Posted to commits@hive.apache.org by se...@apache.org on 2016/04/06 20:59:45 UTC

hive git commit: Revert "HIVE-13401:Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho)"

Repository: hive
Updated Branches:
  refs/heads/branch-2.0 9550d436a -> b2b61da4e


Revert "HIVE-13401:Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho)"

This reverts commit 9550d436a734f310980d53db058eeb492654f601.


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/b2b61da4
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/b2b61da4
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/b2b61da4

Branch: refs/heads/branch-2.0
Commit: b2b61da4e380aa4c63f49ef5ddd4f885ef366191
Parents: 9550d43
Author: Sergey Shelukhin <se...@apache.org>
Authored: Wed Apr 6 11:59:15 2016 -0700
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Wed Apr 6 11:59:15 2016 -0700

----------------------------------------------------------------------
 .../org/apache/hive/minikdc/MiniHiveKdc.java    | 52 ++------------------
 .../hive/minikdc/TestJdbcWithMiniKdc.java       | 12 ++---
 .../org/apache/hive/jdbc/miniHS2/MiniHS2.java   | 15 ++----
 .../hive/llap/security/SecretManager.java       | 18 +------
 .../hive/service/auth/HiveAuthFactory.java      | 15 +++---
 .../service/cli/thrift/ThriftCLIService.java    | 15 ++++--
 6 files changed, 32 insertions(+), 95 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/b2b61da4/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
index 6b47480..dedbf35 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
@@ -50,7 +50,6 @@ public class MiniHiveKdc {
   public static String HIVE_TEST_USER_1 = "user1";
   public static String HIVE_TEST_USER_2 = "user2";
   public static String HIVE_TEST_SUPER_USER = "superuser";
-  public static String AUTHENTICATION_TYPE = "KERBEROS";
 
   private final MiniKdc miniKdc;
   private final File workDir;
@@ -171,57 +170,14 @@ public class MiniHiveKdc {
    * @throws Exception
    */
   public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf hiveConf) throws Exception {
-    return getMiniHS2WithKerb(miniHiveKdc, hiveConf, AUTHENTICATION_TYPE);
-  }
-
-  /**
-  * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc
-  * @param miniHiveKdc
-  * @param hiveConf
-  * @param authType
-  * @return new MiniHS2 instance
-  * @throws Exception
-  */
- public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf hiveConf,
-     String authType) throws Exception {
-   String hivePrincipal =
-       miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
-   String hiveKeytab = miniHiveKdc.getKeyTabFile(
-       miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
-
-   return new MiniHS2.Builder().withConf(hiveConf).withMiniKdc(hivePrincipal, hiveKeytab).
-       withAuthenticationType(authType).build();
- }
-
-  /**
-   * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc
-   * @param miniHiveKdc
-   * @param hiveConf
-   * @return new MiniHS2 instance
-   * @throws Exception
-   */
-  public static MiniHS2 getMiniHS2WithKerbWithRemoteHMS(MiniHiveKdc miniHiveKdc, HiveConf hiveConf) throws Exception {
-    return getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, AUTHENTICATION_TYPE);
-  }
-
-  /**
-   * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc. It uses remote HMS
-   * and can support a different Sasl authType
-   * @param miniHiveKdc
-   * @param hiveConf
-   * @param authType
-   * @return new MiniHS2 instance
-   * @throws Exception
-   */
-  public static MiniHS2 getMiniHS2WithKerbWithRemoteHMS(MiniHiveKdc miniHiveKdc, HiveConf hiveConf,
-      String authType) throws Exception {
     String hivePrincipal =
         miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
     String hiveKeytab = miniHiveKdc.getKeyTabFile(
         miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
 
-    return new MiniHS2.Builder().withConf(hiveConf).withRemoteMetastore().
-        withMiniKdc(hivePrincipal, hiveKeytab).withAuthenticationType(authType).build();
+    return new MiniHS2.Builder().withConf(hiveConf).
+        withMiniKdc(hivePrincipal, hiveKeytab).build();
   }
-}
 
+
+}

http://git-wip-us.apache.org/repos/asf/hive/blob/b2b61da4/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
index 71a08fb..3ef2ce3 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
@@ -57,10 +57,10 @@ public class TestJdbcWithMiniKdc {
     }
   }
 
-  protected static MiniHS2 miniHS2 = null;
-  protected static MiniHiveKdc miniHiveKdc = null;
-  protected static Map<String, String> confOverlay = new HashMap<String, String>();
-  protected Connection hs2Conn;
+  private static MiniHS2 miniHS2 = null;
+  private static MiniHiveKdc miniHiveKdc = null;
+  private static Map<String, String> confOverlay = new HashMap<String, String>();
+  private Connection hs2Conn;
 
   @BeforeClass
   public static void beforeTest() throws Exception {
@@ -241,7 +241,7 @@ public class TestJdbcWithMiniKdc {
    * @param expectedValue
    * @throws Exception
    */
-  protected void verifyProperty(String propertyName, String expectedValue) throws Exception {
+  private void verifyProperty(String propertyName, String expectedValue) throws Exception {
     Statement stmt = hs2Conn .createStatement();
     ResultSet res = stmt.executeQuery("set " + propertyName);
     assertTrue(res.next());
@@ -251,7 +251,7 @@ public class TestJdbcWithMiniKdc {
   }
 
   // Store the given token in the UGI
-  protected void storeToken(String tokenStr, UserGroupInformation ugi)
+  private void storeToken(String tokenStr, UserGroupInformation ugi)
       throws Exception {
     Utils.setTokenStr(ugi,
         tokenStr, HiveAuthFactory.HS2_CLIENT_TOKEN);

http://git-wip-us.apache.org/repos/asf/hive/blob/b2b61da4/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
index 8b0f9d4..488ba93 100644
--- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
+++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
@@ -79,8 +79,6 @@ public class MiniHS2 extends AbstractHiveService {
     private String serverKeytab;
     private boolean isHTTPTransMode = false;
     private boolean isMetastoreRemote;
-    private boolean usePortsFromConf = false;
-    private String authType = "KERBEROS";
 
     public Builder() {
     }
@@ -97,11 +95,6 @@ public class MiniHS2 extends AbstractHiveService {
       return this;
     }
 
-    public Builder withAuthenticationType(String authType) {
-      this.authType = authType;
-      return this;
-    }
-
     public Builder withRemoteMetastore() {
       this.isMetastoreRemote = true;
       return this;
@@ -132,7 +125,7 @@ public class MiniHS2 extends AbstractHiveService {
         hiveConf.setVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE, HS2_BINARY_MODE);
       }
       return new MiniHS2(hiveConf, miniClusterType, useMiniKdc, serverPrincipal, serverKeytab,
-          isMetastoreRemote, authType);
+          isMetastoreRemote);
     }
   }
 
@@ -169,7 +162,7 @@ public class MiniHS2 extends AbstractHiveService {
   }
 
   private MiniHS2(HiveConf hiveConf, MiniClusterType miniClusterType, boolean useMiniKdc,
-      String serverPrincipal, String serverKeytab, boolean isMetastoreRemote, String authType) throws Exception {
+      String serverPrincipal, String serverKeytab, boolean isMetastoreRemote) throws Exception {
     super(hiveConf, "localhost", MetaStoreUtils.findFreePort(), MetaStoreUtils.findFreePort());
     this.miniClusterType = miniClusterType;
     this.useMiniKdc = useMiniKdc;
@@ -207,7 +200,7 @@ public class MiniHS2 extends AbstractHiveService {
     if (useMiniKdc) {
       hiveConf.setVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL, serverPrincipal);
       hiveConf.setVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB, serverKeytab);
-      hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, authType);
+      hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "KERBEROS");
     }
     String metaStoreURL =  "jdbc:derby:" + baseDir.getAbsolutePath() + File.separator + "test_metastore-" +
         hs2Counter.incrementAndGet() + ";create=true";
@@ -243,7 +236,7 @@ public class MiniHS2 extends AbstractHiveService {
   }
 
   public MiniHS2(HiveConf hiveConf, MiniClusterType clusterType) throws Exception {
-    this(hiveConf, clusterType, false, null, null, false, "KERBEROS");
+    this(hiveConf, clusterType, false, null, null, false);
   }
 
   public void start(Map<String, String> confOverlay) throws Exception {

http://git-wip-us.apache.org/repos/asf/hive/blob/b2b61da4/llap-server/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java b/llap-server/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
index 8c7a539..bbdca7b 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
@@ -18,7 +18,6 @@ import java.io.DataInputStream;
 import java.io.IOException;
 import java.security.PrivilegedAction;
 import java.util.concurrent.TimeUnit;
-import java.util.regex.Pattern;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
@@ -82,14 +81,6 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent
     return id;
   }
 
-  private final static Pattern hostsRe = Pattern.compile("[^A-Za-z0-9_-]");
-  private static String deriveZkPath(Configuration conf) throws IOException {
-    String hosts = HiveConf.getTrimmedVar(conf, ConfVars.LLAP_DAEMON_SERVICE_HOSTS);
-    String clusterName = hosts.startsWith("@") ? hosts.substring(1) : hosts;
-    String userName = UserGroupInformation.getCurrentUser().getShortUserName();
-    return hostsRe.matcher(userName + "_" + clusterName).replaceAll("_") ;
-  }
-
   public static SecretManager createSecretManager(
       final Configuration conf, String llapPrincipal, String llapKeytab) {
     // Create ZK connection under a separate ugi (if specified) - ZK works in mysterious ways.
@@ -110,14 +101,7 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent
     zkConf.setLong(DelegationTokenManager.RENEW_INTERVAL, tokenLifetime);
     zkConf.set(SecretManager.ZK_DTSM_ZK_KERBEROS_PRINCIPAL, principal);
     zkConf.set(SecretManager.ZK_DTSM_ZK_KERBEROS_KEYTAB, keyTab);
-    String zkPath;
-    try {
-      zkPath = deriveZkPath(conf);
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
-    LOG.info("Using {} as ZK secret manager path", zkPath);
-    zkConf.set(SecretManager.ZK_DTSM_ZNODE_WORKING_PATH, "zkdtsm_" + zkPath);
+    setZkConfIfNotSet(zkConf, SecretManager.ZK_DTSM_ZNODE_WORKING_PATH, "llapzkdtsm");
     setZkConfIfNotSet(zkConf, SecretManager.ZK_DTSM_ZK_AUTH_TYPE, "sasl");
     setZkConfIfNotSet(zkConf, SecretManager.ZK_DTSM_ZK_CONNECTION_STRING,
         HiveConf.getVar(zkConf, ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING));
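Review bot: The working znode path now falls back to the fixed string `llapzkdtsm`, so every LLAP cluster that shares a ZooKeeper ensemble keeps its delegation-token master keys and token state under the same node unless the operator sets ZK_DTSM_ZNODE_WORKING_PATH explicitly. Presumably tokens issued under one cluster's secret manager would then verify against another's, and concurrently running clusters can overwrite each other's keys; the per-user/per-cluster path on the removed side is what this revert gives up, and nothing on the new side records that trade-off. At minimum the default deserves a comment at the call site, `// Fixed default shared by all LLAP clusters on this ZK ensemble; set ZK_DTSM_ZNODE_WORKING_PATH per cluster to keep token keys isolated`, and the setZkConfIfNotSet override should be called out in the operator documentation. createSecretManager starts and ends outside the hunk.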

http://git-wip-us.apache.org/repos/asf/hive/blob/b2b61da4/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index 062974d..0c7455d 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -102,7 +102,7 @@ public class HiveAuthFactory {
     transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
     authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);
 
-    // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that
+    // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that·
     // hadoopAuth is not simple, it does not guarantee it is kerberos
     hadoopAuth = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");
 
@@ -114,7 +114,8 @@ public class HiveAuthFactory {
         authTypeStr = AuthTypes.NONE.getAuthName();
       }
     }
-    if (isSASLWithKerberizedHadoop()) {
+    if (hadoopAuth.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())
+          && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName())) {
       saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer(
           conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
           conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
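Review bot: The restored predicate is spelled two different ways: here it is `hadoopAuth.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())`, while the hunk at line 149 in getAuthTransFactory uses the bare literal `hadoopAuth.equalsIgnoreCase("kerberos")`. Both sites decide whether the SASL server built here is used, so they should agree on one definition; the second site should read `if (hadoopAuth.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName()) && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName())) {`. The enclosing method starts and ends outside the hunk.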
@@ -148,7 +149,8 @@ public class HiveAuthFactory {
     TTransportFactory transportFactory;
     TSaslServerTransport.Factory serverTransportFactory;
 
-    if (isSASLWithKerberizedHadoop()) {
+    if (hadoopAuth.equalsIgnoreCase("kerberos") && !authTypeStr.equalsIgnoreCase(
+          AuthTypes.NOSASL.getAuthName())) {
       try {
         serverTransportFactory = saslServer.createSaslServerTransportFactory(
             getSaslProperties());
@@ -192,7 +194,7 @@ public class HiveAuthFactory {
    * @throws LoginException
    */
   public TProcessorFactory getAuthProcFactory(ThriftCLIService service) throws LoginException {
-    if (isSASLWithKerberizedHadoop()) {
+    if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
       return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
     } else {
       return PlainSaslHelper.getPlainProcessorFactory(service);
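Review bot: The gate in getAuthProcFactory no longer matches the one that creates `saslServer`: the server is built in the hunk at line 114 only when `hadoopAuth` is kerberos and `authTypeStr` is not NOSASL, but this branch keys on `authTypeStr` being KERBEROS alone. If HIVE_SERVER2_AUTHENTICATION is set to KERBEROS while HADOOP_SECURITY_AUTHENTICATION is simple, `saslServer` stays null and is handed to `KerberosSaslHelper.getKerberosProcessorFactory`, unless a check outside the hunk rejects that combination. Making the failure explicit inside the branch, `if (saslServer == null) { throw new LoginException("KERBEROS authentication configured but no SASL server was created; Hadoop security is not kerberos"); }`, is clearer than whatever the helper does with a null server. The method ends outside the hunk.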
@@ -211,11 +213,6 @@ public class HiveAuthFactory {
     }
   }
 
-  public boolean isSASLWithKerberizedHadoop() {
-    return "kerberos".equalsIgnoreCase(hadoopAuth)
-        && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName());
-  }
-
   // Perform kerberos login using the hadoop shim API if the configuration is available
   public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
     String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);

http://git-wip-us.apache.org/repos/asf/hive/blob/b2b61da4/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
index e7651dd..8434965 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
@@ -342,10 +342,11 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
       clientIpAddress = SessionManager.getIpAddress();
     }
     else {
-      if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop()) {
+      // Kerberos
+      if (isKerberosAuthMode()) {
         clientIpAddress = hiveAuthFactory.getIpAddress();
       }
-      // NOSASL
+      // Except kerberos, NOSASL
       else {
         clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
       }
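Review bot: The null guard on `hiveAuthFactory` is dropped: the new condition `isKerberosAuthMode()` reads only the configuration, and the following line dereferences `hiveAuthFactory.getIpAddress()` unchecked. The removed side guarded this with `hiveAuthFactory != null`, which suggests the field can be unset (presumably before the service is fully started or in HTTP mode — verify against where the field is assigned); the same pattern appears in getUserName in the hunk at line 367. Keeping the guard at both sites, `if (hiveAuthFactory != null && isKerberosAuthMode()) {`, preserves the earlier safety without changing the auth-mode decision. The enclosing method starts and ends outside the hunk.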
@@ -366,10 +367,11 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
    */
   private String getUserName(TOpenSessionReq req) throws HiveSQLException {
     String userName = null;
-    if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop()) {
+    // Kerberos
+    if (isKerberosAuthMode()) {
       userName = hiveAuthFactory.getRemoteUser();
     }
-    // NOSASL
+    // Except kerberos, NOSASL
     if (userName == null) {
       userName = TSetIpAddressProcessor.getUserName();
     }
@@ -753,4 +755,9 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
     LOG.debug("Verified proxy user: " + proxyUser);
     return proxyUser;
   }
+
+  private boolean isKerberosAuthMode() {
+    return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+        .equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString());
+  }
 }