Author: vgumashta
Date: Mon Oct 20 06:56:03 2014
New Revision: 1633061

URL: http://svn.apache.org/r1633061
Log:
HIVE-8377: Enable Kerberized SSL for HiveServer2 in http mode (Vaibhav Gumashta reviewed by Thejas Nair)

Modified:
     hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
     hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java

Modified: hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java?rev=1633061&r1=1633060&r2=1633061&view=diff
==============================================================================
--- hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java (original)
+++ hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java Mon Oct 20 06:56:03 2014
@@ -258,15 +258,12 @@ public class HiveConnection implements j
      HttpRequestInterceptor requestInterceptor;
      // If Kerberos
      if (isKerberosAuthMode()) {
- if (useSsl) {
- String msg = "SSL encryption is currently not supported with " +
- "kerberos authentication";
- throw new SQLException(msg, " 08S01");
- }
        /**
         * Add an interceptor which sets the appropriate header in the request.
         * It does the kerberos authentication and get the final service ticket,
         * for sending to the server before every request.
+ * In https mode, the entire information is encrypted
+ * TODO: Optimize this with a mix of kerberos + using cookie.
         */
        requestInterceptor = new HttpKerberosRequestInterceptor(
            sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host, getServerHttpUrl(false));
@@ -277,46 +274,46 @@ public class HiveConnection implements j
         * In https mode, the entire information is encrypted
         */
        requestInterceptor = new HttpBasicAuthInterceptor(getUserName(), getPassword());
- // Configure httpClient for SSL
- if (useSsl) {
- String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
- String sslTrustStorePassword = sessConfMap.get(
- JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
- KeyStore sslTrustStore;
- SSLSocketFactory socketFactory;
- /**
- * The code within the try block throws:
- * 1. SSLInitializationException
- * 2. KeyStoreException
- * 3. IOException
- * 4. NoSuchAlgorithmException
- * 5. CertificateException
- * 6. KeyManagementException
- * 7. UnrecoverableKeyException
- * We don't want the client to retry on any of these, hence we catch all
- * and throw a SQLException.
- */
- try {
- if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
- // Create a default socket factory based on standard JSSE trust material
- socketFactory = SSLSocketFactory.getSocketFactory();
- }
- else {
- // Pick trust store config from the given path
- sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
- sslTrustStore.load(new FileInputStream(sslTrustStorePath),
- sslTrustStorePassword.toCharArray());
- socketFactory = new SSLSocketFactory(sslTrustStore);
- }
- socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
- Scheme sslScheme = new Scheme("https", 443, socketFactory);
- httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme);
+ }
+ // Configure httpClient for SSL
+ if (useSsl) {
+ String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
+ String sslTrustStorePassword = sessConfMap.get(
+ JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+ KeyStore sslTrustStore;
+ SSLSocketFactory socketFactory;
+ /**
+ * The code within the try block throws:
+ * 1. SSLInitializationException
+ * 2. KeyStoreException
+ * 3. IOException
+ * 4. NoSuchAlgorithmException
+ * 5. CertificateException
+ * 6. KeyManagementException
+ * 7. UnrecoverableKeyException
+ * We don't want the client to retry on any of these, hence we catch all
+ * and throw a SQLException.
+ */
+ try {
+ if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
+ // Create a default socket factory based on standard JSSE trust material
+ socketFactory = SSLSocketFactory.getSocketFactory();
          }
- catch (Exception e) {
- String msg = "Could not create an https connection to " +
- jdbcUriString + ". " + e.getMessage();
- throw new SQLException(msg, " 08S01", e);
+ else {
+ // Pick trust store config from the given path
+ sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
+ sslTrustStore.load(new FileInputStream(sslTrustStorePath),
+ sslTrustStorePassword.toCharArray());
+ socketFactory = new SSLSocketFactory(sslTrustStore);
          }
+ socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+ Scheme sslScheme = new Scheme("https", 443, socketFactory);
+ httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme);
+ }
+ catch (Exception e) {
+ String msg = "Could not create an https connection to " +
+ jdbcUriString + ". " + e.getMessage();
+ throw new SQLException(msg, " 08S01", e);
        }
      }
      httpClient.addRequestInterceptor(requestInterceptor);
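Review bot: The https scheme registered at the end of the moved block still calls `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)`, and now that the block runs for Kerberos connections as well, no HTTP-mode connection ever checks that the server certificate matches `host`; any certificate chaining to the configured trust store (or the default JSSE trust material) is accepted for any server name, which is the one check that distinguishes TLS from opportunistic encryption. Use `SSLSocketFactory.STRICT_HOSTNAME_VERIFIER` (or leave the factory's default in place) and, if lax matching is genuinely needed somewhere, expose it as an explicit connection parameter rather than the unconditional default. In the same branch, `sslTrustStore.load(new FileInputStream(sslTrustStorePath), sslTrustStorePassword.toCharArray())` never closes the stream and dereferences `sslTrustStorePassword` without a null check, so a missing password surfaces as a NullPointerException buried in the generic "Could not create an https connection" message; close the stream in a finally block and fail with a clear SQLException when the password is absent. The enclosing method starts and ends outside the hunk.
```java
        else {
          if (sslTrustStorePassword == null) {
            throw new SQLException("Trust store password ("
                + JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD + ") is required when "
                + JdbcConnectionParams.SSL_TRUST_STORE + " is set", " 08S01");
          }
          // Pick trust store config from the given path
          sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
          FileInputStream trustStoreStream = new FileInputStream(sslTrustStorePath);
          try {
            sslTrustStore.load(trustStoreStream, sslTrustStorePassword.toCharArray());
          } finally {
            trustStoreStream.close();
          }
          socketFactory = new SSLSocketFactory(sslTrustStore);
        }
        // Verify the server certificate against the host name we are connecting to
        socketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        // … unchanged: scheme registration and catch block …
```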

Modified: hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java?rev=1633061&r1=1633060&r2=1633061&view=diff
==============================================================================
--- hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java (original)
+++ hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java Mon Oct 20 06:56:03 2014
@@ -29,12 +29,10 @@ import org.apache.hadoop.hive.shims.Shim
  import org.apache.hadoop.security.UserGroupInformation;
  import org.apache.hadoop.util.Shell;
  import org.apache.hive.service.auth.HiveAuthFactory;
-import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
  import org.apache.hive.service.cli.CLIService;
  import org.apache.hive.service.cli.thrift.TCLIService.Iface;
  import org.apache.hive.service.server.ThreadFactoryWithGarbageCleanup;
  import org.apache.thrift.TProcessor;
-import org.apache.thrift.TProcessorFactory;
  import org.apache.thrift.protocol.TBinaryProtocol;
  import org.apache.thrift.protocol.TProtocolFactory;
  import org.apache.thrift.server.TServlet;
@@ -60,9 +58,6 @@ public class ThriftHttpCLIService extend
    @Override
    public void run() {
      try {
- // Verify config validity
- verifyHttpConfiguration(hiveConf);
-
        // HTTP Server
        httpServer = new org.eclipse.jetty.server.Server();

@@ -162,32 +157,4 @@ public class ThriftHttpCLIService extend
      }
      return httpPath;
    }
-
- /**
- * Verify that this configuration is supported by transportMode of HTTP
- * @param hiveConf
- */
- private static void verifyHttpConfiguration(HiveConf hiveConf) {
- String authType = hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION);
-
- // Error out if KERBEROS auth mode is being used and use SSL is also set to true
- if(authType.equalsIgnoreCase(AuthTypes.KERBEROS.toString()) &&
- hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL)) {
- String msg = ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting of " +
- authType + " is not supported with " +
- ConfVars.HIVE_SERVER2_USE_SSL + " set to true";
- LOG.fatal(msg);
- throw new RuntimeException(msg);
- }
-
- // Warn that SASL is not used in http mode
- if(authType.equalsIgnoreCase(AuthTypes.NONE.toString())) {
- // NONE in case of thrift mode uses SASL
- LOG.warn(ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting to " +
- authType + ". SASL is not supported with http transport mode," +
- " so using equivalent of "
- + AuthTypes.NOSASL);
- }
- }
-
  }
