You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by th...@apache.org on 2013/11/04 21:51:00 UTC
svn commit: r1538758 - in /hive/trunk:
hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/
ql/src/java/org/apache/hadoop/hive/ql/security/
Author: thejas
Date: Mon Nov 4 20:50:59 2013
New Revision: 1538758
URL: http://svn.apache.org/r1538758
Log:
HIVE-5542 : Webhcat is failing to run ddl command on a secure cluster (Sushanth Sowmyan via Thejas Nair)
Added:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
Modified:
hive/trunk/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/HCatCli.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
Modified: hive/trunk/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/HCatCli.java
URL: http://svn.apache.org/viewvc/hive/trunk/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/HCatCli.java?rev=1538758&r1=1538757&r2=1538758&view=diff
==============================================================================
--- hive/trunk/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/HCatCli.java (original)
+++ hive/trunk/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/HCatCli.java Mon Nov 4 20:50:59 2013
@@ -76,8 +76,6 @@ public class HCatCli {
HiveConf.setVar(conf, ConfVars.SEMANTIC_ANALYZER_HOOK, HCatSemanticAnalyzer.class.getName());
- SessionState.start(ss);
-
Options options = new Options();
// -e 'quoted-query-string'
@@ -126,19 +124,30 @@ public class HCatCli {
cmdLine = parser.parse(options, args);
} catch (ParseException e) {
- printUsage(options, ss.err);
+ printUsage(options, System.err);
+ // Note, we print to System.err instead of ss.err, because if we can't parse our
+ // commandline, we haven't even begun, and therefore cannot be expected to have
+ // reasonably constructed or started the SessionState.
System.exit(1);
}
- // -e
- String execString = (String) cmdLine.getOptionValue('e');
- // -f
- String fileName = (String) cmdLine.getOptionValue('f');
+
+ // -D : process these first, so that we can instantiate SessionState appropriately.
+ setConfProperties(conf, cmdLine.getOptionProperties("D"));
+
+ // Now that the properties are in, we can instantiate SessionState.
+ SessionState.start(ss);
+
// -h
if (cmdLine.hasOption('h')) {
printUsage(options, ss.out);
System.exit(0);
}
+ // -e
+ String execString = (String) cmdLine.getOptionValue('e');
+
+ // -f
+ String fileName = (String) cmdLine.getOptionValue('f');
if (execString != null && fileName != null) {
ss.err.println("The '-e' and '-f' options cannot be specified simultaneously");
printUsage(options, ss.err);
@@ -157,8 +166,7 @@ public class HCatCli {
conf.set(HCatConstants.HCAT_GROUP, grp);
}
- // -D
- setConfProperties(conf, cmdLine.getOptionProperties("D"));
+ // all done parsing, let's run stuff!
if (execString != null) {
System.exit(processLine(execString));
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java?rev=1538758&r1=1538757&r2=1538758&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java Mon Nov 4 20:50:59 2013
@@ -28,10 +28,10 @@ import org.apache.hadoop.security.UserGr
public class HadoopDefaultAuthenticator implements HiveAuthenticationProvider {
- private String userName;
- private List<String> groupNames;
+ protected String userName;
+ protected List<String> groupNames;
- private Configuration conf;
+ protected Configuration conf;
@Override
public List<String> getGroupNames() {
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java?rev=1538758&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java Mon Nov 4 20:50:59 2013
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.shims.ShimLoader;
+import org.apache.hadoop.security.UserGroupInformation;
+
+/**
+ * ProxyUserAuthenticator extends HadoopDefaultAuthenticator
+ * but honours a proxy config setting proxy.user.name instead of the
+ * current user if set. This allows server processes like webhcat which
+ * proxy other users to easily specify an override if allowed.
+ */
+public class ProxyUserAuthenticator extends HadoopDefaultAuthenticator {
+
+ private static final String PROXY_USER_NAME = "proxy.user.name";
+
+ @Override
+ public void setConf(Configuration conf) {
+ this.conf = conf;
+ UserGroupInformation ugi = null;
+ String proxyUser = conf.get(PROXY_USER_NAME);
+
+ if (proxyUser == null){
+ super.setConf(conf);
+ return;
+ }
+
+ // If we're here, proxy user is set.
+
+ try {
+ ugi = ShimLoader.getHadoopShims().createRemoteUser(proxyUser,null);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+
+ if (ugi == null) {
+ throw new RuntimeException(
+ "Can not initialize ProxyUserAuthenticator for user ["+proxyUser+"]");
+ }
+
+ this.userName = ShimLoader.getHadoopShims().getShortUserName(ugi);
+ if (ugi.getGroupNames() != null) {
+ this.groupNames = Arrays.asList(ugi.getGroupNames());
+ }
+ }
+
+}