Posted to commits@hive.apache.org by th...@apache.org on 2014/04/05 21:59:57 UTC
svn commit: r1585198 - in
/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli:
session/SessionManager.java thrift/ThriftCLIService.java
thrift/ThriftHttpServlet.java
Author: thejas
Date: Sat Apr 5 19:59:57 2014
New Revision: 1585198
URL: http://svn.apache.org/r1585198
Log:
HIVE-6738 : HiveServer2 secure Thrift/HTTP needs to accept doAs parameter from proxying intermediary (Dilli Arumugam via Thejas Nair)
Modified:
hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/session/SessionManager.java?rev=1585198&r1=1585197&r2=1585198&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/session/SessionManager.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/session/SessionManager.java Sat Apr 5 19:59:57 2014
@@ -183,6 +183,26 @@ public class SessionManager extends Comp
return threadLocalUserName.get();
}
+ private static ThreadLocal<String> threadLocalProxyUserName = new ThreadLocal<String>(){
+ @Override
+ protected synchronized String initialValue() {
+ return null;
+ }
+ };
+
+ public static void setProxyUserName(String userName) {
+ LOG.debug("setting proxy user name based on query param to: " + userName);
+ threadLocalProxyUserName.set(userName);
+ }
+
+ public static String getProxyUserName() {
+ return threadLocalProxyUserName.get();
+ }
+
+ public static void clearProxyUserName() {
+ threadLocalProxyUserName.remove();
+ }
+
// execute session hooks
private void executeSessionHooks(HiveSession session) throws Exception {
List<HiveSessionHook> sessionHooks = HookUtils.getHooks(hiveConf,
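Review bot: `setProxyUserName` writes the `doAs` value to the debug log unchanged, and that value is caller-supplied text taken from the URL-decoded query string, so it can contain CR or LF and forge extra log lines. Neutralise line breaks before logging, for example `LOG.debug("setting proxy user name based on query param to: " + String.valueOf(userName).replaceAll("[\\r\\n]", "_"));`. The same applies to the new debug statements in `ThriftCLIService.getProxyUser`, which log the proxy user from the query string, from the thrift body, and again after verification.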
Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1585198&r1=1585197&r2=1585198&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Sat Apr 5 19:59:57 2014
@@ -539,12 +539,21 @@ public abstract class ThriftCLIService e
*/
private String getProxyUser(String realUser, Map<String, String> sessionConf,
String ipAddress) throws HiveSQLException {
- if (sessionConf == null || !sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
+
+ String proxyUser = SessionManager.getProxyUserName();
+ LOG.debug("Proxy user from query string: " + proxyUser);
+
+ if (proxyUser == null && sessionConf != null && sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
+ String proxyUserFromThriftBody = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER);
+ LOG.debug("Proxy user from thrift body: " + proxyUserFromThriftBody);
+ proxyUser = proxyUserFromThriftBody;
+ }
+
+ if (proxyUser == null) {
return realUser;
}
- // Extract the proxy user name and check if we are allowed to do the substitution
- String proxyUser = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER);
+ // check whether substitution is allowed
if (!hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ALLOW_USER_SUBSTITUTION)) {
throw new HiveSQLException("Proxy user substitution is not allowed");
}
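Review bot: In `getProxyUser`, a non-null thread-local value from the query string silently wins over `HiveAuthFactory.HS2_PROXY_USER` in `sessionConf`, so a request carrying two different proxy users is accepted and the one in the thrift body is dropped without trace. Both paths still reach `verifyProxyAccess` further down (outside this hunk), so this looks like an audit and ambiguity problem rather than a bypass, but a conflict is better refused than resolved by precedence: `if (proxyUser != null && sessionConf != null && sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER) && !proxyUser.equals(sessionConf.get(HiveAuthFactory.HS2_PROXY_USER))) { throw new HiveSQLException("Conflicting proxy user values"); }`. If precedence is intended, the method's Javadoc (above the hunk) should say so.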
@@ -557,7 +566,9 @@ public abstract class ThriftCLIService e
// Verify proxy user privilege of the realUser for the proxyUser
HiveAuthFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hiveConf);
+ LOG.debug("Verified proxy user: " + proxyUser);
return proxyUser;
}
+
}
Modified: hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java?rev=1585198&r1=1585197&r2=1585198&view=diff
==============================================================================
--- hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java (original)
+++ hive/branches/branch-0.13/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java Sat Apr 5 19:59:57 2014
@@ -21,6 +21,9 @@ package org.apache.hive.service.cli.thri
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
+import java.util.Map;
+import java.util.Set;
+
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -76,6 +79,11 @@ public class ThriftHttpServlet extends T
// For a kerberos setup
if(isKerberosAuthMode(authType)) {
clientUserName = doKerberosAuth(request);
+ String doAsQueryParam = getDoAsQueryParam(request.getQueryString());
+ if (doAsQueryParam != null) {
+ SessionManager.setProxyUserName(doAsQueryParam);
+ }
+
}
else {
clientUserName = doPasswdAuth(request, authType);
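Review bot: The Kerberos branch stores `doAs` in a thread-local without any comment explaining that the value is still unverified at this point and is only checked later, by `verifyProxyAccess` in `ThriftCLIService.getProxyUser`. A short comment above the new lines would keep a later reader from treating `SessionManager.getProxyUserName()` as a trusted identity, for example `// doAs is an unverified request from the authenticated caller; getProxyUser() must authorize it before use`. The password branch ignores `doAs` without notice; if that is deliberate, say so in the same comment. The enclosing method starts and ends outside this hunk.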
@@ -99,6 +107,7 @@ public class ThriftHttpServlet extends T
finally {
// Clear the thread local username since we set it in each http request
SessionManager.clearUserName();
+ SessionManager.clearProxyUserName();
}
}
@@ -297,6 +306,20 @@ public class ThriftHttpServlet extends T
return authType.equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString());
}
+ private static String getDoAsQueryParam(String queryString) {
+ if (queryString == null) {
+ return null;
+ }
+ Map<String, String[]> params = javax.servlet.http.HttpUtils.parseQueryString( queryString );
+ Set<String> keySet = params.keySet();
+ for (String key: keySet) {
+ if (key.equalsIgnoreCase("doAs")) {
+ return params.get(key)[0];
+ }
+ }
+ return null;
+ }
+
}
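Review bot: `getDoAsQueryParam` returns the first value of the first key that matches `doAs` case-insensitively, so a query string with several candidates (`doAs` repeated, or `doAs` alongside `DOAS`) is resolved by the map's iteration order rather than by any rule. A proxying intermediary and HiveServer2 can then disagree about which user is being impersonated. An empty `doAs=` also yields `""`, which is not `null` and so is treated downstream as a proxy user. Rejecting anything other than exactly one non-empty value removes the ambiguity; how the caller turns the exception into an HTTP error is outside this hunk and should be checked.

```java
private static String getDoAsQueryParam(String queryString) {
  // … unchanged: null check on queryString …
  Map<String, String[]> params = javax.servlet.http.HttpUtils.parseQueryString(queryString);
  String doAs = null;
  for (Map.Entry<String, String[]> entry : params.entrySet()) {
    if (!entry.getKey().equalsIgnoreCase("doAs")) {
      continue;
    }
    String[] values = entry.getValue();
    // Refuse ambiguous input instead of picking one of several candidates.
    if (doAs != null || values.length != 1 || values[0].isEmpty()) {
      throw new IllegalArgumentException("Expected exactly one non-empty doAs query parameter");
    }
    doAs = values[0];
  }
  return doAs;
}
```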