Posted to commits@hive.apache.org by ha...@apache.org on 2013/04/20 05:40:10 UTC
svn commit: r1470102 - in /hive/trunk:
common/src/java/org/apache/hadoop/hive/conf/ conf/
service/src/java/org/apache/hive/service/auth/
service/src/java/org/apache/hive/service/cli/
service/src/java/org/apache/hive/service/cli/thrift/ service/src/test...
Author: hashutosh
Date: Sat Apr 20 03:40:10 2013
New Revision: 1470102
URL: http://svn.apache.org/r1470102
Log:
HIVE-4356 : remove duplicate impersonation parameters for hiveserver2 (Gunther Hagleitner via Ashutosh Chauhan)
Added:
hive/trunk/service/src/test/org/apache/hive/service/auth/
hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java
hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/
hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java
Modified:
hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
hive/trunk/conf/hive-default.xml.template
hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java
hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Sat Apr 20 03:40:10 2013
@@ -709,8 +709,8 @@ public class HiveConf extends Configurat
HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal", ""),
HIVE_SERVER2_PLAIN_LDAP_URL("hive.server2.authentication.ldap.url", null),
HIVE_SERVER2_PLAIN_LDAP_BASEDN("hive.server2.authentication.ldap.baseDN", null),
- HIVE_SERVER2_KERBEROS_IMPERSONATION("hive.server2.enable.impersonation", false),
HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS("hive.server2.custom.authentication.class", null),
+ HIVE_SERVER2_ENABLE_DOAS("hive.server2.enable.doAs", true),
HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", null),
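Review bot: Removing `HIVE_SERVER2_KERBEROS_IMPERSONATION` drops the `hive.server2.enable.impersonation` key with no deprecation path, while its replacement `hive.server2.enable.doAs` defaults to `true`. A site that relied on the old key, whether left at its `false` default or set explicitly, would as far as this hunk shows start impersonating callers after an upgrade with no configuration change and no log message. Consider honouring the old key for one release, or logging a warning when it is present, and add a comment on the new entry such as `// replaces hive.server2.enable.impersonation; default changed from false to true`. The enum body continues outside the hunk.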
Modified: hive/trunk/conf/hive-default.xml.template
URL: http://svn.apache.org/viewvc/hive/trunk/conf/hive-default.xml.template?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/conf/hive-default.xml.template (original)
+++ hive/trunk/conf/hive-default.xml.template Sat Apr 20 03:40:10 2013
@@ -1841,7 +1841,6 @@
</description>
</property>
-
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value></value>
@@ -1850,5 +1849,15 @@
</description>
</property>
+<property>
+ <name>hive.server2.enable.doAs</name>
+ <value>true</value>
+ <description>
+ Setting this property to true will have hive server2 execute
+ hive operations as the user making the calls to it.
+ </description>
+</property>
+
+
</configuration>
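Review bot: The description added for `hive.server2.enable.doAs` does not say what happens when the value is false or what the server needs for true to work. Since the shipped default is `true`, operators would benefit from a sentence stating that with `false` operations run as the HiveServer2 process user. It should probably also say that `true` requires the cluster to permit that account to impersonate others through the Hadoop proxy-user settings; this is inferred rather than shown in the commit, so confirm it before adding it to the text. The description could also mention that this property replaces `hive.server2.enable.impersonation`.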
Modified: hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java Sat Apr 20 03:40:10 2013
@@ -103,7 +103,7 @@ public class PlainSaslHelper {
super(null);
this.service = service;
this.conf = service.getHiveConf();
- this.doAsEnabled = conf.getBoolean("hive.server2.enable.doAs", false);
+ this.doAsEnabled = conf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS);
}
@Override
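Review bot: The fallback for `doAsEnabled` changes from `false` to `true` on this line, because `getBoolVar` takes the default from `HiveConf` instead of the literal that was passed to `getBoolean`. This helper serves the PLAIN (non-Kerberos) transport, where the user name may be asserted by the client rather than verified, depending on the configured authentication provider. Acting as that user by default deserves an explicit comment, e.g. `// doAs is on by default; with unauthenticated PLAIN the identity is client-asserted`. Whether the processor chosen when `doAsEnabled` is true trusts a client-supplied identity is not visible here and should be confirmed. The constructor begins outside the hunk.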
Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java Sat Apr 20 03:40:10 2013
@@ -309,7 +309,7 @@ public class CLIService extends Composit
public synchronized String getDelegationTokenFromMetaStore(String owner)
throws HiveSQLException, UnsupportedOperationException, LoginException, IOException {
if (!hiveConf.getBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL) ||
- !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION)) {
+ !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
throw new UnsupportedOperationException(
"delegation token is can only be obtained for a secure remote metastore");
}
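Review bot: The exception message does not match the guard above it: the method also refuses when `hive.server2.enable.doAs` is false, yet the text mentions only a secure remote metastore and contains a grammar slip ("is can only"). Suggest `"delegation token can only be obtained for a secure remote metastore with doAs enabled"`, so an operator can tell which of the two settings caused the refusal. The method body continues outside the hunk.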
Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Sat Apr 20 03:40:10 2013
@@ -18,16 +18,20 @@
package org.apache.hive.service.cli.thrift;
+import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Map;
+import javax.security.auth.login.LoginException;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hive.service.AbstractService;
import org.apache.hive.service.auth.HiveAuthFactory;
+import org.apache.hive.service.cli.CLIService;
import org.apache.hive.service.cli.FetchOrientation;
import org.apache.hive.service.cli.GetInfoType;
import org.apache.hive.service.cli.GetInfoValue;
@@ -35,7 +39,6 @@ import org.apache.hive.service.cli.HiveS
import org.apache.hive.service.cli.OperationHandle;
import org.apache.hive.service.cli.OperationState;
import org.apache.hive.service.cli.RowSet;
-import org.apache.hive.service.cli.CLIService;
import org.apache.hive.service.cli.SessionHandle;
import org.apache.hive.service.cli.TableSchema;
import org.apache.thrift.TException;
@@ -110,28 +113,7 @@ public class ThriftCLIService extends Ab
public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException {
TOpenSessionResp resp = new TOpenSessionResp();
try {
- String userName;
- if (hiveAuthFactory != null
- && hiveAuthFactory.getRemoteUser() != null) {
- userName = hiveAuthFactory.getRemoteUser();
- } else {
- userName = req.getUsername();
- }
- SessionHandle sessionHandle = null;
- if (cliService.getHiveConf().
- getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION)) {
- String delegationTokenStr = null;
- try {
- delegationTokenStr = cliService.getDelegationTokenFromMetaStore(userName);
- } catch (UnsupportedOperationException e) {
- // The delegation token is not applicable in the given deployment mode
- }
- sessionHandle = cliService.openSessionWithImpersonation(userName, req.getPassword(),
- req.getConfiguration(), delegationTokenStr);
- } else {
- sessionHandle = cliService.openSession(userName, req.getPassword(),
- req.getConfiguration());
- }
+ SessionHandle sessionHandle = getSessionHandle(req);
resp.setSessionHandle(sessionHandle.toTSessionHandle());
// TODO: set real configuration map
resp.setConfiguration(new HashMap<String, String>());
@@ -143,6 +125,44 @@ public class ThriftCLIService extends Ab
return resp;
}
+ private String getUserName(TOpenSessionReq req) {
+ if (hiveAuthFactory != null
+ && hiveAuthFactory.getRemoteUser() != null) {
+ return hiveAuthFactory.getRemoteUser();
+ } else {
+ return req.getUsername();
+ }
+ }
+
+ SessionHandle getSessionHandle(TOpenSessionReq req)
+ throws HiveSQLException, LoginException, IOException {
+
+ String userName = getUserName(req);
+
+ SessionHandle sessionHandle = null;
+ if (
+ cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+ .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString())
+ &&
+ cliService.getHiveConf().
+ getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS)
+ )
+ {
+ String delegationTokenStr = null;
+ try {
+ delegationTokenStr = cliService.getDelegationTokenFromMetaStore(userName);
+ } catch (UnsupportedOperationException e) {
+ // The delegation token is not applicable in the given deployment mode
+ }
+ sessionHandle = cliService.openSessionWithImpersonation(userName, req.getPassword(),
+ req.getConfiguration(), delegationTokenStr);
+ } else {
+ sessionHandle = cliService.openSession(userName, req.getPassword(),
+ req.getConfiguration());
+ }
+ return sessionHandle;
+ }
+
@Override
public TCloseSessionResp CloseSession(TCloseSessionReq req) throws TException {
TCloseSessionResp resp = new TCloseSessionResp();
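Review bot: In `getSessionHandle` the impersonation branch can run with a user name taken from the request: `getUserName` falls back to `req.getUsername()` whenever `hiveAuthFactory` is null or `getRemoteUser()` returns null, and that value is passed to `getDelegationTokenFromMetaStore` and `openSessionWithImpersonation`. In Kerberos mode the impersonated identity should come only from the authenticated transport, so the branch could fail closed, e.g. `if (hiveAuthFactory == null || hiveAuthFactory.getRemoteUser() == null) throw new HiveSQLException("no authenticated user for doAs");`. The new `testDoAs` relies on the fallback and would need a stubbed authenticated user. Separately, the authentication type is compared with a case-sensitive `equals`, so a differently-cased setting would silently select the non-impersonating `openSession` path; `equalsIgnoreCase` would avoid that.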
Added: hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java?rev=1470102&view=auto
==============================================================================
--- hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java (added)
+++ hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java Sat Apr 20 03:40:10 2013
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.service.cli.CLIService;
+import org.apache.hive.service.cli.thrift.ThriftCLIService;
+import org.apache.thrift.TProcessorFactory;
+
+public class TestPlainSaslHelper extends TestCase {
+
+ /**
+ * Test setting {@link HiveConf.ConfVars}} config parameter
+ * HIVE_SERVER2_ENABLE_DOAS for unsecure mode
+ */
+ public void testDoAsSetting(){
+
+ HiveConf hconf = new HiveConf();
+ assertTrue("default value of hive server2 doAs should be true",
+ hconf.getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS));
+
+
+ CLIService cliService = new CLIService();
+ cliService.init(hconf);
+ ThriftCLIService tcliService = new ThriftCLIService(cliService);
+ tcliService.init(hconf);
+ TProcessorFactory procFactory = PlainSaslHelper.getPlainProcessorFactory(tcliService);
+ assertEquals("doAs enabled processor for unsecure mode",
+ procFactory.getProcessor(null).getClass(), TUGIContainingProcessor.class);
+ }
+}
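Review bot: `testDoAsSetting` exercises only the default (`true`) and never sets `HIVE_SERVER2_ENABLE_DOAS` to false, so nothing checks that disabling doAs actually selects a different processor; `testDoAs` in TestThriftCLIService has the same gap for the Kerberos path. A second case that calls `hconf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false)` and asserts the processor is not a `TUGIContainingProcessor` would cover it. The `assertEquals` arguments are in (actual, expected) order; JUnit expects `assertEquals(msg, TUGIContainingProcessor.class, procFactory.getProcessor(null).getClass())`. The Javadoc also has a stray brace in `{@link HiveConf.ConfVars}}`.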
Added: hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java?rev=1470102&view=auto
==============================================================================
--- hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java (added)
+++ hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java Sat Apr 20 03:40:10 2013
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.cli.thrift;
+
+import java.io.IOException;
+import java.util.Collection;
+
+import javax.security.auth.login.LoginException;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.service.Service;
+import org.apache.hive.service.auth.HiveAuthFactory;
+import org.apache.hive.service.cli.CLIService;
+import org.apache.hive.service.cli.HiveSQLException;
+import org.apache.hive.service.cli.SessionHandle;
+import org.apache.hive.service.cli.session.HiveSession;
+import org.apache.hive.service.cli.session.SessionManager;
+
+public class TestThriftCLIService extends TestCase{
+
+ /**
+ * Test setting {@link HiveConf.ConfVars}} config parameter
+ * HIVE_SERVER2_ENABLE_DOAS for kerberos secure mode
+ * @throws IOException
+ * @throws LoginException
+ * @throws HiveSQLException
+ */
+ public void testDoAs() throws HiveSQLException, LoginException, IOException{
+ HiveConf hconf = new HiveConf();
+ assertTrue("default value of hive server2 doAs should be true",
+ hconf.getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS));
+
+ hconf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION,
+ HiveAuthFactory.AuthTypes.KERBEROS.toString());
+
+ CLIService cliService = new CLIService();
+ cliService.init(hconf);
+ ThriftCLIService tcliService = new ThriftCLIService(cliService);
+ TOpenSessionReq req = new TOpenSessionReq();
+ req.setUsername("testuser1");
+ SessionHandle sHandle = tcliService.getSessionHandle(req );
+ SessionManager sManager = getSessionManager(cliService.getServices());
+ HiveSession session = sManager.getSession(sHandle);
+
+ //Proxy class for doing doAs on all calls is used when doAs is enabled
+ // and kerberos security is on
+ assertTrue("check if session class is a proxy", session instanceof java.lang.reflect.Proxy);
+ }
+
+ private SessionManager getSessionManager(Collection<Service> services) {
+ for(Service s : services){
+ if(s instanceof SessionManager){
+ return (SessionManager)s;
+ }
+ }
+ return null;
+ }
+}
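Review bot: `getSessionManager` returns null when no `SessionManager` is registered, and `testDoAs` dereferences the result at `sManager.getSession(sHandle)` without checking it. A setup problem would therefore surface as a NullPointerException rather than as a test failure with a message. Add `assertNotNull("SessionManager service not found", sManager);` before the lookup. The session opened through `getSessionHandle` is never closed and `cliService` is never stopped, which may leak state into other tests in the same JVM; releasing them in a `finally` block or `tearDown` would keep the test isolated.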