Posted to commits@hive.apache.org by se...@apache.org on 2016/05/02 21:03:45 UTC

hive git commit: HIVE-13446 : LLAP: set default management protocol acls to deny all (Sergey Shelukhin, reviewed by Siddharth Seth)

Repository: hive
Updated Branches:
  refs/heads/master 121d70f1c -> 2abea8e16


HIVE-13446 : LLAP: set default management protocol acls to deny all (Sergey Shelukhin, reviewed by Siddharth Seth)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/2abea8e1
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/2abea8e1
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/2abea8e1

Branch: refs/heads/master
Commit: 2abea8e16edc2466628934ffa1861066bb0470e8
Parents: 121d70f
Author: Sergey Shelukhin <se...@apache.org>
Authored: Mon May 2 11:57:34 2016 -0700
Committer: Sergey Shelukhin <se...@apache.org>
Committed: Mon May 2 11:57:34 2016 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   | 10 ++++
 .../daemon/impl/LlapProtocolServerImpl.java     | 57 ++++++++++++++++----
 2 files changed, 57 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/2abea8e1/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index b13de92..2814353 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -306,6 +306,8 @@ public class HiveConf extends Configuration {
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_SECURITY_ACL.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_ACL.varname);
+    llapDaemonVarsSetLocal.add(ConfVars.LLAP_SECURITY_ACL_DENY.varname);
+    llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_ACL_DENY.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_DELEGATION_TOKEN_LIFETIME.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_RPC_PORT.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_WEB_AUTO_AUTH.varname);
@@ -334,6 +336,7 @@ public class HiveConf extends Configuration {
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_DAEMON_WEB_PORT.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_DAEMON_WEB_SSL.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_DAEMON_CONTAINER_ID.varname);
+    llapDaemonVarsSetLocal.add(ConfVars.LLAP_VALIDATE_ACLS.varname);
   }
 
   /**
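Review bot: ConfVars.LLAP_VALIDATE_ACLS is registered as a daemon-local variable here and gates the new management-ACL check in LlapProtocolServerImpl, but its definition is not part of this diff (the ten HiveConf insertions in the diffstat are all visible), so it presumably pre-exists. Its description should be checked to confirm it states that it also governs the runtime restriction of the management protocol introduced by this commit, not only ZK-side validation.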
@@ -2660,8 +2663,15 @@ public class HiveConf extends Configuration {
         "ZooKeeper connection string for ZooKeeper SecretManager."),
     // Note: do not rename to ..service.acl; Hadoop generates .hosts setting name from this,
     // resulting in a collision with existing hive.llap.daemon.service.hosts and bizarre errors.
+    // These are read by Hadoop IPC, so you should check the usage and naming conventions (e.g.
+    // ".blocked" is a string hardcoded by Hadoop, and defaults are enforced elsewhere in Hive)
+    // before making changes or copy-pasting these.
     LLAP_SECURITY_ACL("hive.llap.daemon.acl", "*", "The ACL for LLAP daemon."),
+    LLAP_SECURITY_ACL_DENY("hive.llap.daemon.acl.blocked", "", "The deny ACL for LLAP daemon."),
     LLAP_MANAGEMENT_ACL("hive.llap.management.acl", "*", "The ACL for LLAP daemon management."),
+    LLAP_MANAGEMENT_ACL_DENY("hive.llap.management.acl.blocked", "",
+        "The deny ACL for LLAP daemon management."),
+
     // Hadoop DelegationTokenManager default is 1 week.
     LLAP_DELEGATION_TOKEN_LIFETIME("hive.llap.daemon.delegation.token.lifetime", "14d",
          new TimeValidator(TimeUnit.SECONDS),
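Review bot: The description strings of the two new deny ACLs say only "The deny ACL ...", so a user reading the config listing cannot tell what an empty value means or that the `.blocked` suffix must be kept verbatim. Suggest `"The deny ACL for LLAP daemon. Empty means no user or group is denied; the .blocked key suffix is fixed by Hadoop."` and the same wording for the management variant. The commit title speaks of defaulting the management ACL to deny-all, but the defaults here stay `*` and empty; the actual narrowing happens at runtime in LlapProtocolServerImpl, so the LLAP_MANAGEMENT_ACL description should mention that a `*` value with an empty deny ACL is automatically restricted to the daemon user when ACL validation is enabled.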

http://git-wip-us.apache.org/repos/asf/hive/blob/2abea8e1/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
index e99e689..dae1a3a 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
@@ -48,6 +48,7 @@ import org.apache.hadoop.ipc.ProtobufRpcEngine;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.hive.llap.security.LlapSecurityHelper;
 import org.apache.hadoop.hive.llap.security.LlapTokenIdentifier;
@@ -69,6 +70,7 @@ public class LlapProtocolServerImpl extends AbstractService
   private RPC.Server server, mngServer;
   private final AtomicReference<InetSocketAddress> srvAddress, mngAddress;
   private SecretManager zkSecretManager;
+  private String restrictedToUser = null;
 
   public LlapProtocolServerImpl(int numHandlers,
                                 ContainerRunner containerRunner,
@@ -128,6 +130,14 @@ public class LlapProtocolServerImpl extends AbstractService
       startProtocolServers(conf, daemonImpl, managementImpl);
       return;
     }
+    if (isPermissiveManagementAcl(conf)) {
+      LOG.warn("Management protocol has a '*' ACL.");
+      try {
+        this.restrictedToUser = UserGroupInformation.getCurrentUser().getShortUserName();
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    }
     String llapPrincipal = HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL),
         llapKeytab = HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE);
     zkSecretManager = SecretManager.createSecretManager(conf, llapPrincipal, llapKeytab);
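Review bot: The restrictedToUser restriction is only reached after the earlier branch above it (whose condition lies outside the hunk, presumably the non-secure case) has returned, so a daemon running without security and with a `*` management ACL gets neither the warning nor the restriction; if that is intended, a comment should say so. The warning is also logged before the restriction is known; reordering inside the try gives operators the actionable fact: `this.restrictedToUser = UserGroupInformation.getCurrentUser().getShortUserName(); LOG.warn("Management protocol has a '*' ACL; access restricted to " + restrictedToUser);`. The field added in the previous hunk is written here on the start path and read from RPC handler threads; if it is always assigned before server.start(), the thread start provides the needed visibility, but a comment on the field (or marking it volatile) would record that assumption.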
@@ -148,21 +158,29 @@ public class LlapProtocolServerImpl extends AbstractService
     });
   }
 
+  private static boolean isPermissiveManagementAcl(Configuration conf) {
+    return HiveConf.getBoolVar(conf, ConfVars.LLAP_VALIDATE_ACLS)
+        && AccessControlList.WILDCARD_ACL_VALUE.equals(
+            HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL))
+        && "".equals(HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL_DENY));
+  }
+
   private void startProtocolServers(
       Configuration conf, BlockingService daemonImpl, BlockingService managementImpl) {
     server = startProtocolServer(srvPort, numHandlers, srvAddress, conf, daemonImpl,
-        LlapProtocolBlockingPB.class);
+        LlapProtocolBlockingPB.class, ConfVars.LLAP_SECURITY_ACL, ConfVars.LLAP_SECURITY_ACL_DENY);
     mngServer = startProtocolServer(mngPort, 2, mngAddress, conf, managementImpl,
-        LlapManagementProtocolPB.class);
+        LlapManagementProtocolPB.class, ConfVars.LLAP_MANAGEMENT_ACL,
+        ConfVars.LLAP_MANAGEMENT_ACL_DENY);
   }
 
   private RPC.Server startProtocolServer(int srvPort, int numHandlers,
       AtomicReference<InetSocketAddress> bindAddress, Configuration conf,
-      BlockingService impl, Class<?> protocolClass) {
+      BlockingService impl, Class<?> protocolClass, ConfVars... aclVars) {
     InetSocketAddress addr = new InetSocketAddress(srvPort);
     RPC.Server server;
     try {
-      server = createServer(protocolClass, addr, conf, numHandlers, impl);
+      server = createServer(protocolClass, addr, conf, numHandlers, impl, aclVars);
       server.start();
     } catch (IOException e) {
       LOG.error("Failed to run RPC Server on port: " + srvPort, e);
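Review bot: isPermissiveManagementAcl treats only an exactly-empty deny ACL as permissive, so a value of a single space, or a deny list naming a non-existent user, passes as "restrictive" while the allow ACL is still `*`; at minimum trim before comparing, `&& HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL_DENY).trim().isEmpty()`. The varargs `ConfVars... aclVars` on startProtocolServer and createServer lets a future call site omit the ACL vars and silently skip default enforcement; two explicit parameters (allow and deny) would turn that into a compile error. A short javadoc on isPermissiveManagementAcl should state that it is gated on LLAP_VALIDATE_ACLS, so a `*` ACL is not even warned about when validation is off.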
@@ -198,10 +216,23 @@ public class LlapProtocolServerImpl extends AbstractService
   }
 
   private RPC.Server createServer(Class<?> pbProtocol, InetSocketAddress addr, Configuration conf,
-                                  int numHandlers, BlockingService blockingService) throws
+    int numHandlers, BlockingService blockingService, ConfVars... aclVars) throws
       IOException {
-    RPC.setProtocolEngine(conf, pbProtocol, ProtobufRpcEngine.class);
-    RPC.Builder builder = new RPC.Builder(conf)
+    Configuration serverConf = conf;
+    boolean isSecurityEnabled = conf.getBoolean(
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false);
+    if (isSecurityEnabled) {
+      // Enforce Hive defaults.
+      for (ConfVars acl : aclVars) {
+        if (conf.get(acl.varname) != null) continue; // Some value is set.
+        if (serverConf == conf) {
+          serverConf = new Configuration(conf);
+        }
+        serverConf.set(acl.varname, HiveConf.getVar(serverConf, acl)); // Set the default.
+      }
+    }
+    RPC.setProtocolEngine(serverConf, pbProtocol, ProtobufRpcEngine.class);
+    RPC.Builder builder = new RPC.Builder(serverConf)
         .setProtocol(pbProtocol)
         .setInstance(blockingService)
         .setBindAddress(addr.getHostName())
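Review bot: The local `isSecurityEnabled` in createServer reads CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, which is service-level authorization, not the Kerberos authentication that `UserGroupInformation.isSecurityEnabled()` reports; a reader of this hunk and of the method's second hunk (`if (isSecurityEnabled)` before refreshServiceAcl) will likely conflate the two. Renaming it, `boolean isAuthorizationEnabled = conf.getBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false);`, and a comment on the copy, `// Copy so the injected ACL defaults do not leak into the daemon-wide conf`, would make the intent explicit. It follows from the visible branch that when authorization is off neither the allow nor the .blocked defaults are applied at all, leaving the restrictedToUser check in the management handler as the only protection; that deserves a comment at the `// Enforce Hive defaults.` line. createServer's builder chain continues past the end of this hunk.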
@@ -211,9 +242,8 @@ public class LlapProtocolServerImpl extends AbstractService
       builder = builder.setSecretManager(zkSecretManager);
     }
     RPC.Server server = builder.build();
-
-    if (conf.getBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false)) {
-      server.refreshServiceAcl(conf, new LlapDaemonPolicyProvider());
+    if (isSecurityEnabled) {
+      server.refreshServiceAcl(serverConf, new LlapDaemonPolicyProvider());
     }
     return server;
   }
@@ -231,6 +261,13 @@ public class LlapProtocolServerImpl extends AbstractService
     } catch (IOException e) {
       throw new ServiceException(e);
     }
+    if (restrictedToUser != null && !restrictedToUser.equals(ugi.getShortUserName())) {
+      throw new ServiceException("Management protocol ACL is too permissive. The access has been"
+          + " automatically restricted to " + restrictedToUser + "; " + ugi.getShortUserName()
+          + " is denied acccess. Please set " + ConfVars.LLAP_VALIDATE_ACLS.varname + " to false,"
+          + " or adjust " + ConfVars.LLAP_MANAGEMENT_ACL.varname + " and "
+          + ConfVars.LLAP_MANAGEMENT_ACL_DENY.varname + " to a more restrictive ACL.");
+    }
     String user = ugi.getUserName();
     Text owner = new Text(user);
     Text realUser = null;
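Review bot: The new error message has a typo in the `is denied acccess` line; it should read `+ " is denied access. Please set " + ConfVars.LLAP_VALIDATE_ACLS.varname + " to false,"`. The check is enforced inside this single RPC handler rather than by the IPC authorization layer, so any other management-protocol method, now or later, would have to repeat it; setting the management ACL in serverConf to the restricted user when the permissive configuration is detected would enforce it uniformly and is worth considering. The comparison is on short user names, so for a proxied call it appears to restrict the effective user rather than the real user. The enclosing method begins before this hunk.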