Posted to commits@hive.apache.org by se...@apache.org on 2015/12/12 00:52:32 UTC
[1/2] hive git commit: HIVE-12422 : LLAP: add security to Web UI
endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)
Repository: hive
Updated Branches:
refs/heads/branch-2.0 3cbcda530 -> 005eb6181
refs/heads/master 9c7a78ee3 -> fc19f6bf3
HIVE-12422 : LLAP: add security to Web UI endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/fc19f6bf
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/fc19f6bf
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/fc19f6bf
Branch: refs/heads/master
Commit: fc19f6bf34a757194679f8c9fb352b4f149bad6c
Parents: 9c7a78e
Author: Sergey Shelukhin <se...@apache.org>
Authored: Fri Dec 11 15:51:48 2015 -0800
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Fri Dec 11 15:51:48 2015 -0800
----------------------------------------------------------------------
.../org/apache/hadoop/hive/conf/HiveConf.java | 2 ++
.../daemon/services/impl/LlapWebServices.java | 33 ++++++++++++++++----
2 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/fc19f6bf/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 182902e..56a39df 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2398,6 +2398,8 @@ public class HiveConf extends Configuration {
"LLAP delegation token lifetime, in seconds if specified without a unit."),
LLAP_MANAGEMENT_RPC_PORT("hive.llap.management.rpc.port", 15004,
"RPC port for LLAP daemon management service."),
+ LLAP_WEB_AUTO_AUTH("hive.llap.auto.auth", true,
+ "Whether or not to set Hadoop configs to enable auth in LLAP web app."),
LLAP_DAEMON_RPC_NUM_HANDLERS("hive.llap.daemon.rpc.num.handlers", 5,
"Number of RPC handlers for LLAP daemon.", "llap.daemon.rpc.num.handlers"),
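Review bot: The description of `hive.llap.auto.auth` does not say when the flag takes effect or what it overwrites, and the key name omits "web" although the enum name is `LLAP_WEB_AUTO_AUTH`. Going by the LlapWebServices change in this same commit, the flag is only consulted when Hadoop security is enabled, and when true it sets `hadoop.http.authentication.type`, the Kerberos principal and keytab, and prepends the authentication filter initializer. I would spell that out in the description, e.g. `"When Hadoop security is enabled, whether LLAP sets the hadoop.http.authentication.* configs (Kerberos, using the LLAP principal and keytab) for its web app; if false, web authentication must be configured explicitly."`. The same applies to the identical HiveConf hunk in the branch-2.0 commit further down.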
http://git-wip-us.apache.org/repos/asf/hive/blob/fc19f6bf/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
index 7856663..ed51f3c 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
@@ -20,16 +20,19 @@ package org.apache.hadoop.hive.llap.daemon.services.impl;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.http.HttpConfig.Policy;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.webapp.WebApp;
import org.apache.hadoop.yarn.webapp.WebApps;
+import org.apache.hadoop.yarn.webapp.WebApps.Builder;
public class LlapWebServices extends AbstractService {
private int port;
- private boolean ssl;
private Configuration conf;
private WebApp webApp;
private LlapWebApp webAppInstance;
@@ -45,7 +48,6 @@ public class LlapWebServices extends AbstractService {
this.conf.addResource(YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
this.port = HiveConf.getIntVar(conf, ConfVars.LLAP_DAEMON_WEB_PORT);
- this.ssl = HiveConf.getBoolVar(conf, ConfVars.LLAP_DAEMON_WEB_SSL);
this.webAppInstance = new LlapWebApp();
}
@@ -53,10 +55,29 @@ public class LlapWebServices extends AbstractService {
@Override
public void serviceStart() throws Exception {
String bindAddress = "0.0.0.0";
- this.webApp =
- WebApps.$for("llap").at(bindAddress).at(port).with(getConfig())
- /* TODO: security negotiation here */
- .start();
+ Configuration conf = getConfig();
+ if (UserGroupInformation.isSecurityEnabled()
+ && HiveConf.getBoolVar(conf, ConfVars.LLAP_WEB_AUTO_AUTH)) {
+ conf.set("hadoop.http.authentication.type", "kerberos");
+ conf.set("hadoop.http.authentication.kerberos.principal",
+ HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL));
+ conf.set("hadoop.http.authentication.kerberos.keytab",
+ HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE));
+ String authFilterName = AuthenticationFilterInitializer.class.getName();
+ String initializers = conf.getTrimmed("hadoop.http.filter.initializers");
+ if (initializers == null || initializers.isEmpty()) {
+ initializers = authFilterName;
+ } else if (!initializers.contains(authFilterName)) {
+ initializers = authFilterName + "," + initializers;
+ }
+ conf.set("hadoop.http.filter.initializers", initializers);
+ }
+ Builder<Object> webAppBuilder =
+ WebApps.$for("llap").at(bindAddress).at(port).with(conf);
+ if (UserGroupInformation.isSecurityEnabled()) {
+ webAppBuilder.withHttpPolicy(conf, Policy.HTTPS_ONLY);
+ }
+ this.webApp = webAppBuilder.start();
}
public void serviceStop() throws Exception {
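Review bot: The `initializers.contains(authFilterName)` test in serviceStart is a substring match on the raw comma-separated value, so any configured initializer whose class name merely contains `org.apache.hadoop.security.AuthenticationFilterInitializer` would cause the authentication filter to be skipped; compare whole entries instead, e.g. `} else if (!conf.getTrimmedStringCollection("hadoop.http.filter.initializers").contains(authFilterName)) {`. Separately, the principal and keytab are copied from the LLAP settings without checking that they are non-empty, so a misconfiguration would presumably only surface later inside the filter; a fail-fast check with a clear message before the `conf.set(...)` calls would help, and it is worth confirming that SPNEGO clients accept the LLAP service principal rather than an `HTTP/` one. With security enabled and `hive.llap.auto.auth` set to false, the app still binds `0.0.0.0` with whatever filters the config already carries, which deserves at least a comment at that branch. The same points apply to the identical hunk in the branch-2.0 commit below.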
[2/2] hive git commit: HIVE-12422 : LLAP: add security to Web UI
endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)
Posted by se...@apache.org.
HIVE-12422 : LLAP: add security to Web UI endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/005eb618
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/005eb618
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/005eb618
Branch: refs/heads/branch-2.0
Commit: 005eb6181b7ac0f02f120de80df7afc982f52445
Parents: 3cbcda5
Author: Sergey Shelukhin <se...@apache.org>
Authored: Fri Dec 11 15:51:48 2015 -0800
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Fri Dec 11 15:52:13 2015 -0800
----------------------------------------------------------------------
.../org/apache/hadoop/hive/conf/HiveConf.java | 2 ++
.../daemon/services/impl/LlapWebServices.java | 33 ++++++++++++++++----
2 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/005eb618/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index c7942fe..36e281a 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2394,6 +2394,8 @@ public class HiveConf extends Configuration {
"LLAP delegation token lifetime, in seconds if specified without a unit."),
LLAP_MANAGEMENT_RPC_PORT("hive.llap.management.rpc.port", 15004,
"RPC port for LLAP daemon management service."),
+ LLAP_WEB_AUTO_AUTH("hive.llap.auto.auth", true,
+ "Whether or not to set Hadoop configs to enable auth in LLAP web app."),
LLAP_DAEMON_RPC_NUM_HANDLERS("hive.llap.daemon.rpc.num.handlers", 5,
"Number of RPC handlers for LLAP daemon.", "llap.daemon.rpc.num.handlers"),
http://git-wip-us.apache.org/repos/asf/hive/blob/005eb618/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
index 7856663..ed51f3c 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
@@ -20,16 +20,19 @@ package org.apache.hadoop.hive.llap.daemon.services.impl;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.http.HttpConfig.Policy;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.webapp.WebApp;
import org.apache.hadoop.yarn.webapp.WebApps;
+import org.apache.hadoop.yarn.webapp.WebApps.Builder;
public class LlapWebServices extends AbstractService {
private int port;
- private boolean ssl;
private Configuration conf;
private WebApp webApp;
private LlapWebApp webAppInstance;
@@ -45,7 +48,6 @@ public class LlapWebServices extends AbstractService {
this.conf.addResource(YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
this.port = HiveConf.getIntVar(conf, ConfVars.LLAP_DAEMON_WEB_PORT);
- this.ssl = HiveConf.getBoolVar(conf, ConfVars.LLAP_DAEMON_WEB_SSL);
this.webAppInstance = new LlapWebApp();
}
@@ -53,10 +55,29 @@ public class LlapWebServices extends AbstractService {
@Override
public void serviceStart() throws Exception {
String bindAddress = "0.0.0.0";
- this.webApp =
- WebApps.$for("llap").at(bindAddress).at(port).with(getConfig())
- /* TODO: security negotiation here */
- .start();
+ Configuration conf = getConfig();
+ if (UserGroupInformation.isSecurityEnabled()
+ && HiveConf.getBoolVar(conf, ConfVars.LLAP_WEB_AUTO_AUTH)) {
+ conf.set("hadoop.http.authentication.type", "kerberos");
+ conf.set("hadoop.http.authentication.kerberos.principal",
+ HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL));
+ conf.set("hadoop.http.authentication.kerberos.keytab",
+ HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE));
+ String authFilterName = AuthenticationFilterInitializer.class.getName();
+ String initializers = conf.getTrimmed("hadoop.http.filter.initializers");
+ if (initializers == null || initializers.isEmpty()) {
+ initializers = authFilterName;
+ } else if (!initializers.contains(authFilterName)) {
+ initializers = authFilterName + "," + initializers;
+ }
+ conf.set("hadoop.http.filter.initializers", initializers);
+ }
+ Builder<Object> webAppBuilder =
+ WebApps.$for("llap").at(bindAddress).at(port).with(conf);
+ if (UserGroupInformation.isSecurityEnabled()) {
+ webAppBuilder.withHttpPolicy(conf, Policy.HTTPS_ONLY);
+ }
+ this.webApp = webAppBuilder.start();
}
public void serviceStop() throws Exception {