Posted to commits@hive.apache.org by se...@apache.org on 2016/07/13 04:36:14 UTC
[02/10] hive git commit: HIVE-14218 : LLAP: ACL validation fails if
the user name is different from principal user name (Sergey Shelukhin,
reviewed by Prasanth Jayachandran)
HIVE-14218 : LLAP: ACL validation fails if the user name is different from principal user name (Sergey Shelukhin, reviewed by Prasanth Jayachandran)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/605e5aa5
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/605e5aa5
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/605e5aa5
Branch: refs/heads/branch-2.1
Commit: 605e5aa5676e705cf8ebdbc1daf7caf817bc27ae
Parents: 744790e
Author: Sergey Shelukhin <se...@apache.org>
Authored: Tue Jul 12 20:27:58 2016 -0700
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Tue Jul 12 20:28:06 2016 -0700
----------------------------------------------------------------------
.../hive/llap/registry/impl/LlapZookeeperRegistryImpl.java | 9 ++-------
.../src/java/org/apache/hadoop/hive/llap/LlapUtil.java | 7 +++++++
.../org/apache/hadoop/hive/llap/security/SecretManager.java | 7 +++++--
3 files changed, 14 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/605e5aa5/llap-client/src/java/org/apache/hadoop/hive/llap/registry/impl/LlapZookeeperRegistryImpl.java
----------------------------------------------------------------------
diff --git a/llap-client/src/java/org/apache/hadoop/hive/llap/registry/impl/LlapZookeeperRegistryImpl.java b/llap-client/src/java/org/apache/hadoop/hive/llap/registry/impl/LlapZookeeperRegistryImpl.java
index 6b0a42e..a3c80a6 100644
--- a/llap-client/src/java/org/apache/hadoop/hive/llap/registry/impl/LlapZookeeperRegistryImpl.java
+++ b/llap-client/src/java/org/apache/hadoop/hive/llap/registry/impl/LlapZookeeperRegistryImpl.java
@@ -50,6 +50,7 @@ import org.apache.curator.utils.CloseableUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.llap.LlapUtil;
import org.apache.hadoop.hive.llap.registry.ServiceInstance;
import org.apache.hadoop.hive.llap.registry.ServiceInstanceSet;
import org.apache.hadoop.hive.llap.registry.ServiceInstanceStateChangeListener;
@@ -734,7 +735,7 @@ public class LlapZookeeperRegistryImpl implements ServiceRegistry {
System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, SASL_LOGIN_CONTEXT_NAME);
principal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
- userNameFromPrincipal = getUserNameFromPrincipal(principal);
+ userNameFromPrincipal = LlapUtil.getUserNameFromPrincipal(principal);
JaasConfiguration jaasConf = new JaasConfiguration(SASL_LOGIN_CONTEXT_NAME, principal,
keyTabFile);
@@ -742,12 +743,6 @@ public class LlapZookeeperRegistryImpl implements ServiceRegistry {
javax.security.auth.login.Configuration.setConfiguration(jaasConf);
}
- private String getUserNameFromPrincipal(String principal) {
- // Based on SecurityUtil.
- String[] components = principal.split("[/@]");
- return (components == null || components.length != 3) ? principal : components[0];
- }
-
/**
* A JAAS configuration for ZooKeeper clients intended to use for SASL
* Kerberos.
http://git-wip-us.apache.org/repos/asf/hive/blob/605e5aa5/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
index 9dcacea..505ddb1 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
@@ -49,4 +49,11 @@ public class LlapUtil {
String hosts = HiveConf.getTrimmedVar(conf, ConfVars.LLAP_DAEMON_SERVICE_HOSTS);
return hostsRe.matcher(hosts.startsWith("@") ? hosts.substring(1) : hosts).replaceAll("_");
}
+
+ public static String getUserNameFromPrincipal(String principal) {
+ // Based on SecurityUtil.
+ if (principal == null) return null;
+ String[] components = principal.split("[/@]");
+ return (components == null || components.length != 3) ? principal : components[0];
+ }
}
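Review bot: The new public `getUserNameFromPrincipal` returns the whole principal string unchanged whenever the split does not yield exactly three parts, so a two-part principal such as `user@REALM` (constructed example) comes back with its realm attached rather than as a short name. `SecretManager.startThreads` in this commit passes the result to `checkRootAcls`, so that fallback now feeds an ACL comparison and should be stated in a Javadoc on the method, e.g. `/** Returns the first component of a three-part principal (name/host@REALM); any other form, including null, is returned unchanged. */`. The `components == null` test is dead code because `String.split` never returns null, so the condition can be reduced to `components.length != 3`.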
http://git-wip-us.apache.org/repos/asf/hive/blob/605e5aa5/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
index dc06cc9..1464278 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
@@ -62,13 +62,16 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent
@Override
public void startThreads() throws IOException {
- LOG.info("Starting ZK threads as user " + UserGroupInformation.getCurrentUser());
+ String principalUser = LlapUtil.getUserNameFromPrincipal(
+ conf.get(SecretManager.ZK_DTSM_ZK_KERBEROS_PRINCIPAL));
+ LOG.info("Starting ZK threads as user " + UserGroupInformation.getCurrentUser()
+ + "; kerberos principal is configured for user (short user name) " + principalUser);
super.startThreads();
if (!HiveConf.getBoolVar(conf, ConfVars.LLAP_VALIDATE_ACLS)
|| !UserGroupInformation.isSecurityEnabled()) return;
String path = conf.get(ZK_DTSM_ZNODE_WORKING_PATH, null);
if (path == null) throw new AssertionError("Path was not set in config");
- checkRootAcls(conf, path, UserGroupInformation.getCurrentUser().getShortUserName());
+ checkRootAcls(conf, path, principalUser);
}
// Workaround for HADOOP-12659 - remove when Hadoop 2.7.X is no longer supported.
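Review bot: `principalUser` is null when `ZK_DTSM_ZK_KERBEROS_PRINCIPAL` is absent from the configuration, and that null is then passed to `checkRootAcls` on the last line of `startThreads`. How `checkRootAcls` treats a null user is not visible in this hunk, but an ACL validation step should fail closed rather than depend on it. A guard in the style of the existing path check would do, placed after the `isSecurityEnabled()` early return: `if (principalUser == null) throw new AssertionError("Kerberos principal was not set in config");`. The log message also labels the value a "short user name", which is accurate only for three-part principals, because `LlapUtil.getUserNameFromPrincipal` returns any other form unchanged.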