue permissions of the user
-    my @queue_perms = capturex(qw(sudo -E -u), $user_name, which('hadoop'), qw(queue -showacls));
+    my @queue_perm_cmd = ( which('hadoop'), qw(queue -showacls) );
+    unshift @queue_perm_cmd, ( qw(sudo -E -u), $user_name )
+      if is_truthy( $CFG->{backend_use_sudo} );
+    my @queue_perms = capturex( @queue_perm_cmd );
 
     # set the queue if the user specified one
     if ( my $queue = $req->parm('queue') ) {
@@ -153,7 +155,6 @@
       if ( ! grep { /^\Q$queue\E\s+.*submit-job/ } @queue_perms ) {
         warn join " ",
           "User [$user_name] does not have permission to submit jobs in queue [$queue]",
-          #"which is set in the query. Running job as user [$ENV{USER}] until this is resolved.\n";
           "which is set in the query. Attempting to remove this line from the query...\n";
         #$hive_opts{user} = $ENV{USER};
         #last;
