Posted to commits@hive.apache.org by ha...@apache.org on 2013/04/20 05:40:10 UTC

svn commit: r1470102 - in /hive/trunk: common/src/java/org/apache/hadoop/hive/conf/ conf/ service/src/java/org/apache/hive/service/auth/ service/src/java/org/apache/hive/service/cli/ service/src/java/org/apache/hive/service/cli/thrift/ service/src/test...

Author: hashutosh
Date: Sat Apr 20 03:40:10 2013
New Revision: 1470102

URL: http://svn.apache.org/r1470102
Log:
HIVE-4356 :  remove duplicate impersonation parameters for hiveserver2 (Gunther Hagleitner via Ashutosh Chauhan)

Added:
    hive/trunk/service/src/test/org/apache/hive/service/auth/
    hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java
    hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/
    hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java
Modified:
    hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
    hive/trunk/conf/hive-default.xml.template
    hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
    hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java
    hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java

Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Sat Apr 20 03:40:10 2013
@@ -709,8 +709,8 @@ public class HiveConf extends Configurat
     HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal", ""),
     HIVE_SERVER2_PLAIN_LDAP_URL("hive.server2.authentication.ldap.url", null),
     HIVE_SERVER2_PLAIN_LDAP_BASEDN("hive.server2.authentication.ldap.baseDN", null),
-    HIVE_SERVER2_KERBEROS_IMPERSONATION("hive.server2.enable.impersonation", false),
     HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS("hive.server2.custom.authentication.class", null),
+    HIVE_SERVER2_ENABLE_DOAS("hive.server2.enable.doAs", true),
 
     HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", null),
 
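Review bot: `HIVE_SERVER2_ENABLE_DOAS` defaults to true, while both settings it replaces defaulted to false: `hive.server2.enable.impersonation` in this hunk and the literal `conf.getBoolean("hive.server2.enable.doAs", false)` in the PlainSaslHelper hunk. The old key is also dropped with no fallback, so as far as this diff shows, a deployment that relied on the old default or had explicitly set `hive.server2.enable.impersonation` to false would start running operations as the connecting user after upgrade without any warning. I would record that on the enum entry, e.g. `// Replaces hive.server2.enable.impersonation; default changed from false to true.`, and consider logging a warning when the old key is still present in the configuration. The new description in hive-default.xml.template does not mention the replaced key or the changed default either.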

Modified: hive/trunk/conf/hive-default.xml.template
URL: http://svn.apache.org/viewvc/hive/trunk/conf/hive-default.xml.template?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/conf/hive-default.xml.template (original)
+++ hive/trunk/conf/hive-default.xml.template Sat Apr 20 03:40:10 2013
@@ -1841,7 +1841,6 @@
   </description>
 </property>
 
-
 <property>
   <name>hive.server2.authentication.ldap.baseDN</name>
   <value></value>
@@ -1850,5 +1849,15 @@
   </description>
 </property>
 
+<property>
+  <name>hive.server2.enable.doAs</name>
+  <value>true</value>
+  <description>
+   Setting this property to true will have hive server2 execute
+    hive operations as the user making the calls to it.
+  </description>
+</property>
+
+
 </configuration>
 

Modified: hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java Sat Apr 20 03:40:10 2013
@@ -103,7 +103,7 @@ public class PlainSaslHelper {
       super(null);
       this.service = service;
       this.conf = service.getHiveConf();
-      this.doAsEnabled = conf.getBoolean("hive.server2.enable.doAs", false);
+      this.doAsEnabled = conf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS);
     }
 
     @Override

Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/cli/CLIService.java Sat Apr 20 03:40:10 2013
@@ -309,7 +309,7 @@ public class CLIService extends Composit
   public synchronized String getDelegationTokenFromMetaStore(String owner)
       throws HiveSQLException, UnsupportedOperationException, LoginException, IOException {
     if (!hiveConf.getBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL) ||
-        !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION)) {
+        !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS)) {
       throw new UnsupportedOperationException(
         "delegation token is can only be obtained for a secure remote metastore");
     }

Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1470102&r1=1470101&r2=1470102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Sat Apr 20 03:40:10 2013
@@ -18,16 +18,20 @@
 
 package org.apache.hive.service.cli.thrift;
 
+import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.security.auth.login.LoginException;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hive.service.AbstractService;
 import org.apache.hive.service.auth.HiveAuthFactory;
+import org.apache.hive.service.cli.CLIService;
 import org.apache.hive.service.cli.FetchOrientation;
 import org.apache.hive.service.cli.GetInfoType;
 import org.apache.hive.service.cli.GetInfoValue;
@@ -35,7 +39,6 @@ import org.apache.hive.service.cli.HiveS
 import org.apache.hive.service.cli.OperationHandle;
 import org.apache.hive.service.cli.OperationState;
 import org.apache.hive.service.cli.RowSet;
-import org.apache.hive.service.cli.CLIService;
 import org.apache.hive.service.cli.SessionHandle;
 import org.apache.hive.service.cli.TableSchema;
 import org.apache.thrift.TException;
@@ -110,28 +113,7 @@ public class ThriftCLIService extends Ab
   public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException {
     TOpenSessionResp resp = new TOpenSessionResp();
     try {
-      String userName;
-      if (hiveAuthFactory != null
-          && hiveAuthFactory.getRemoteUser() != null) {
-        userName = hiveAuthFactory.getRemoteUser();
-      } else {
-        userName = req.getUsername();
-      }
-      SessionHandle sessionHandle = null;
-      if (cliService.getHiveConf().
-          getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION)) {
-        String delegationTokenStr = null;
-        try {
-          delegationTokenStr = cliService.getDelegationTokenFromMetaStore(userName);
-        } catch (UnsupportedOperationException e) {
-          // The delegation token is not applicable in the given deployment mode
-        }
-        sessionHandle = cliService.openSessionWithImpersonation(userName, req.getPassword(),
-              req.getConfiguration(), delegationTokenStr);
-      } else {
-        sessionHandle = cliService.openSession(userName, req.getPassword(),
-              req.getConfiguration());
-      }
+      SessionHandle sessionHandle = getSessionHandle(req);
       resp.setSessionHandle(sessionHandle.toTSessionHandle());
       // TODO: set real configuration map
       resp.setConfiguration(new HashMap<String, String>());
@@ -143,6 +125,44 @@ public class ThriftCLIService extends Ab
     return resp;
   }
 
+  private String getUserName(TOpenSessionReq req) {
+    if (hiveAuthFactory != null
+        && hiveAuthFactory.getRemoteUser() != null) {
+      return hiveAuthFactory.getRemoteUser();
+    } else {
+      return req.getUsername();
+    }
+  }
+
+  SessionHandle getSessionHandle(TOpenSessionReq req)
+      throws HiveSQLException, LoginException, IOException {
+
+    String userName = getUserName(req);
+
+    SessionHandle sessionHandle = null;
+    if (
+        cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+        .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString())
+        &&
+        cliService.getHiveConf().
+        getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS)
+        )
+    {
+      String delegationTokenStr = null;
+      try {
+        delegationTokenStr = cliService.getDelegationTokenFromMetaStore(userName);
+      } catch (UnsupportedOperationException e) {
+        // The delegation token is not applicable in the given deployment mode
+      }
+      sessionHandle = cliService.openSessionWithImpersonation(userName, req.getPassword(),
+            req.getConfiguration(), delegationTokenStr);
+    } else {
+      sessionHandle = cliService.openSession(userName, req.getPassword(),
+            req.getConfiguration());
+    }
+    return sessionHandle;
+  }
+
   @Override
   public TCloseSessionResp CloseSession(TCloseSessionReq req) throws TException {
     TCloseSessionResp resp = new TCloseSessionResp();
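Review bot: In `getSessionHandle`, the Kerberos/doAs branch impersonates whatever `getUserName` returns, and `getUserName` falls back to the client-supplied `req.getUsername()` whenever `hiveAuthFactory.getRemoteUser()` is null. Nothing in this hunk ensures the name came from the authenticated transport before it is passed to `getDelegationTokenFromMetaStore` and `openSessionWithImpersonation`; the new `testDoAs` reaches the proxy session with only `req.setUsername(...)` set. Whether the SASL layer always populates the remote user under Kerberos is not visible here, so I would guard the branch explicitly, e.g. `if (hiveAuthFactory == null || hiveAuthFactory.getRemoteUser() == null) { throw new HiveSQLException("No authenticated user for doAs session"); }`, and adjust the test to match. Separately, the auth-type comparison is safer written constant-first, `HiveAuthFactory.AuthTypes.KERBEROS.toString().equals(...)`, so an unset value cannot throw. The trailing `CloseSession` lines are context whose body continues outside the hunk.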

Added: hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java?rev=1470102&view=auto
==============================================================================
--- hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java (added)
+++ hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java Sat Apr 20 03:40:10 2013
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.service.cli.CLIService;
+import org.apache.hive.service.cli.thrift.ThriftCLIService;
+import org.apache.thrift.TProcessorFactory;
+
+public class TestPlainSaslHelper extends TestCase {
+
+  /**
+   * Test setting {@link HiveConf.ConfVars}} config parameter
+   *   HIVE_SERVER2_ENABLE_DOAS for unsecure mode
+   */
+  public void testDoAsSetting(){
+
+    HiveConf hconf = new HiveConf();
+    assertTrue("default value of hive server2 doAs should be true",
+        hconf.getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS));
+
+
+    CLIService cliService = new CLIService();
+    cliService.init(hconf);
+    ThriftCLIService tcliService = new ThriftCLIService(cliService);
+    tcliService.init(hconf);
+    TProcessorFactory procFactory = PlainSaslHelper.getPlainProcessorFactory(tcliService);
+    assertEquals("doAs enabled processor for unsecure mode",
+        procFactory.getProcessor(null).getClass(), TUGIContainingProcessor.class);
+  }
+}
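Review bot: `testDoAsSetting` only exercises the default (doAs on); no case sets `ConfVars.HIVE_SERVER2_ENABLE_DOAS` to false and checks that `getPlainProcessorFactory` then returns something other than a `TUGIContainingProcessor`, and `TestThriftCLIService.testDoAs` has the same gap. Because this switch decides whose identity operations run under, the disabled path deserves its own assertion, starting from `hconf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false);`. The `assertEquals` arguments are in actual/expected order; JUnit expects `assertEquals(msg, TUGIContainingProcessor.class, procFactory.getProcessor(null).getClass())`, otherwise a failure message reads backwards. The Javadoc also has a stray brace in `{@link HiveConf.ConfVars}}`.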

Added: hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java?rev=1470102&view=auto
==============================================================================
--- hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java (added)
+++ hive/trunk/service/src/test/org/apache/hive/service/cli/thrift/TestThriftCLIService.java Sat Apr 20 03:40:10 2013
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.cli.thrift;
+
+import java.io.IOException;
+import java.util.Collection;
+
+import javax.security.auth.login.LoginException;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.service.Service;
+import org.apache.hive.service.auth.HiveAuthFactory;
+import org.apache.hive.service.cli.CLIService;
+import org.apache.hive.service.cli.HiveSQLException;
+import org.apache.hive.service.cli.SessionHandle;
+import org.apache.hive.service.cli.session.HiveSession;
+import org.apache.hive.service.cli.session.SessionManager;
+
+public class TestThriftCLIService extends TestCase{
+
+  /**
+   * Test setting {@link HiveConf.ConfVars}} config parameter
+   *   HIVE_SERVER2_ENABLE_DOAS for kerberos secure mode
+   * @throws IOException
+   * @throws LoginException
+   * @throws HiveSQLException
+   */
+  public void testDoAs() throws HiveSQLException, LoginException, IOException{
+    HiveConf hconf = new HiveConf();
+    assertTrue("default value of hive server2 doAs should be true",
+        hconf.getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS));
+
+    hconf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION,
+        HiveAuthFactory.AuthTypes.KERBEROS.toString());
+
+    CLIService cliService = new CLIService();
+    cliService.init(hconf);
+    ThriftCLIService tcliService = new ThriftCLIService(cliService);
+    TOpenSessionReq req = new TOpenSessionReq();
+    req.setUsername("testuser1");
+    SessionHandle sHandle = tcliService.getSessionHandle(req );
+    SessionManager sManager = getSessionManager(cliService.getServices());
+    HiveSession session = sManager.getSession(sHandle);
+
+    //Proxy class for doing doAs on all calls is used when doAs is enabled
+    // and kerberos security is on
+    assertTrue("check if session class is a proxy", session instanceof java.lang.reflect.Proxy);
+  }
+
+  private SessionManager getSessionManager(Collection<Service> services) {
+    for(Service s : services){
+      if(s instanceof SessionManager){
+        return (SessionManager)s;
+      }
+    }
+    return null;
+  }
+}
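Review bot: `getSessionManager` returns null when no `SessionManager` is among the services, so `sManager.getSession(sHandle)` in `testDoAs` would fail with a NullPointerException instead of a readable assertion; add `assertNotNull("SessionManager service not found", sManager);` before it is used. The test also never closes the session or stops `cliService`, which may leak state into other tests in the same JVM, though the teardown conventions are not visible from this diff. The bare `@throws` tags in the Javadoc carry no description and could be filled in or dropped.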