Posted to commits@hive.apache.org by br...@apache.org on 2014/11/22 20:08:55 UTC
svn commit: r1641102 - in
/hive/trunk/service/src/java/org/apache/hive/service: ServiceUtils.java
auth/LdapAuthenticationProviderImpl.java cli/thrift/ThriftCLIService.java
Author: brock
Date: Sat Nov 22 19:08:54 2014
New Revision: 1641102
URL: http://svn.apache.org/r1641102
Log:
HIVE-8916 - Handle user@domain username under LDAP authentication (Mohit Sabharwal via Brock)
Added:
hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java
Modified:
hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
Added: hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java?rev=1641102&view=auto
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java (added)
+++ hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java Sat Nov 22 19:08:54 2014
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service;
+
+public class ServiceUtils {
+
+ /*
+ * Get the index separating the user name from domain name (the user's name up
+ * to the first '/' or '@').
+ *
+ * @param userName full user name.
+ * @return index of domain match or -1 if not found
+ */
+ public static int indexOfDomainMatch(String userName) {
+ if (userName == null) {
+ return -1;
+ }
+
+ int idx = userName.indexOf('/');
+ int idx2 = userName.indexOf('@');
+ int endIdx = Math.min(idx, idx2); // Use the earlier match.
+ // Unless at least one of '/' or '@' was not found, in
+ // which case, user the latter match.
+ if (endIdx == -1) {
+ endIdx = Math.max(idx, idx2);
+ }
+ return endIdx;
+ }
+}
\ No newline at end of file
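Review bot: The comment above `indexOfDomainMatch` opens with `/*` rather than `/**`, so its `@param`/`@return` tags are not picked up as Javadoc, and it never says what a return value of 0 means. Both callers in this commit test `> 0` or `<= 0`, so a name that begins with '/' or '@' is treated as having no domain. That contract belongs in the doc, for example `@return index of the first '/' or '@' (0 if the name starts with one), or -1 if neither is present`. The inline comment says "user the latter match" where "use the later match" is meant. Since the class only holds a static helper, a private constructor would stop it being instantiated.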
Modified: hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java?rev=1641102&r1=1641101&r2=1641102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java Sat Nov 22 19:08:54 2014
@@ -24,6 +24,7 @@ import javax.naming.directory.InitialDir
import javax.security.sasl.AuthenticationException;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hive.service.ServiceUtils;
public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvider {
@@ -45,10 +46,11 @@ public class LdapAuthenticationProviderI
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapURL);
- // If the domain is supplied, then append it. LDAP providers like Active Directory
- // use a fully qualified user name like foo@bar.com.
- if (ldapDomain != null) {
- user = user + "@" + ldapDomain;
+ // If the domain is available in the config, then append it unless domain is
+ // already part of the username. LDAP providers like Active Directory use a
+ // fully qualified user name like foo@bar.com.
+ if (!hasDomain(user) && ldapDomain != null) {
+ user = user + "@" + ldapDomain;
}
// setup the security principal
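Review bot: With `!hasDomain(user)` in the condition, a client-supplied suffix now replaces the configured `ldapDomain` instead of being checked against it, so the bind is attempted with whatever domain the client typed. If the directory accepts principals from more than one domain (not visible here), an account from a domain the administrator did not configure could authenticate, and ThriftCLIService in this same commit then strips the suffix, leaving it indistinguishable from the configured-domain user of the same name. Consider rejecting a supplied domain that differs from the configured one, ideally compared case-insensitively: `if (hasDomain(user) && ldapDomain != null && !user.endsWith("@" + ldapDomain)) { throw new AuthenticationException("Unexpected domain in user name"); }`. `hasDomain`, added in the last hunk of this file, also counts '/' as a separator, so a name such as `foo/bar` skips the append as well. The enclosing method starts and ends outside this hunk.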
@@ -71,4 +73,7 @@ public class LdapAuthenticationProviderI
}
}
+ private boolean hasDomain(String userName) {
+ return (ServiceUtils.indexOfDomainMatch(userName) > 0);
+ }
}
Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1641102&r1=1641101&r2=1641102&view=diff
==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original)
+++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Sat Nov 22 19:08:54 2014
@@ -33,6 +33,7 @@ import org.apache.hadoop.hive.conf.HiveC
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hive.service.AbstractService;
import org.apache.hive.service.ServiceException;
+import org.apache.hive.service.ServiceUtils;
import org.apache.hive.service.auth.HiveAuthFactory;
import org.apache.hive.service.auth.TSetIpAddressProcessor;
import org.apache.hive.service.cli.*;
@@ -295,11 +296,24 @@ public abstract class ThriftCLIService e
if (userName == null) {
userName = req.getUsername();
}
+
+ userName = getShortName(userName);
String effectiveClientUser = getProxyUser(userName, req.getConfiguration(), getIpAddress());
LOG.debug("Client's username: " + effectiveClientUser);
return effectiveClientUser;
}
+ private String getShortName(String userName) {
+ String ret = null;
+ if (userName != null) {
+ int indexOfDomainMatch = ServiceUtils.indexOfDomainMatch(userName);
+ ret = (indexOfDomainMatch <= 0) ? userName :
+ userName.substring(0, indexOfDomainMatch);
+ }
+
+ return ret;
+ }
+
/**
* Create a session handle
* @param req
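Review bot: `getShortName` runs before `getProxyUser`, so the proxy-user check and the session's effective user are both decided on the text before the first '/' or '@'; the constructed examples `alice@a.example`, `alice@b.example` and `alice/host@REALM` all become `alice`. Where more than one domain or realm can authenticate, that merges distinct principals into one identity for authorization, and the debug line records only the merged name. I would document this on the helper, for instance `// Drops everything from the first '/' or '@'; principals differing only in domain/realm map to the same short name`, and log the authenticated name before it is shortened so audit trails keep the original principal. The enclosing method begins outside this hunk.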