Posted to commits@hive.apache.org by se...@apache.org on 2015/12/12 00:52:32 UTC

[1/2] hive git commit: HIVE-12422 : LLAP: add security to Web UI endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)

Repository: hive
Updated Branches:
  refs/heads/branch-2.0 3cbcda530 -> 005eb6181
  refs/heads/master 9c7a78ee3 -> fc19f6bf3


HIVE-12422 : LLAP: add security to Web UI endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/fc19f6bf
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/fc19f6bf
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/fc19f6bf

Branch: refs/heads/master
Commit: fc19f6bf34a757194679f8c9fb352b4f149bad6c
Parents: 9c7a78e
Author: Sergey Shelukhin <se...@apache.org>
Authored: Fri Dec 11 15:51:48 2015 -0800
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Fri Dec 11 15:51:48 2015 -0800

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   |  2 ++
 .../daemon/services/impl/LlapWebServices.java   | 33 ++++++++++++++++----
 2 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/fc19f6bf/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 182902e..56a39df 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2398,6 +2398,8 @@ public class HiveConf extends Configuration {
         "LLAP delegation token lifetime, in seconds if specified without a unit."),
     LLAP_MANAGEMENT_RPC_PORT("hive.llap.management.rpc.port", 15004,
         "RPC port for LLAP daemon management service."),
+    LLAP_WEB_AUTO_AUTH("hive.llap.auto.auth", true,
+        "Whether or not to set Hadoop configs to enable auth in LLAP web app."),
 
     LLAP_DAEMON_RPC_NUM_HANDLERS("hive.llap.daemon.rpc.num.handlers", 5,
       "Number of RPC handlers for LLAP daemon.", "llap.daemon.rpc.num.handlers"),

http://git-wip-us.apache.org/repos/asf/hive/blob/fc19f6bf/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
index 7856663..ed51f3c 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
@@ -20,16 +20,19 @@ package org.apache.hadoop.hive.llap.daemon.services.impl;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.http.HttpConfig.Policy;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.webapp.WebApp;
 import org.apache.hadoop.yarn.webapp.WebApps;
+import org.apache.hadoop.yarn.webapp.WebApps.Builder;
 
 public class LlapWebServices extends AbstractService {
 
 
   private int port;
-  private boolean ssl;
   private Configuration conf;
   private WebApp webApp;
   private LlapWebApp webAppInstance;
@@ -45,7 +48,6 @@ public class LlapWebServices extends AbstractService {
     this.conf.addResource(YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
 
     this.port = HiveConf.getIntVar(conf, ConfVars.LLAP_DAEMON_WEB_PORT);
-    this.ssl = HiveConf.getBoolVar(conf, ConfVars.LLAP_DAEMON_WEB_SSL);
 
     this.webAppInstance = new LlapWebApp();
   }
@@ -53,10 +55,29 @@ public class LlapWebServices extends AbstractService {
   @Override
   public void serviceStart() throws Exception {
     String bindAddress = "0.0.0.0";
-    this.webApp =
-        WebApps.$for("llap").at(bindAddress).at(port).with(getConfig())
-        /* TODO: security negotiation here */
-            .start();
+    Configuration conf = getConfig();
+    if (UserGroupInformation.isSecurityEnabled()
+        && HiveConf.getBoolVar(conf, ConfVars.LLAP_WEB_AUTO_AUTH)) {
+      conf.set("hadoop.http.authentication.type", "kerberos");
+      conf.set("hadoop.http.authentication.kerberos.principal",
+          HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL));
+      conf.set("hadoop.http.authentication.kerberos.keytab",
+          HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE));
+      String authFilterName = AuthenticationFilterInitializer.class.getName();
+      String initializers = conf.getTrimmed("hadoop.http.filter.initializers");
+      if (initializers == null || initializers.isEmpty()) {
+        initializers = authFilterName;
+      } else if (!initializers.contains(authFilterName)) {
+        initializers = authFilterName + "," + initializers;
+      }
+      conf.set("hadoop.http.filter.initializers", initializers);
+    }
+    Builder<Object> webAppBuilder =
+        WebApps.$for("llap").at(bindAddress).at(port).with(conf);
+    if (UserGroupInformation.isSecurityEnabled()) {
+      webAppBuilder.withHttpPolicy(conf, Policy.HTTPS_ONLY);
+    }
+    this.webApp = webAppBuilder.start();
   }
 
   public void serviceStop() throws Exception {
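Review bot: The Kerberos branch of `serviceStart` reuses the daemon's `LLAP_KERBEROS_PRINCIPAL` and `LLAP_KERBEROS_KEYTAB_FILE` for `hadoop.http.authentication.kerberos.*`, but SPNEGO clients normally request a ticket for an `HTTP/<host>` service principal, so this probably only authenticates when that keytab also holds an HTTP principal. This is worth confirming, and at least documenting with a comment such as `// SPNEGO needs an HTTP/<host> principal in this keytab`. When security is enabled and `hive.llap.auto.auth` is false, the UI still binds `0.0.0.0` with only `Policy.HTTPS_ONLY` applied and nothing reports whether any authentication filter is configured; a startup warning on that path, plus a sentence in the HiveConf description, would help operators notice an unauthenticated endpoint. The `initializers.contains(authFilterName)` test is a substring match on a comma-separated list, so `conf.getTrimmedStringCollection("hadoop.http.filter.initializers").contains(authFilterName)` would avoid a false hit on a longer class name. The branch-2.0 commit further down the page carries the same hunk.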


[2/2] hive git commit: HIVE-12422 : LLAP: add security to Web UI endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)

Posted by se...@apache.org.
HIVE-12422 : LLAP: add security to Web UI endpoint (Sergey Shelukhin, reviewed by Siddharth Seth)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/005eb618
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/005eb618
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/005eb618

Branch: refs/heads/branch-2.0
Commit: 005eb6181b7ac0f02f120de80df7afc982f52445
Parents: 3cbcda5
Author: Sergey Shelukhin <se...@apache.org>
Authored: Fri Dec 11 15:51:48 2015 -0800
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Fri Dec 11 15:52:13 2015 -0800

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   |  2 ++
 .../daemon/services/impl/LlapWebServices.java   | 33 ++++++++++++++++----
 2 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/005eb618/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index c7942fe..36e281a 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2394,6 +2394,8 @@ public class HiveConf extends Configuration {
         "LLAP delegation token lifetime, in seconds if specified without a unit."),
     LLAP_MANAGEMENT_RPC_PORT("hive.llap.management.rpc.port", 15004,
         "RPC port for LLAP daemon management service."),
+    LLAP_WEB_AUTO_AUTH("hive.llap.auto.auth", true,
+        "Whether or not to set Hadoop configs to enable auth in LLAP web app."),
 
     LLAP_DAEMON_RPC_NUM_HANDLERS("hive.llap.daemon.rpc.num.handlers", 5,
       "Number of RPC handlers for LLAP daemon.", "llap.daemon.rpc.num.handlers"),

http://git-wip-us.apache.org/repos/asf/hive/blob/005eb618/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
index 7856663..ed51f3c 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java
@@ -20,16 +20,19 @@ package org.apache.hadoop.hive.llap.daemon.services.impl;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.http.HttpConfig.Policy;
+import org.apache.hadoop.security.AuthenticationFilterInitializer;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.webapp.WebApp;
 import org.apache.hadoop.yarn.webapp.WebApps;
+import org.apache.hadoop.yarn.webapp.WebApps.Builder;
 
 public class LlapWebServices extends AbstractService {
 
 
   private int port;
-  private boolean ssl;
   private Configuration conf;
   private WebApp webApp;
   private LlapWebApp webAppInstance;
@@ -45,7 +48,6 @@ public class LlapWebServices extends AbstractService {
     this.conf.addResource(YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
 
     this.port = HiveConf.getIntVar(conf, ConfVars.LLAP_DAEMON_WEB_PORT);
-    this.ssl = HiveConf.getBoolVar(conf, ConfVars.LLAP_DAEMON_WEB_SSL);
 
     this.webAppInstance = new LlapWebApp();
   }
@@ -53,10 +55,29 @@ public class LlapWebServices extends AbstractService {
   @Override
   public void serviceStart() throws Exception {
     String bindAddress = "0.0.0.0";
-    this.webApp =
-        WebApps.$for("llap").at(bindAddress).at(port).with(getConfig())
-        /* TODO: security negotiation here */
-            .start();
+    Configuration conf = getConfig();
+    if (UserGroupInformation.isSecurityEnabled()
+        && HiveConf.getBoolVar(conf, ConfVars.LLAP_WEB_AUTO_AUTH)) {
+      conf.set("hadoop.http.authentication.type", "kerberos");
+      conf.set("hadoop.http.authentication.kerberos.principal",
+          HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL));
+      conf.set("hadoop.http.authentication.kerberos.keytab",
+          HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE));
+      String authFilterName = AuthenticationFilterInitializer.class.getName();
+      String initializers = conf.getTrimmed("hadoop.http.filter.initializers");
+      if (initializers == null || initializers.isEmpty()) {
+        initializers = authFilterName;
+      } else if (!initializers.contains(authFilterName)) {
+        initializers = authFilterName + "," + initializers;
+      }
+      conf.set("hadoop.http.filter.initializers", initializers);
+    }
+    Builder<Object> webAppBuilder =
+        WebApps.$for("llap").at(bindAddress).at(port).with(conf);
+    if (UserGroupInformation.isSecurityEnabled()) {
+      webAppBuilder.withHttpPolicy(conf, Policy.HTTPS_ONLY);
+    }
+    this.webApp = webAppBuilder.start();
   }
 
   public void serviceStop() throws Exception {