You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by se...@apache.org on 2016/05/23 20:56:01 UTC
hive git commit: HIVE-13787 : LLAP: bug in recent security patches (wrong argument order; using full user name in id) (Sergey Shelukhin, reviewed by Siddharth Seth)

Repository: hive
Updated Branches:
  refs/heads/master a25be60e9 -> e2d07e277


HIVE-13787 : LLAP: bug in recent security patches (wrong argument order; using full user name in id) (Sergey Shelukhin, reviewed by Siddharth Seth)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/e2d07e27
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/e2d07e27
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/e2d07e27

Branch: refs/heads/master
Commit: e2d07e2775b2befea56d70fc3908e7670c79d08b
Parents: a25be60
Author: Sergey Shelukhin <se...@apache.org>
Authored: Mon May 23 13:52:10 2016 -0700
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Mon May 23 13:52:10 2016 -0700

----------------------------------------------------------------------
 .../hadoop/hive/llap/security/LlapTokenIdentifier.java | 13 +++++++++----
 .../hadoop/hive/llap/daemon/impl/LlapDaemon.java       |  2 +-
 .../hadoop/hive/llap/daemon/impl/LlapTokenChecker.java |  8 +++++---
 .../hadoop/hive/llap/daemon/impl/QueryTracker.java     | 13 +++++++++----
 .../hive/llap/daemon/impl/TaskExecutorTestHelpers.java |  2 +-
 5 files changed, 25 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/e2d07e27/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapTokenIdentifier.java
----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapTokenIdentifier.java b/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapTokenIdentifier.java
index e28eddd..7c47f0b 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapTokenIdentifier.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/security/LlapTokenIdentifier.java
@@ -28,6 +28,8 @@ import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
 
+import com.google.common.base.Preconditions;
+
 /** For now, a LLAP token gives access to any LLAP server. */
 public class LlapTokenIdentifier extends AbstractDelegationTokenIdentifier {
   private static final String KIND = "LLAP_TOKEN";
@@ -42,6 +44,7 @@ public class LlapTokenIdentifier extends AbstractDelegationTokenIdentifier {
   public LlapTokenIdentifier(Text owner, Text renewer, Text realUser,
       String clusterId, String appId) {
     super(owner, renewer, realUser);
+    Preconditions.checkNotNull(clusterId);
     this.clusterId = clusterId;
     this.appId = appId == null ? "" : appId;
   }
@@ -57,7 +60,9 @@ public class LlapTokenIdentifier extends AbstractDelegationTokenIdentifier {
   public void readFields(DataInput in) throws IOException {
     super.readFields(in);
     clusterId = in.readUTF();
+    Preconditions.checkNotNull(clusterId);
     appId = in.readUTF();
+    appId = appId == null ? "" : appId;
   }
 
   @Override
@@ -76,7 +81,7 @@ public class LlapTokenIdentifier extends AbstractDelegationTokenIdentifier {
   @Override
   public int hashCode() {
     final int prime = 31;
-    int result = prime * super.hashCode() + ((appId == null) ? 0 : appId.hashCode());
+    int result = prime * super.hashCode() + (StringUtils.isBlank(appId) ? 0 : appId.hashCode());
     return prime * result + ((clusterId == null) ? 0 : clusterId.hashCode());
   }
 
@@ -85,14 +90,14 @@ public class LlapTokenIdentifier extends AbstractDelegationTokenIdentifier {
     if (this == obj) return true;
     if (!(obj instanceof LlapTokenIdentifier) || !super.equals(obj)) return false;
     LlapTokenIdentifier other = (LlapTokenIdentifier) obj;
-    return (appId == null ? other.appId == null : appId.equals(other.appId))
+    return (StringUtils.isBlank(appId)
+        ? StringUtils.isBlank(other.appId) : appId.equals(other.appId))
         && (clusterId == null ? other.clusterId == null : clusterId.equals(other.clusterId));
   }
 
   @Override
   public String toString() {
-    return KIND + "; " + super.toString() + ", cluster " + clusterId + ", app secret hash "
-        + (StringUtils.isBlank(appId) ? 0 : appId.hashCode());
+    return KIND + "; " + super.toString() + ", cluster " + clusterId + ", app ID " + appId;
   }
 
   @InterfaceAudience.Private

http://git-wip-us.apache.org/repos/asf/hive/blob/e2d07e27/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
index de817e3..5ab7b3c 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
@@ -143,7 +143,7 @@ public class LlapDaemon extends CompositeService implements ContainerRunner, Lla
     }
     String hostName = MetricsUtils.getHostName();
     try {
-      daemonId = new DaemonId(UserGroupInformation.getCurrentUser().getUserName(),
+      daemonId = new DaemonId(UserGroupInformation.getCurrentUser().getShortUserName(),
           LlapUtil.generateClusterName(daemonConf), hostName, appName, System.currentTimeMillis());
     } catch (IOException ex) {
       throw new RuntimeException(ex);

http://git-wip-us.apache.org/repos/asf/hive/blob/e2d07e27/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapTokenChecker.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapTokenChecker.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapTokenChecker.java
index 03ee055..04df929 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapTokenChecker.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapTokenChecker.java
@@ -14,6 +14,7 @@
 package org.apache.hadoop.hive.llap.daemon.impl;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
 
 import java.util.ArrayList;
 
@@ -95,6 +96,7 @@ public final class LlapTokenChecker {
   public static void checkPermissions(
       String clusterId, String userName, String appId, Object hint) throws IOException {
     if (!UserGroupInformation.isSecurityEnabled()) return;
+    Preconditions.checkNotNull(userName);
     UserGroupInformation current = UserGroupInformation.getCurrentUser();
     String kerberosName = current.hasKerberosCredentials() ? current.getShortUserName() : null;
     List<LlapTokenIdentifier> tokens = getLlapTokens(current, clusterId);
@@ -104,7 +106,7 @@ public final class LlapTokenChecker {
   @VisibleForTesting
   static void checkPermissionsInternal(String kerberosName, List<LlapTokenIdentifier> tokens,
       String userName, String appId, Object hint) {
-    if (kerberosName != null && StringUtils.isEmpty(appId) && kerberosName.equals(userName)) {
+    if (kerberosName != null && StringUtils.isBlank(appId) && kerberosName.equals(userName)) {
       return;
     }
     if (tokens != null) {
@@ -132,6 +134,6 @@ public final class LlapTokenChecker {
   private static boolean checkTokenPermissions(
       String userName, String appId, String tokenUser, String tokenAppId) {
     return userName.equals(tokenUser)
-        && (StringUtils.isEmpty(appId) || appId.equals(tokenAppId));
+        && (StringUtils.isBlank(appId) || appId.equals(tokenAppId));
   }
-}
\ No newline at end of file
+}

http://git-wip-us.apache.org/repos/asf/hive/blob/e2d07e27/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/QueryTracker.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/QueryTracker.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/QueryTracker.java
index 8abd198..c55436b 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/QueryTracker.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/QueryTracker.java
@@ -14,6 +14,7 @@
 
 package org.apache.hadoop.hive.llap.daemon.impl;
 
+import com.google.common.base.Preconditions;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
@@ -21,6 +22,7 @@ import java.util.concurrent.TimeUnit;
 
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.tez.common.CallableWithNdc;
 
@@ -134,9 +136,12 @@ public class QueryTracker extends AbstractService {
       boolean isExistingQueryInfo = true;
       QueryInfo queryInfo = queryInfoMap.get(queryIdentifier);
       if (queryInfo == null) {
+        String tokenUser = tokenInfo.getLeft(), tokenAppId = tokenInfo.getRight();
+        if (UserGroupInformation.isSecurityEnabled()) {
+          Preconditions.checkNotNull(tokenUser);
+        }
         queryInfo = new QueryInfo(queryIdentifier, appIdString, dagName, dagIdentifier, user,
-            getSourceCompletionMap(queryIdentifier), localDirsBase, localFs,
-            tokenInfo.getLeft(), tokenInfo.getRight());
+           getSourceCompletionMap(queryIdentifier), localDirsBase, localFs, tokenUser, tokenAppId);
         QueryInfo old = queryInfoMap.putIfAbsent(queryIdentifier, queryInfo);
         if (old != null) {
           queryInfo = old;
@@ -341,8 +346,8 @@ public class QueryTracker extends AbstractService {
   private QueryInfo checkPermissionsAndGetQuery(QueryIdentifier queryId) throws IOException {
     QueryInfo queryInfo = queryInfoMap.get(queryId);
     if (queryInfo == null) return null;
-    LlapTokenChecker.checkPermissions(clusterId, queryInfo.getTokenAppId(),
-        queryInfo.getTokenUserName(), queryInfo.getQueryIdentifier());
+    LlapTokenChecker.checkPermissions(clusterId, queryInfo.getTokenUserName(),
+        queryInfo.getTokenAppId(), queryInfo.getQueryIdentifier());
     return queryInfo;
   }
 

http://git-wip-us.apache.org/repos/asf/hive/blob/e2d07e27/llap-server/src/test/org/apache/hadoop/hive/llap/daemon/impl/TaskExecutorTestHelpers.java
----------------------------------------------------------------------
diff --git a/llap-server/src/test/org/apache/hadoop/hive/llap/daemon/impl/TaskExecutorTestHelpers.java b/llap-server/src/test/org/apache/hadoop/hive/llap/daemon/impl/TaskExecutorTestHelpers.java
index 279baf1..e0f0676 100644
--- a/llap-server/src/test/org/apache/hadoop/hive/llap/daemon/impl/TaskExecutorTestHelpers.java
+++ b/llap-server/src/test/org/apache/hadoop/hive/llap/daemon/impl/TaskExecutorTestHelpers.java
@@ -79,7 +79,7 @@ public class TaskExecutorTestHelpers {
     QueryInfo queryInfo =
         new QueryInfo(queryIdentifier, "fake_app_id_string", "fake_dag_name", 1, "fakeUser",
             new ConcurrentHashMap<String, LlapDaemonProtocolProtos.SourceStateProto>(),
-            new String[0], null, null, null);
+            new String[0], null, "fakeUser", null);
     return queryInfo;
   }