You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by th...@apache.org on 2014/04/09 21:53:54 UTC
svn commit: r1586109 - in
/hive/branches/branch-0.13/service/src/java/org/apache/hive/service:
auth/HiveAuthFactory.java cli/thrift/ThriftCLIService.java
cli/thrift/ThriftHttpServlet.java
Author: thejas
Date: Wed Apr 9 19:53:54 2014
New Revision: 1586109
URL: http://svn.apache.org/r1586109
Log:
HIVE-6837 : HiveServer2 thrift/http mode & binary mode proxy user check fails reporting IP null for client (Vaibhav Gumashta via Thejas Nair)
Modified:
hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java?rev=1586109&r1=1586108&r2=1586109&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java Wed Apr 9 19:53:54 2014
@@ -172,7 +172,11 @@ public class HiveAuthFactory {
}
public String getIpAddress() {
- return saslServer != null ? saslServer.getRemoteAddress().toString() : null;
+ if (saslServer != null && saslServer.getRemoteAddress() != null) {
+ return saslServer.getRemoteAddress().getHostAddress();
+ } else {
+ return null;
+ }
}
// Perform kerberos login using the hadoop shim API if the configuration is available
Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1586109&r1=1586108&r2=1586109&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Wed Apr 9 19:53:54 2014
@@ -201,16 +201,31 @@ public abstract class ThriftCLIService e
}
private String getIpAddress() {
- if (hiveAuthFactory != null) {
- return hiveAuthFactory.getIpAddress();
+ String clientIpAddress;
+ // Http transport mode.
+ // We set the thread local ip address, in ThriftHttpServlet.
+ if (cliService.getHiveConf().getVar(
+ ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+ clientIpAddress = SessionManager.getIpAddress();
}
- return TSetIpAddressProcessor.getUserIpAddress();
+ else {
+ // Kerberos
+ if (isKerberosAuthMode()) {
+ clientIpAddress = hiveAuthFactory.getIpAddress();
+ }
+ // Except kerberos, NOSASL
+ else {
+ clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
+ }
+ }
+ LOG.debug("Client's IP Address: " + clientIpAddress);
+ return clientIpAddress;
}
private String getUserName(TOpenSessionReq req) throws HiveSQLException {
String userName = null;
// Kerberos
- if (hiveAuthFactory != null) {
+ if (isKerberosAuthMode()) {
userName = hiveAuthFactory.getRemoteUser();
}
// Except kerberos, NOSASL
@@ -539,9 +554,14 @@ public abstract class ThriftCLIService e
*/
private String getProxyUser(String realUser, Map<String, String> sessionConf,
String ipAddress) throws HiveSQLException {
-
- String proxyUser = SessionManager.getProxyUserName();
- LOG.debug("Proxy user from query string: " + proxyUser);
+ String proxyUser = null;
+ // Http transport mode.
+ // We set the thread local proxy username, in ThriftHttpServlet.
+ if (cliService.getHiveConf().getVar(
+ ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+ proxyUser = SessionManager.getProxyUserName();
+ LOG.debug("Proxy user from query string: " + proxyUser);
+ }
if (proxyUser == null && sessionConf != null && sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
String proxyUserFromThriftBody = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER);
@@ -570,5 +590,10 @@ public abstract class ThriftCLIService e
return proxyUser;
}
+ private boolean isKerberosAuthMode() {
+ return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+ .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString());
+ }
+
}
Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java?rev=1586109&r1=1586108&r2=1586109&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java Wed Apr 9 19:53:54 2014
@@ -20,7 +20,6 @@ package org.apache.hive.service.cli.thri
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
-
import java.util.Map;
import java.util.Set;
@@ -75,6 +74,7 @@ public class ThriftHttpServlet extends T
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String clientUserName;
+ String clientIpAddress;
try {
// For a kerberos setup
if(isKerberosAuthMode(authType)) {
@@ -83,16 +83,19 @@ public class ThriftHttpServlet extends T
if (doAsQueryParam != null) {
SessionManager.setProxyUserName(doAsQueryParam);
}
-
}
else {
clientUserName = doPasswdAuth(request, authType);
}
-
- LOG.info("Client username: " + clientUserName);
-
+ LOG.debug("Client username: " + clientUserName);
// Set the thread local username to be used for doAs if true
SessionManager.setUserName(clientUserName);
+
+ clientIpAddress = request.getRemoteAddr();
+ LOG.debug("Client IP Address: " + clientIpAddress);
+ // Set the thread local ip address
+ SessionManager.setIpAddress(clientIpAddress);
+
super.doPost(request, response);
}
catch (HttpAuthenticationException e) {
@@ -105,8 +108,9 @@ public class ThriftHttpServlet extends T
response.getWriter().println("Authentication Error: " + e.getMessage());
}
finally {
- // Clear the thread local username since we set it in each http request
+ // Clear the thread locals
SessionManager.clearUserName();
+ SessionManager.clearIpAddress();
SessionManager.clearProxyUserName();
}
}