Posted to commits@hive.apache.org by vg...@apache.org on 2014/10/20 08:55:30 UTC

svn commit: r1633060 - in /hive/trunk: jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java

Author: vgumashta
Date: Mon Oct 20 06:55:30 2014
New Revision: 1633060

URL: http://svn.apache.org/r1633060
Log:
HIVE-8377: Enable Kerberized SSL for HiveServer2 in http mode (Vaibhav Gumashta reviewed by Thejas Nair)

Modified:
    hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java

Modified: hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
URL: http://svn.apache.org/viewvc/hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java?rev=1633060&r1=1633059&r2=1633060&view=diff
==============================================================================
--- hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java (original)
+++ hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java Mon Oct 20 06:55:30 2014
@@ -258,15 +258,12 @@ public class HiveConnection implements j
     HttpRequestInterceptor requestInterceptor;
     // If Kerberos
     if (isKerberosAuthMode()) {
-      if (useSsl) {
-        String msg = "SSL encryption is currently not supported with " +
-            "kerberos authentication";
-        throw new SQLException(msg, " 08S01");
-      }
       /**
        * Add an interceptor which sets the appropriate header in the request.
        * It does the kerberos authentication and get the final service ticket,
        * for sending to the server before every request.
+       * In https mode, the entire information is encrypted
+       * TODO: Optimize this with a mix of kerberos + using cookie.
        */
       requestInterceptor = new HttpKerberosRequestInterceptor(
           sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host, getServerHttpUrl(false));
@@ -277,46 +274,46 @@ public class HiveConnection implements j
        * In https mode, the entire information is encrypted
        */
       requestInterceptor = new HttpBasicAuthInterceptor(getUserName(), getPassword());
-      // Configure httpClient for SSL
-      if (useSsl) {
-        String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
-        String sslTrustStorePassword = sessConfMap.get(
-            JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
-        KeyStore sslTrustStore;
-        SSLSocketFactory socketFactory;
-        /**
-         * The code within the try block throws:
-         * 1. SSLInitializationException
-         * 2. KeyStoreException
-         * 3. IOException
-         * 4. NoSuchAlgorithmException
-         * 5. CertificateException
-         * 6. KeyManagementException
-         * 7. UnrecoverableKeyException
-         * We don't want the client to retry on any of these, hence we catch all
-         * and throw a SQLException.
-         */
-        try {
-          if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
-            // Create a default socket factory based on standard JSSE trust material
-            socketFactory = SSLSocketFactory.getSocketFactory();
-          }
-          else {
-            // Pick trust store config from the given path
-            sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
-            sslTrustStore.load(new FileInputStream(sslTrustStorePath),
-                sslTrustStorePassword.toCharArray());
-            socketFactory = new SSLSocketFactory(sslTrustStore);
-          }
-          socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
-          Scheme sslScheme = new Scheme("https", 443, socketFactory);
-          httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme);
+    }
+    // Configure httpClient for SSL
+    if (useSsl) {
+      String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
+      String sslTrustStorePassword = sessConfMap.get(
+          JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+      KeyStore sslTrustStore;
+      SSLSocketFactory socketFactory;
+      /**
+       * The code within the try block throws:
+       * 1. SSLInitializationException
+       * 2. KeyStoreException
+       * 3. IOException
+       * 4. NoSuchAlgorithmException
+       * 5. CertificateException
+       * 6. KeyManagementException
+       * 7. UnrecoverableKeyException
+       * We don't want the client to retry on any of these, hence we catch all
+       * and throw a SQLException.
+       */
+      try {
+        if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
+          // Create a default socket factory based on standard JSSE trust material
+          socketFactory = SSLSocketFactory.getSocketFactory();
         }
-        catch (Exception e) {
-          String msg =  "Could not create an https connection to " +
-              jdbcUriString + ". " + e.getMessage();
-          throw new SQLException(msg, " 08S01", e);
+        else {
+          // Pick trust store config from the given path
+          sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
+          sslTrustStore.load(new FileInputStream(sslTrustStorePath),
+              sslTrustStorePassword.toCharArray());
+          socketFactory = new SSLSocketFactory(sslTrustStore);
         }
+        socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+        Scheme sslScheme = new Scheme("https", 443, socketFactory);
+        httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme);
+      }
+      catch (Exception e) {
+        String msg =  "Could not create an https connection to " +
+            jdbcUriString + ". " + e.getMessage();
+        throw new SQLException(msg, " 08S01", e);
       }
     }
     httpClient.addRequestInterceptor(requestInterceptor);
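Review bot: Hostname verification stays disabled at `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);`, and because the SSL block now sits outside the auth branches it applies to Kerberos connections as well, so any certificate chaining to the trust store is accepted regardless of the host it names; prefer `socketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);` or add a comment stating why hostname checks are intentionally off for this client. The `new FileInputStream(sslTrustStorePath)` passed to `sslTrustStore.load(...)` is never closed, so each connection with a custom trust store leaks a file handle; assign it to a local and close it in a `finally` (or try-with-resources if the project's Java level allows). The SQLSTATE passed on the error path is `" 08S01"` with a leading space, which is not a valid five-character SQLSTATE; it should read `throw new SQLException(msg, "08S01", e);`. The enclosing method starts and ends outside this hunk.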

Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java?rev=1633060&r1=1633059&r2=1633060&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java Mon Oct 20 06:55:30 2014
@@ -29,12 +29,10 @@ import org.apache.hadoop.hive.shims.Shim
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Shell;
 import org.apache.hive.service.auth.HiveAuthFactory;
-import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
 import org.apache.hive.service.cli.CLIService;
 import org.apache.hive.service.cli.thrift.TCLIService.Iface;
 import org.apache.hive.service.server.ThreadFactoryWithGarbageCleanup;
 import org.apache.thrift.TProcessor;
-import org.apache.thrift.TProcessorFactory;
 import org.apache.thrift.protocol.TBinaryProtocol;
 import org.apache.thrift.protocol.TProtocolFactory;
 import org.apache.thrift.server.TServlet;
@@ -60,9 +58,6 @@ public class ThriftHttpCLIService extend
   @Override
   public void run() {
     try {
-      // Verify config validity
-      verifyHttpConfiguration(hiveConf);
-
       // HTTP Server
       httpServer = new org.eclipse.jetty.server.Server();
 
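Review bot: Removing the `verifyHttpConfiguration(hiveConf)` call here drops more than the Kerberos-plus-SSL rejection: the deleted method (third hunk of this file) also logged the warning that `HIVE_SERVER2_AUTHENTICATION=NONE` in http transport mode behaves as NOSASL, and the diffstat shows no other file where that warning is reinstated. Unless an equivalent warning already exists on the server auth path, keep a trimmed version of the method that only emits the NONE/NOSASL warning, and call it from the same spot in `run()`. The body of `run()` continues outside this hunk.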
@@ -162,32 +157,4 @@ public class ThriftHttpCLIService extend
     }
     return httpPath;
   }
-
-  /**
-   * Verify that this configuration is supported by transportMode of HTTP
-   * @param hiveConf
-   */
-  private static void verifyHttpConfiguration(HiveConf hiveConf) {
-    String authType = hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION);
-
-    // Error out if KERBEROS auth mode is being used and use SSL is also set to true
-    if(authType.equalsIgnoreCase(AuthTypes.KERBEROS.toString()) &&
-        hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL)) {
-      String msg = ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting of " +
-          authType + " is not supported with " +
-          ConfVars.HIVE_SERVER2_USE_SSL + " set to true";
-      LOG.fatal(msg);
-      throw new RuntimeException(msg);
-    }
-
-    // Warn that SASL is not used in http mode
-    if(authType.equalsIgnoreCase(AuthTypes.NONE.toString())) {
-      // NONE in case of thrift mode uses SASL
-      LOG.warn(ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting to " +
-          authType + ". SASL is not supported with http transport mode," +
- " so using equivalent of "
-          + AuthTypes.NOSASL);
-    }
-  }
-
 }