Posted to commits@hive.apache.org by th...@apache.org on 2014/03/10 07:36:09 UTC

svn commit: r1575842 - in /hive/trunk: jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java

Author: thejas
Date: Mon Mar 10 06:36:09 2014
New Revision: 1575842

URL: http://svn.apache.org/r1575842
Log:
HIVE-6486 : Support secure Subject.doAs() in HiveServer2 JDBC client. (Shivaraju Gowda via Thejas Nair)

Added:
    hive/trunk/service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java
Modified:
    hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    hive/trunk/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java

Modified: hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
URL: http://svn.apache.org/viewvc/hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java?rev=1575842&r1=1575841&r2=1575842&view=diff
==============================================================================
--- hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java (original)
+++ hive/trunk/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java Mon Mar 10 06:36:09 2014
@@ -88,6 +88,8 @@ public class HiveConnection implements j
   private static final String HIVE_AUTH_USER = "user";
   private static final String HIVE_AUTH_PRINCIPAL = "principal";
   private static final String HIVE_AUTH_PASSWD = "password";
+  private static final String HIVE_AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType";
+  private static final String HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject";
   private static final String HIVE_ANONYMOUS_USER = "anonymous";
   private static final String HIVE_ANONYMOUS_PASSWD = "anonymous";
   private static final String HIVE_USE_SSL = "ssl";
@@ -277,9 +279,10 @@ public class HiveConnection implements j
           }
           saslProps.put(Sasl.QOP, saslQOP.toString());
           saslProps.put(Sasl.SERVER_AUTH, "true");
+          boolean assumeSubject = HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT.equals(sessConfMap.get(HIVE_AUTH_KERBEROS_AUTH_TYPE));
           transport = KerberosSaslHelper.getKerberosTransport(
               sessConfMap.get(HIVE_AUTH_PRINCIPAL), host,
-              HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps);
+              HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps, assumeSubject);
         } else {
           String userName = sessConfMap.get(HIVE_AUTH_USER);
           if ((userName == null) || userName.isEmpty()) {
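Review bot: The new `assumeSubject` line derives a security-relevant mode switch from the `kerberosAuthType` session property but carries no comment saying what `fromSubject` means, and at well over 120 columns it is the longest line in the method. A short comment above it would make the contract visible to the next reader, e.g. `// kerberosAuthType=fromSubject: use the Kerberos credentials of the Subject already bound to the calling thread (Subject.doAs) instead of the HadoopThriftAuthBridge client login`, and the expression itself reads better split as `boolean assumeSubject = HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT` / `.equals(sessConfMap.get(HIVE_AUTH_KERBEROS_AUTH_TYPE));`. The constant-on-the-left `equals` is correctly null-safe when the property is absent, so no behavioral change is needed. The enclosing method starts and ends outside this hunk.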

Modified: hive/trunk/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java?rev=1575842&r1=1575841&r2=1575842&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java Mon Mar 10 06:36:09 2014
@@ -30,6 +30,7 @@ import org.apache.hive.service.cli.thrif
 import org.apache.hive.service.cli.thrift.ThriftCLIService;
 import org.apache.thrift.TProcessor;
 import org.apache.thrift.TProcessorFactory;
+import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TTransport;
 
 public class KerberosSaslHelper {
@@ -57,7 +58,7 @@ public class KerberosSaslHelper {
   }
 
   public static TTransport getKerberosTransport(String principal, String host,
-      final TTransport underlyingTransport, Map<String, String> saslProps) throws SaslException {
+      final TTransport underlyingTransport, Map<String, String> saslProps, boolean assumeSubject) throws SaslException {
     try {
       final String names[] = principal.split("[/@]");
       if (names.length != 3) {
@@ -65,14 +66,29 @@ public class KerberosSaslHelper {
             + principal);
       }
 
-      HadoopThriftAuthBridge.Client authBridge =
-        ShimLoader.getHadoopThriftAuthBridge().createClientWithConf("kerberos");
-      return authBridge.createClientTransport(principal, host,
+      if (assumeSubject) {
+        return createSubjectAssumedTransport(principal, underlyingTransport, saslProps);
+      } else {
+        HadoopThriftAuthBridge.Client authBridge =
+          ShimLoader.getHadoopThriftAuthBridge().createClientWithConf("kerberos");
+        return authBridge.createClientTransport(principal, host,
           "KERBEROS", null, underlyingTransport, saslProps);
+      }
     } catch (IOException e) {
       throw new SaslException("Failed to open client transport", e);
     }
   }
 
+  public static TTransport createSubjectAssumedTransport(String principal, 
+		  TTransport underlyingTransport, Map<String, String> saslProps) throws IOException {
+    TTransport saslTransport = null;
+    final String names[] = principal.split("[/@]");
+    try {
+      saslTransport = new TSaslClientTransport("GSSAPI", null, names[0], names[1], saslProps, null, underlyingTransport);
+      return new TSubjectAssumingTransport(saslTransport);
+    } catch (SaslException se) {
+      throw new IOException("Could not instantiate SASL transport", se);
+    }
+  }
 
 }
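Review bot: `createSubjectAssumedTransport` re-splits `principal` with `"[/@]"` and indexes `names[0]` and `names[1]` without checking the array length, so a caller of this new public method with a malformed principal gets an `ArrayIndexOutOfBoundsException` instead of the `SaslException` that `getKerberosTransport` produces for the same input; the length check on the `names.length != 3` line above is only applied on the `getKerberosTransport` path. Either add `if (names.length != 3) { throw new IOException("Kerberos principal should have 3 parts: " + principal); }` after the split, or make the method `private` so the validated entry point is the only way in. On the same method, `TTransport saslTransport = null;` can be dropped in favor of a direct `return new TSubjectAssumingTransport(new TSaslClientTransport(...))`, and lines 89–90 mix a trailing space and a tab indent with the file's two-space style. Note that the `host` parameter of `getKerberosTransport` is not used on the `assumeSubject` branch, which takes the server name from `names[1]` instead; if that is intentional a one-line comment saying so would prevent it being "fixed" later.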

Added: hive/trunk/service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java?rev=1575842&view=auto
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java (added)
+++ hive/trunk/service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java Mon Mar 10 06:36:09 2014
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service.auth;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.hive.thrift.TFilterTransport;
+import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
+
+/**
+  *
+  * This is used on the client side, where the API explicitly opens a transport to
+  * the server using the Subject.doAs()
+  */
+ public class TSubjectAssumingTransport extends TFilterTransport {
+
+   public TSubjectAssumingTransport(TTransport wrapped) {
+     super(wrapped);
+   }
+
+   @Override
+   public void open() throws TTransportException {
+     try {
+       AccessControlContext context = AccessController.getContext();
+       Subject subject = Subject.getSubject(context);
+       Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
+         public Void run() {
+           try {
+             wrapped.open();
+           } catch (TTransportException tte) {
+             // Wrap the transport exception in an RTE, since Subject.doAs() then goes
+             // and unwraps this for us out of the doAs block. We then unwrap one
+             // more time in our catch clause to get back the TTE. (ugh)
+             throw new RuntimeException(tte);
+           }
+           return null;
+         }
+       });
+     } catch (PrivilegedActionException ioe) {
+       throw new RuntimeException("Received an ioe we never threw!", ioe);
+     } catch (RuntimeException rte) {
+       if (rte.getCause() instanceof TTransportException) {
+         throw (TTransportException)rte.getCause();
+       } else {
+         throw rte;
+       }
+     }
+   }
+
+ }
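Review bot: `open()` passes the result of `Subject.getSubject(context)` straight to `Subject.doAs`, but `getSubject` returns `null` when the caller is not inside a `Subject.doAs` block, and `Subject.doAs(null, ...)` silently runs the action with no Subject, so a misconfigured client only fails later inside the GSSAPI handshake with an unrelated-looking error. A guard after the `Subject subject = Subject.getSubject(context);` line, `if (subject == null) { throw new TTransportException("No Subject found in the current AccessControlContext; open() must be called from within Subject.doAs()"); }`, turns that into a clear, early failure, and the class Javadoc should state the same precondition (that the caller is expected to have already performed the Kerberos login and be executing under `Subject.doAs`). Since the anonymous `run()` declares no checked exception, `PrivilegedActionException` can never be thrown here and the `catch (PrivilegedActionException ioe)` branch is dead; using `PrivilegedAction<Void>` would remove it and the "we never threw" rethrow. Minor style: the class body is indented by one extra space relative to the `package` line (`+ public class`), and `run()` is missing `@Override`.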