You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2020/02/21 02:13:56 UTC
[GitHub] [spark] AngersZhuuuu commented on a change in pull request #25201: [SPARK-28419][SQL] Enable SparkThriftServer support proxy user's authentication .

AngersZhuuuu commented on a change in pull request #25201: [SPARK-28419][SQL] Enable SparkThriftServer support proxy user's authentication .
URL: https://github.com/apache/spark/pull/25201#discussion_r382363159
 
 

 ##########
 File path: sql/hive-thriftserver/src/main/scala/org/apache/spark/sql/hive/thriftserver/SparkSQLSessionManager.scala
 ##########
 @@ -51,17 +59,81 @@ private[hive] class SparkSQLSessionManager(hiveServer: HiveServer2, sqlContext:
       sessionConf: java.util.Map[String, String],
       withImpersonation: Boolean,
       delegationToken: String): SessionHandle = {
-    val sessionHandle =
-      super.openSession(protocol, username, passwd, ipAddress, sessionConf, withImpersonation,
+    var session: HiveSession = null
+    var sessionUGI: UserGroupInformation = null
+    if (withImpersonation) {
+      val sessionWithUGI =
+        new HiveSessionImplwithUGI(
+          protocol,
+          username,
+          passwd,
+          hiveConf,
+          ipAddress,
           delegationToken)
-    val session = super.getSession(sessionHandle)
-    HiveThriftServer2.listener.onSessionCreated(
-      session.getIpAddress, sessionHandle.getSessionId.toString, session.getUsername)
-    val ctx = if (sqlContext.conf.hiveThriftServerSingleSession) {
-      sqlContext
+      if (UserGroupInformation.isSecurityEnabled) {
+        try {
+          val ugi = sessionWithUGI.getSessionUgi
+          val originalCreds = ugi.getCredentials
+          val creds = new Credentials()
+          ThriftServerHadoopUtils.doAs(ugi)(() => hadoopTokenProvider
+            .obtainDelegationTokens(creds, username))
+
+          val tokens: String = creds.getAllTokens.asScala.map(token => {
+            token.encodeToUrlString()
+          }).mkString(SparkContext.SPARK_JOB_TOKEN_DELIMiTER)
+
+          ugi.addCredentials(creds)
+          val existing = ugi.getCredentials()
+          existing.mergeAll(originalCreds)
+          ugi.addCredentials(existing)
+          sparkSqlOperationManager.sessionToTokens.put(session.getSessionHandle, tokens)
 
 Review comment:
   > Hi @AngersZhuuuu, while applying your patch I found a bug here, `session.getSessionHandle` will have an exception because `session` is `null`.
   > 
   > Then I moved `session = HiveSessionProxy.getProxy(sessionWithUGI, sessionWithUGI.getSessionUgi)` to before the if statement will solve this issue.
   
   yea， some mistake, here is just a way to implement this. If you have interesting in this way , you can see this 
   https://github.com/spark-thriftserver/spark-thriftserver/pull/53

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org