Posted to commits@hive.apache.org by ek...@apache.org on 2014/10/30 20:16:52 UTC

svn commit: r1635594 - in /hive/trunk: hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/ ql/src/java/org/apache/hadoop/hive/ql/security/ shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/

Author: ekoifman
Date: Thu Oct 30 19:16:51 2014
New Revision: 1635594

URL: http://svn.apache.org/r1635594
Log:
HIVE-8643 DDL operations via WebHCat with doAs parameter in secure cluster fail

Modified:
    hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
    hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java

Modified: hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
URL: http://svn.apache.org/viewvc/hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java (original)
+++ hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java Thu Oct 30 19:16:51 2014
@@ -121,9 +121,9 @@ public class SecureProxySupport {
     if (isEnabled) {
       args.add("-D");
       args.add("hive.metastore.token.signature=" + getHcatServiceStr());
-      args.add("-D");
-      args.add("proxy.user.name=" + user);
     }
+    args.add("-D");
+    args.add("proxy.user.name=" + user);
   }
 
   class TokenWrapper {
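Review bot: Now that the `proxy.user.name` argument sits outside the `if (isEnabled)` block, it is appended on every call, and a null `user` would be concatenated into the literal `proxy.user.name=null`. The check this commit adds in `HadoopShimsSecure.getUGIForConf` only rejects null and empty strings, so that literal would be treated as a real account name to proxy. Whether `user` can be null or empty here is not visible, because the method starts outside the hunk. If it can, wrap the two added lines in `if (user != null && !user.isEmpty()) {` so no override is sent when there is no end user.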
@@ -140,6 +140,7 @@ public class SecureProxySupport {
     ugi.doAs(new PrivilegedExceptionAction<Object>() {
       public Object run() throws IOException {
         FileSystem fs = FileSystem.get(conf);
+        //todo: according to JavaDoc this seems like private API: addDelegationToken should be used
         twrapper.token = fs.getDelegationToken(ugi.getShortUserName());
         return null;
       }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java Thu Oct 30 19:16:51 2014
@@ -30,6 +30,8 @@ import org.apache.hadoop.security.UserGr
  * but honours a proxy config setting proxy.user.name instead of the
  * current user if set. This allows server processes like webhcat which
  * proxy other users to easily specify an override if allowed.
+ *
+ * It is no longer necessary to use this class with WebHCat as of Hive 0.14.
  */
 public class ProxyUserAuthenticator extends HadoopDefaultAuthenticator {
 

Modified: hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
URL: http://svn.apache.org/viewvc/hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java (original)
+++ hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java Thu Oct 30 19:16:51 2014
@@ -463,6 +463,16 @@ public abstract class HadoopShimsSecure 
 
   @Override
   public UserGroupInformation getUGIForConf(Configuration conf) throws IOException {
+    String doAs = conf.get("proxy.user.name");
+    if(doAs != null && doAs.length() > 0) {
+     /*
+      * this allows doAs (proxy user) to be passed along across process boundary where
+      * delegation tokens are not supported.  For example, a DDL stmt via WebHCat with
+      * a doAs parameter, forks to 'hcat' which needs to start a Session that
+      * proxies the end user
+      */
+      return UserGroupInformation.createProxyUser(doAs, UserGroupInformation.getLoginUser());
+    }
     return UserGroupInformation.getCurrentUser();
   }
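Review bot: `getUGIForConf` now builds a proxy UGI from `proxy.user.name` for every caller of this shim, not only the WebHCat-to-hcat fork the comment describes, and `UserGroupInformation.createProxyUser` performs no authorization of its own. The remaining control is the Hadoop proxy-user configuration (`hadoop.proxyuser.*.hosts` / `hadoop.proxyuser.*.groups`) enforced by the services that receive the call. The block comment should state that dependency, and that the property is trusted only because it is set by the launching server process. If this class has a logger, recording the login user and the `doAs` target when this branch is taken would give an audit trail for impersonation. The guard would also be safer as `if (doAs != null && !doAs.trim().isEmpty()) {`, so that a whitespace-only value falls through to `getCurrentUser()`.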