FAQ
Repository: hive
Updated Branches:
   refs/heads/master 664c5d561 -> 1afa8e7e1


HIVE-11866: Add framework to enable testing using LDAPServer using LDAP protocol (Naveen Gangam, via Chaoyu Tang, reviewed by Xuefu Zhang)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/1afa8e7e
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/1afa8e7e
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/1afa8e7e

Branch: refs/heads/master
Commit: 1afa8e7e1d0a39891445c3c2c03f44b3c26c8390
Parents: 664c5d5
Author: ctang <ctang@cloudera.com>
Authored: Thu Feb 11 13:36:40 2016 -0500
Committer: ctang <ctang@cloudera.com>
Committed: Thu Feb 11 13:36:40 2016 -0500

----------------------------------------------------------------------
  pom.xml | 2 +
  service/pom.xml | 22 +-
  .../auth/LdapAuthenticationProviderImpl.java | 32 +-
  .../auth/TestLdapAtnProviderWithMiniDS.java | 311 +++++++++++++++++++
  4 files changed, 352 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/1afa8e7e/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 2bda92f..15e3522 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,6 +107,8 @@
      <activemq.version>5.5.0</activemq.version>
      <ant.version>1.9.1</ant.version>
      <antlr.version>3.4</antlr.version>
+ <apache-directory-server.version>1.5.6</apache-directory-server.version>
+ <apache-directory-clientapi.version>0.1</apache-directory-clientapi.version>
      <avro.version>1.7.7</avro.version>
      <bonecp.version>0.8.0.RELEASE</bonecp.version>
      <calcite.version>1.6.0</calcite.version>

http://git-wip-us.apache.org/repos/asf/hive/blob/1afa8e7e/service/pom.xml
----------------------------------------------------------------------
diff --git a/service/pom.xml b/service/pom.xml
index e3f61d0..41a4ef1 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -156,6 +156,27 @@
        <version>${junit.version}</version>
        <scope>test</scope>
      </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.client.ldap</groupId>
+ <artifactId>ldap-client-api</artifactId>
+ <version>${apache-directory-clientapi.version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-server-integ</artifactId>
+ <version>${apache-directory-server.version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-test-framework</artifactId>
+ <version>${apache-directory-server.version}</version>
+ <scope>test</scope>
+ </dependency>
    </dependencies>

    <build>
@@ -279,5 +300,4 @@
        </plugin>
      </plugins>
    </build>
-
  </project>

http://git-wip-us.apache.org/repos/asf/hive/blob/1afa8e7e/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index bddfe50..1d4aba2 100644
--- a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -43,29 +43,33 @@ public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvi
    private static final Logger LOG = LoggerFactory.getLogger(LdapAuthenticationProviderImpl.class);
    private static final String DN_ATTR = "distinguishedName";

- private final String ldapURL;
- private final String baseDN;
- private final String ldapDomain;
+ private String ldapURL;
+ private String baseDN;
+ private String ldapDomain;
    private static List<String> groupBases;
    private static List<String> userBases;
    private static List<String> userFilter;
    private static List<String> groupFilter;
- private final String customQuery;
+ private String customQuery;

    LdapAuthenticationProviderImpl() {
      HiveConf conf = new HiveConf();
- ldapURL = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
- baseDN = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
- ldapDomain = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
- customQuery = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY);
+ init(conf);
+ }
+
+ protected void init(HiveConf conf) {
+ ldapURL = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
+ baseDN = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
+ ldapDomain = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
+ customQuery = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY);

      if (customQuery == null) {
- groupBases = new ArrayList<String>();
- userBases = new ArrayList<String>();
- String groupDNPatterns = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN);
- String groupFilterVal = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER);
- String userDNPatterns = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
- String userFilterVal = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER);
+ groupBases = new ArrayList<String>();
+ userBases = new ArrayList<String>();
+ String groupDNPatterns = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN);
+ String groupFilterVal = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER);
+ String userDNPatterns = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
+ String userFilterVal = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER);

        // parse COLON delimited root DNs for users/groups that may or may not be under BaseDN.
        // Expect the root DNs be fully qualified including the baseDN

http://git-wip-us.apache.org/repos/asf/hive/blob/1afa8e7e/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
----------------------------------------------------------------------
diff --git a/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
new file mode 100644
index 0000000..934b207
--- /dev/null
+++ b/service/src/test/org/apache/hive/service/auth/TestLdapAtnProviderWithMiniDS.java
@@ -0,0 +1,311 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.hive.service.auth;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Iterator;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.ldap.LdapContext;
+import javax.security.sasl.AuthenticationException;
+
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredContext;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.ContextEntry;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreateIndex;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.LdapServer;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hive.service.auth.LdapAuthenticationProviderImpl;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * TestSuite to test Hive's LDAP Authentication provider with an
+ * in-process LDAP Server (Apache Directory Server instance).
+ *
+ */
+@RunWith(FrameworkRunner.class)
+@CreateLdapServer(transports =
+ { @CreateTransport(protocol = "LDAP"), @CreateTransport(protocol = "LDAPS") })
+// Define the DirectoryService
+@CreateDS(
+partitions = {
+ @CreatePartition(
+ name = "example",
+ suffix = "dc=example,dc=com",
+ contextEntry = @ContextEntry(
+ entryLdif = "dn: dc=example,dc=com\n" +
+ "dc: example\n" +
+ "objectClass: top\n" +
+ "objectClass: domain\n\n"
+ ),
+ indexes = {
+ @CreateIndex( attribute = "objectClass" ),
+ @CreateIndex( attribute = "dc" ),
+ @CreateIndex( attribute = "ou"),
+ @CreateIndex( attribute = "distinguishedName")
+ } )
+ }
+)
+
+@ApplyLdifs(
+ {
+ "dn: ou=People,dc=example,dc=com",
+ "distinguishedName: ou=People,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: organizationalUnit",
+ "objectClass: ExtensibleObject",
+ "ou: People",
+ "description: Contains entries which describe persons (seamen)",
+
+ "dn: ou=Groups,dc=example,dc=com",
+ "distinguishedName: ou=Groups,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: organizationalUnit",
+ "objectClass: ExtensibleObject",
+ "ou: Groups",
+ "description: Contains entries which describe groups (crews, for instance)",
+
+ "dn: uid=group1,ou=Groups,dc=example,dc=com",
+ "distinguishedName: uid=group1,ou=Groups,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: organizationalUnit",
+ "objectClass: ExtensibleObject",
+ "cn: group1",
+ "ou: Groups",
+ "sn: group1",
+
+ "dn: uid=group2,ou=Groups,dc=example,dc=com",
+ "distinguishedName: uid=group2,ou=Groups,dc=example,dc=com",
+ "objectClass: top",
+ "objectClass: organizationalUnit",
+ "objectClass: ExtensibleObject",
+ "givenName: Group2",
+ "ou: Groups",
+ "cn: group1",
+ "sn: group1",
+
+ "dn: uid=user1,ou=People,dc=example,dc=com",
+ "distinguishedName: uid=user1,ou=People,dc=example,dc=com",
+ "objectClass: inetOrgPerson",
+ "objectClass: person",
+ "objectClass: top",
+ "objectClass: ExtensibleObject",
+ "givenName: Test1",
+ "cn: Test User1",
+ "sn: user1",
+ "uid: user1",
+ "userPassword: user1",
+
+ "dn: uid=user2,ou=People,dc=example,dc=com",
+ "distinguishedName: uid=user2,ou=People,dc=example,dc=com",
+ "objectClass: inetOrgPerson",
+ "objectClass: person",
+ "objectClass: top",
+ "objectClass: ExtensibleObject",
+ "givenName: Test2",
+ "cn: Test User2",
+ "sn: user2",
+ "uid: user2",
+ "userPassword: user2"
+})
+
+public class TestLdapAtnProviderWithMiniDS extends AbstractLdapTestUnit {
+
+ private static String ldapUrl;
+ private static LdapServer server;
+ private static HiveConf hiveConf;
+ private static byte[] hiveConfBackup;
+ private static LdapContext ctx;
+ private static LdapAuthenticationProviderImpl ldapProvider;
+
+ @Before
+ public void setup() throws Exception {
+ ctx = ( LdapContext ) getWiredContext( ldapServer, null ).lookup( "dc=example,dc=com" );
+ }
+
+ @After
+ public void shutdown() throws Exception {
+ }
+
+ @BeforeClass
+ public static void init() throws Exception {
+ hiveConf = new HiveConf();
+
+ ldapProvider = new LdapAuthenticationProviderImpl();
+ ldapProvider.init(hiveConf);
+ }
+
+ @AfterClass
+ public static void tearDown() throws Exception {
+ if (ldapServer.isStarted()) {
+ ldapServer.stop();
+ }
+ }
+
+ private static void initLdapAtn(Map<String, String> hiveProperties)
+ throws Exception {
+ hiveConf = new HiveConf();
+
+ int port;
+ if (ldapUrl == null) {
+ port = ldapServer.getPort();
+ ldapUrl = new String("ldap://localhost:" + port);
+ }
+
+ hiveConf.set("hive.root.logger", "DEBUG,console");
+ hiveConf.set("hive.server2.authentication.ldap.url", ldapUrl);
+
+ if (hiveProperties != null) {
+ String key;
+ String value;
+ Iterator<String> iter = hiveProperties.keySet().iterator();
+ while (iter.hasNext()) {
+ key = iter.next();
+ value = hiveProperties.get(key);
+ hiveConf.set(key, value);
+ }
+ }
+
+ ldapProvider.init(hiveConf);
+ }
+
+ @Test
+ public void testLDAPServer() throws Exception {
+ initLdapAtn(null);
+ assertTrue(ldapServer.isStarted());
+ assertTrue(ldapServer.getPort() > 0);
+ }
+
+ @Test
+ public void testUserBindPositiveWithShortname() throws Exception {
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.groupDNPattern", "uid=%s,ou=Groups,dc=example,dc=com");
+ initLdapAtn(ldapProperties);
+ String user;
+
+ user = "user1";
+ try {
+ ldapProvider.Authenticate(user, "user1");
+ assertTrue("testUserBindPositive: Authentication succeeded for user1 as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testUserBindPositive: Authentication failed for user:" + user + " with password user1, expected to succeed");
+ }
+
+ user = "user2";
+ try {
+ ldapProvider.Authenticate(user, "user2");
+ assertTrue("testUserBindPositive: Authentication succeeded for user2 as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testUserBindPositive: Authentication failed for user:" + user + " with password user2, expected to succeed");
+ }
+ }
+
+ @Test
+ public void testUserBindPositiveWithShortnameOldConfig() throws Exception {
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "ou=People,dc=example,dc=com");
+ initLdapAtn(ldapProperties);
+ String user;
+
+ user = "user1";
+ try {
+ ldapProvider.Authenticate(user, "user1");
+ assertTrue("testUserBindPositive: Authentication succeeded for user1 as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testUserBindPositive: Authentication failed for user:" + user + " with password user1, expected to succeed");
+ }
+
+ user = "user2";
+ try {
+ ldapProvider.Authenticate(user, "user2");
+ assertTrue("testUserBindPositive: Authentication succeeded for user2 as expected", true);
+ } catch (AuthenticationException e) {
+ Assert.fail("testUserBindPositive: Authentication failed for user:" + user + " with password user2, expected to succeed");
+ }
+ }
+
+ @Test
+ public void testUserBindNegativeWithShortname() throws Exception {
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.userDNPattern", "uid=%s,ou=People,dc=example,dc=com");
+ ldapProperties.put("hive.server2.authentication.ldap.groupDNPattern", "uid=%s,ou=Groups,dc=example,dc=com");
+ initLdapAtn(ldapProperties);
+
+ try {
+ ldapProvider.Authenticate("user1", "user2");
+ Assert.fail("testUserBindNegative: Authentication succeeded for user1 with password user2, expected to fail");
+ } catch (AuthenticationException e) {
+ assertTrue("testUserBindNegative: Authentication failed for user1 as expected", true);
+ }
+
+ try {
+ ldapProvider.Authenticate("user2", "user");
+ Assert.fail("testUserBindNegative: Authentication failed for user2 with password user, expected to fail");
+ } catch (AuthenticationException e) {
+ assertTrue("testUserBindNegative: Authentication failed for user2 as expected", true);
+ }
+ }
+
+ @Test
+ public void testUserBindNegativeWithShortnameOldConfig() throws Exception {
+ Map<String, String> ldapProperties = new HashMap<String, String>();
+ ldapProperties.put("hive.server2.authentication.ldap.baseDN", "ou=People,dc=example,dc=com");
+ initLdapAtn(ldapProperties);
+
+ try {
+ ldapProvider.Authenticate("user1", "user2");
+ Assert.fail("testUserBindNegative: Authentication succeeded for user1 with password user2, expected to fail");
+ } catch (AuthenticationException e) {
+ assertTrue("testUserBindNegative: Authentication failed for user1 as expected", true);
+ }
+
+ try {
+ ldapProvider.Authenticate("user2", "user");
+ Assert.fail("testUserBindNegative: Authentication failed for user2 with password user, expected to fail");
+ } catch (AuthenticationException e) {
+ assertTrue("testUserBindNegative: Authentication failed for user2 as expected", true);
+ }
+ }
+}

Search Discussions

Discussion Posts

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 2 | next ›
Discussion Overview
groupcommits @
categorieshive, hadoop
postedFeb 11, '16 at 6:36p
activeFeb 11, '16 at 6:45p
posts2
users1
websitehive.apache.org

1 user in discussion

Ctang: 2 posts

People

Translate

site design / logo © 2021 Grokbase