Posted to commits@hive.apache.org by sp...@apache.org on 2015/09/28 05:12:02 UTC
hive git commit: HIVE-10048: JDBC - Support SSL encryption regardless
of Authentication mechanism (Mubashir Kazia, reviewed by Sergio Pena)
Repository: hive
Updated Branches:
refs/heads/master e570e4f0c -> abe622be4
HIVE-10048: JDBC - Support SSL encryption regardless of Authentication mechanism (Mubashir Kazia, reviewed by Sergio Pena)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/abe622be
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/abe622be
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/abe622be
Branch: refs/heads/master
Commit: abe622be4e82781ea831da3d01c093cdf532c93d
Parents: e570e4f
Author: Sergio Pena <se...@cloudera.com>
Authored: Sun Sep 27 22:10:22 2015 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Sun Sep 27 22:10:22 2015 -0500
----------------------------------------------------------------------
.../org/apache/hive/jdbc/HiveConnection.java | 63 ++++++++++++--------
1 file changed, 37 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/abe622be/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
----------------------------------------------------------------------
diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
index ba971fd..2969bc6 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
@@ -419,6 +419,38 @@ public class HiveConnection implements java.sql.Connection {
}
/**
+ * Create underlying SSL or non-SSL transport
+ *
+ * @return TTransport
+ * @throws TTransportException
+ */
+ private TTransport createUnderlyingTransport() throws TTransportException {
+ TTransport transport = null;
+ // Note: Thrift returns an SSL socket that is already bound to the specified host:port
+ // Therefore an open called on this would be a no-op later
+ // Hence, any TTransportException related to connecting with the peer are thrown here.
+ // Bubbling them up the call hierarchy so that a retry can happen in openTransport,
+ // if dynamic service discovery is configured.
+ if (isSslConnection()) {
+ // get SSL socket
+ String sslTrustStore = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
+ String sslTrustStorePassword = sessConfMap.get(
+ JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+
+ if (sslTrustStore == null || sslTrustStore.isEmpty()) {
+ transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout);
+ } else {
+ transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout,
+ sslTrustStore, sslTrustStorePassword);
+ }
+ } else {
+ // get non-SSL socket transport
+ transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout);
+ }
+ return transport;
+ }
+
+ /**
* Create transport per the connection options
* Supported transport options are:
* - SASL based transports over
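Review bot: The no-truststore branch in `createUnderlyingTransport` (`sslTrustStore == null || sslTrustStore.isEmpty()`) does not say what the server certificate is validated against when the three-argument `HiveAuthFactory.getSSLSocket` is used, and the Javadoc tags `@return TTransport` and `@throws TTransportException` carry no description. I would add a comment such as `// no trust store configured: validation uses the helper's default trust anchors (presumably the JVM default trust store; confirm, including whether the host name is checked)`, and document the exception as `@throws TTransportException if the socket cannot be created or, for SSL, the connection to host:port fails`, which is what the moved block comment already states. The local `TTransport transport = null;` also appears to shadow the `transport` that `createBinaryTransport` assigns in the later hunks; returning from each branch directly would avoid the name.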
@@ -433,6 +465,7 @@ public class HiveConnection implements java.sql.Connection {
*/
private TTransport createBinaryTransport() throws SQLException, TTransportException {
try {
+ TTransport socketTransport = createUnderlyingTransport();
// handle secure connection if specified
if (!JdbcConnectionParams.AUTH_SIMPLE.equals(sessConfMap.get(JdbcConnectionParams.AUTH_TYPE))) {
// If Kerberos
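Review bot: `socketTransport` is declared inside the `try` at the top of `createBinaryTransport`, so when a later SASL step throws, the `catch (SaslException e)` visible at the end of the next hunk cannot reach it and the socket is not closed there. According to the comment moved into `createUnderlyingTransport`, the SSL socket is already connected when it is returned, so with this change the Kerberos and delegation-token branches can also leave an open TLS connection behind on failure. Declaring `TTransport socketTransport = null;` before the `try` and calling `if (socketTransport != null) socketTransport.close();` in the catch before the `SQLException` is thrown would release it. The rest of `createBinaryTransport` and of the catch body lies outside the visible hunks, so any cleanup further down is not shown.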
@@ -454,46 +487,24 @@ public class HiveConnection implements java.sql.Connection {
if (sessConfMap.containsKey(JdbcConnectionParams.AUTH_PRINCIPAL)) {
transport = KerberosSaslHelper.getKerberosTransport(
sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host,
- HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps,
- assumeSubject);
+ socketTransport, saslProps, assumeSubject);
} else {
// If there's a delegation token available then use token based connection
String tokenStr = getClientDelegationToken(sessConfMap);
if (tokenStr != null) {
transport = KerberosSaslHelper.getTokenTransport(tokenStr,
- host, HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps);
+ host, socketTransport, saslProps);
} else {
// we are using PLAIN Sasl connection with user/password
String userName = getUserName();
String passwd = getPassword();
- // Note: Thrift returns an SSL socket that is already bound to the specified host:port
- // Therefore an open called on this would be a no-op later
- // Hence, any TTransportException related to connecting with the peer are thrown here.
- // Bubbling them up the call hierarchy so that a retry can happen in openTransport,
- // if dynamic service discovery is configured.
- if (isSslConnection()) {
- // get SSL socket
- String sslTrustStore = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
- String sslTrustStorePassword = sessConfMap.get(
- JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
-
- if (sslTrustStore == null || sslTrustStore.isEmpty()) {
- transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout);
- } else {
- transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout,
- sslTrustStore, sslTrustStorePassword);
- }
- } else {
- // get non-SSL socket transport
- transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout);
- }
// Overlay the SASL transport on top of the base socket transport (SSL or non-SSL)
- transport = PlainSaslHelper.getPlainTransport(userName, passwd, transport);
+ transport = PlainSaslHelper.getPlainTransport(userName, passwd, socketTransport);
}
}
} else {
// Raw socket connection (non-sasl)
- transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout);
+ transport = socketTransport;
}
} catch (SaslException e) {
throw new SQLException("Could not create secure connection to "
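Review bot: The comment above `PlainSaslHelper.getPlainTransport(userName, passwd, socketTransport)` should say that the PLAIN mechanism sends the password without protection of its own, so it is encrypted in transit only when `isSslConnection()` selected the SSL socket. Nothing in this hunk requires SSL for the PLAIN branch, and a reader of this code cannot tell that from `(SSL or non-SSL)`. I would reword it to `// PLAIN sends user/password as-is over socketTransport; they are encrypted in transit only when ssl is enabled`. `createBinaryTransport` starts before this hunk and continues after it.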