Repository: hive
Updated Branches:
   refs/heads/master f9d1b6ab7 -> ab095f0bc


HIVE-13008 - WebHcat DDL commands in secure mode NPE when default FileSystem doesn't support delegation tokens (Eugene Koifman, reviewed by Chris Nauroth, Thejas Nair)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/ab095f0b
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/ab095f0b
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/ab095f0b

Branch: refs/heads/master
Commit: ab095f0bc24447ab73843a1ae23a32f7b6c4bd1a
Parents: f9d1b6a
Author: Eugene Koifman <ekoifman@hortonworks.com>
Authored: Thu Mar 24 18:03:32 2016 -0700
Committer: Eugene Koifman <ekoifman@hortonworks.com>
Committed: Thu Mar 24 18:03:32 2016 -0700

----------------------------------------------------------------------
  .../hcatalog/templeton/SecureProxySupport.java | 46 ++++++++++++++------
  1 file changed, 33 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/ab095f0b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
index 2ac62c0..13f3c9b 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
@@ -20,10 +20,14 @@ package org.apache.hive.hcatalog.templeton;

  import java.io.File;
  import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
  import java.security.PrivilegedExceptionAction;
+import java.util.Collection;
  import java.util.List;
  import java.util.Map;

+import org.apache.commons.lang3.ArrayUtils;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  import org.apache.hadoop.conf.Configuration;
@@ -79,7 +83,7 @@ public class SecureProxySupport {
        this.user = user;
        File t = File.createTempFile("templeton", null);
        tokenPath = new Path(t.toURI());
- Token fsToken = getFSDelegationToken(user, conf);
+ Token[] fsToken = getFSDelegationToken(user, conf);
        String hcatTokenStr;
        try {
          hcatTokenStr = buildHcatDelegationToken(user);
@@ -130,11 +134,11 @@ public class SecureProxySupport {
      }
    }

- class TokenWrapper {
- Token<?> token;
+ private static class TokenWrapper {
+ Token<?>[] tokens = new Token<?>[0];
    }

- private Token<?> getFSDelegationToken(String user,
+ private Token<?>[] getFSDelegationToken(String user,
                        final Configuration conf)
      throws IOException, InterruptedException {
      LOG.info("user: " + user + " loginUser: " + UserGroupInformation.getLoginUser().getUserName());
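Review bot: `getFSDelegationToken` now returns an array but keeps its singular name and has no Javadoc stating the contract the NPE fix relies on, namely that the result is never null and is empty when no filesystem issues delegation tokens. I would add `/** @return delegation tokens for the default FileSystem and every mapreduce.job.hdfs-servers entry; never null, possibly empty */` above the method. This matches the `@param fsTokens not null` note the commit puts on `writeProxyDelegationTokens`. The method body continues in the next hunk.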
@@ -142,18 +146,32 @@ public class SecureProxySupport {

      final TokenWrapper twrapper = new TokenWrapper();
      ugi.doAs(new PrivilegedExceptionAction<Object>() {
- public Object run() throws IOException {
- FileSystem fs = FileSystem.get(conf);
- //todo: according to JavaDoc this seems like private API: addDelegationToken should be used
- twrapper.token = fs.getDelegationToken(ugi.getShortUserName());
+ public Object run() throws IOException, URISyntaxException {
+ Credentials creds = new Credentials();
+ //get Tokens for default FS. Not all FSs support delegation tokens, e.g. WASB
+ collectTokens(FileSystem.get(conf), twrapper, creds, ugi.getShortUserName());
+ //get tokens for all other known FSs since Hive tables may result in different ones
+ //passing "creds" prevents duplicate tokens from being added
+ Collection<String> URIs = conf.getStringCollection("mapreduce.job.hdfs-servers");
+ for(String uri : URIs) {
+ LOG.debug("Getting tokens for " + uri);
+ collectTokens(FileSystem.get(new URI(uri), conf), twrapper, creds, ugi.getShortUserName());
+ }
          return null;
        }
      });
- return twrapper.token;
-
+ return twrapper.tokens;
    }
-
- private void writeProxyDelegationTokens(final Token<?> fsToken,
+ private static void collectTokens(FileSystem fs, TokenWrapper twrapper, Credentials creds, String userName) throws IOException {
+ Token[] tokens = fs.addDelegationTokens(userName, creds);
+ if(tokens != null && tokens.length > 0) {
+ twrapper.tokens = ArrayUtils.addAll(twrapper.tokens, tokens);
+ }
+ }
+ /**
+ * @param fsTokens not null
+ */
+ private void writeProxyDelegationTokens(final Token<?> fsTokens[],
                        final Token<?> msToken,
                        final Configuration conf,
                        String user,
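Review bot: A malformed entry in `mapreduce.job.hdfs-servers` makes `new URI(uri)` throw `URISyntaxException` from inside `run()`, but `getFSDelegationToken` declares only `IOException` and `InterruptedException`. The failure will therefore most likely reach callers as an unchecked `UndeclaredThrowableException` from `ugi.doAs`, with no hint of which entry was bad. Wrapping the call in the loop keeps it within the declared contract: `try { collectTokens(FileSystem.get(new URI(uri), conf), twrapper, creds, ugi.getShortUserName()); } catch (URISyntaxException e) { throw new IOException("Bad URI in mapreduce.job.hdfs-servers: " + uri, e); }`. An `IOException` from any single listed filesystem also aborts token collection for all of them; if that is intended, a short comment saying so would help. The `writeProxyDelegationTokens` signature continues outside the hunk.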
@@ -168,7 +186,9 @@ public class SecureProxySupport {
      ugi.doAs(new PrivilegedExceptionAction<Object>() {
        public Object run() throws IOException {
          Credentials cred = new Credentials();
- cred.addToken(fsToken.getService(), fsToken);
+ for(Token<?> fsToken : fsTokens) {
+ cred.addToken(fsToken.getService(), fsToken);
+ }
          cred.addToken(msToken.getService(), msToken);
          cred.writeTokenStorageFile(tokenPath, conf);
          return null;
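Review bot: The file written by `cred.writeTokenStorageFile(tokenPath, conf)` now holds a delegation token for every filesystem listed in the configuration rather than one, and nothing visible in this diff restricts who can read it. `tokenPath` comes from `File.createTempFile("templeton", null)` in the earlier hunk, and the visible code does not set its permissions explicitly. Please confirm the file ends up owner-only after the write, for example by creating it with `java.nio.file.Files.createTempFile`, which on POSIX systems defaults to owner-only permissions, and by checking the final mode. It is also worth confirming that the file is removed once the request completes. The enclosing `run()` body continues past the hunk.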
