Posted to commits@hive.apache.org by th...@apache.org on 2014/04/09 21:53:54 UTC

svn commit: r1586109 - in /hive/branches/branch-0.13/service/src/java/org/apache/hive/service: auth/HiveAuthFactory.java cli/thrift/ThriftCLIService.java cli/thrift/ThriftHttpServlet.java

Author: thejas
Date: Wed Apr  9 19:53:54 2014
New Revision: 1586109

URL: http://svn.apache.org/r1586109
Log:
HIVE-6837 : HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null for client (Vaibhav Gumashta via Thejas Nair)

Modified:
    hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
    hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java

Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java?rev=1586109&r1=1586108&r2=1586109&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java Wed Apr  9 19:53:54 2014
@@ -172,7 +172,11 @@ public class HiveAuthFactory {
   }
 
   public String getIpAddress() {
-    return saslServer != null ? saslServer.getRemoteAddress().toString() : null;
+    if (saslServer != null && saslServer.getRemoteAddress() != null) {
+      return saslServer.getRemoteAddress().getHostAddress();
+    } else {
+      return null;
+    }
   }
 
   // Perform kerberos login using the hadoop shim API if the configuration is available
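Review bot: getIpAddress() can now return null in two distinct cases (no SASL server, or a transport with no remote address), and nothing documents that contract. Since the commit log ties this value to the proxy-user check, a Javadoc such as `/** Client IP as seen by the SASL transport, or null if unknown; callers must not treat null as an allowed host. */` would make the caller's obligation explicit. The method also calls `saslServer.getRemoteAddress()` twice; reading it once into a local avoids relying on both calls returning the same object.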

Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1586109&r1=1586108&r2=1586109&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Wed Apr  9 19:53:54 2014
@@ -201,16 +201,31 @@ public abstract class ThriftCLIService e
   }
 
   private String getIpAddress() {
-    if (hiveAuthFactory != null) {
-      return hiveAuthFactory.getIpAddress();
+    String clientIpAddress;
+    // Http transport mode.
+    // We set the thread local ip address, in ThriftHttpServlet.
+    if (cliService.getHiveConf().getVar(
+        ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+      clientIpAddress = SessionManager.getIpAddress();
     }
-    return TSetIpAddressProcessor.getUserIpAddress();
+    else {
+      // Kerberos
+      if (isKerberosAuthMode()) {
+        clientIpAddress = hiveAuthFactory.getIpAddress();
+      }
+      // Except kerberos, NOSASL
+      else {
+        clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
+      }
+    }
+    LOG.debug("Client's IP Address: " + clientIpAddress);
+    return clientIpAddress;
   }
 
   private String getUserName(TOpenSessionReq req) throws HiveSQLException {
     String userName = null;
     // Kerberos
-    if (hiveAuthFactory != null) {
+    if (isKerberosAuthMode()) {
       userName = hiveAuthFactory.getRemoteUser();
     }
     // Except kerberos, NOSASL
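Review bot: The Kerberos branch of getIpAddress() and the rewritten condition in getUserName() now dereference `hiveAuthFactory` without the `hiveAuthFactory != null` guard that the removed lines had. Where the field is initialised is not visible in this hunk, so if it can still be null while HIVE_SERVER2_AUTHENTICATION is KERBEROS, opening a session would end in a NullPointerException. An explicit `if (hiveAuthFactory == null) throw new IllegalStateException("auth factory not initialised");` inside the Kerberos branch fails closed, which is safer than falling through to the non-Kerberos identity source. The inline `getVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")` test is repeated in the getProxyUser hunk and would read better as a private `isHttpTransportMode()` helper next to isKerberosAuthMode(). getUserName's body continues outside the hunk.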
@@ -539,9 +554,14 @@ public abstract class ThriftCLIService e
    */
   private String getProxyUser(String realUser, Map<String, String> sessionConf,
       String ipAddress) throws HiveSQLException {
-
-    String proxyUser = SessionManager.getProxyUserName();
-    LOG.debug("Proxy user from query string: " + proxyUser);
+    String proxyUser = null;
+    // Http transport mode.
+    // We set the thread local proxy username, in ThriftHttpServlet.
+    if (cliService.getHiveConf().getVar(
+        ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+      proxyUser = SessionManager.getProxyUserName();
+      LOG.debug("Proxy user from query string: " + proxyUser);
+    }
 
     if (proxyUser == null && sessionConf != null && sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
       String proxyUserFromThriftBody = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER);
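Review bot: `LOG.debug("Proxy user from query string: " + proxyUser)` writes a client-supplied value into the log before it has passed the proxy-user authorization that follows. If the query parameter can carry CR or LF characters (whether the container already rejects them is not visible here), debug logs could contain forged lines. Logging a copy with line breaks replaced, and only when the value is non-null, keeps the log trustworthy without changing the value used for the check. getProxyUser starts and ends outside this hunk.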
@@ -570,5 +590,10 @@ public abstract class ThriftCLIService e
     return proxyUser;
   }
 
+  private boolean isKerberosAuthMode() {
+    return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+        .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString());
+  }
+
 }
 
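Review bot: isKerberosAuthMode() compares the configured value with a case-sensitive `.equals(...)`, while the transport-mode checks added in the same commit use `equalsIgnoreCase`. If other code paths (not visible here) accept the value in lower case, this helper would return false for the same configuration. getUserName() and getIpAddress() would then take the non-Kerberos branch and read identity and address from TSetIpAddressProcessor instead of the SASL server. Using `.equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString())` would keep the decision consistent.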

Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java?rev=1586109&r1=1586108&r2=1586109&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java Wed Apr  9 19:53:54 2014
@@ -20,7 +20,6 @@ package org.apache.hive.service.cli.thri
 
 import java.io.IOException;
 import java.security.PrivilegedExceptionAction;
-
 import java.util.Map;
 import java.util.Set;
 
@@ -75,6 +74,7 @@ public class ThriftHttpServlet extends T
   protected void doPost(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException {
     String clientUserName;
+    String clientIpAddress;
     try {
       // For a kerberos setup
       if(isKerberosAuthMode(authType)) {
@@ -83,16 +83,19 @@ public class ThriftHttpServlet extends T
         if (doAsQueryParam != null) {
           SessionManager.setProxyUserName(doAsQueryParam);
         }
-
       }
       else {
         clientUserName = doPasswdAuth(request, authType);
       }
-
-      LOG.info("Client username: " + clientUserName);
-
+      LOG.debug("Client username: " + clientUserName);
       // Set the thread local username to be used for doAs if true
       SessionManager.setUserName(clientUserName);
+
+      clientIpAddress = request.getRemoteAddr();
+      LOG.debug("Client IP Address: " + clientIpAddress);
+      // Set the thread local ip address
+      SessionManager.setIpAddress(clientIpAddress);
+
       super.doPost(request, response);
     }
     catch (HttpAuthenticationException e) {
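Review bot: `request.getRemoteAddr()` is the address of the immediate TCP peer, so when HiveServer2 sits behind a load balancer or gateway the value stored by `SessionManager.setIpAddress(...)` is that intermediary's address, and the proxy-user host check will presumably be evaluated against it. That is the safe default, since forwarding headers are client-controllable, but it deserves a comment above the assignment such as `// Immediate peer address; behind a reverse proxy this is the proxy, not the end client.` Separately, moving "Client username" from LOG.info to LOG.debug removes the per-request authenticated identity from default-level logs, which is worth confirming against audit requirements. doPost's body continues outside the hunk.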
@@ -105,8 +108,9 @@ public class ThriftHttpServlet extends T
       response.getWriter().println("Authentication Error: " + e.getMessage());
     }
     finally {
-      // Clear the thread local username since we set it in each http request
+      // Clear the thread locals
       SessionManager.clearUserName();
+      SessionManager.clearIpAddress();
       SessionManager.clearProxyUserName();
     }
   }