FAQ
Repository: hive
Updated Branches:
   refs/heads/branch-2.0 48394fdbb -> 8c3280043


HIVE-13401: Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/8c328004
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/8c328004
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/8c328004

Branch: refs/heads/branch-2.0
Commit: 8c328004330f81058498d726b14eb818a3abd847
Parents: 48394fd
Author: ctang <ctang@cloudera.com>
Authored: Sat Apr 9 09:23:29 2016 -0400
Committer: ctang <ctang@cloudera.com>
Committed: Sat Apr 9 09:23:29 2016 -0400

----------------------------------------------------------------------
  .../org/apache/hive/minikdc/MiniHiveKdc.java | 52 +++++++++-
  .../minikdc/TestJdbcNonKrbSASLWithMiniKdc.java | 103 +++++++++++++++++++
  .../hive/minikdc/TestJdbcWithMiniKdc.java | 12 +--
  .../org/apache/hive/jdbc/miniHS2/MiniHS2.java | 15 ++-
  .../hive/service/auth/HiveAuthFactory.java | 15 +--
  .../service/cli/thrift/ThriftCLIService.java | 15 +--
  6 files changed, 181 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
index dedbf35..6b47480 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
@@ -50,6 +50,7 @@ public class MiniHiveKdc {
    public static String HIVE_TEST_USER_1 = "user1";
    public static String HIVE_TEST_USER_2 = "user2";
    public static String HIVE_TEST_SUPER_USER = "superuser";
+ public static String AUTHENTICATION_TYPE = "KERBEROS";

    private final MiniKdc miniKdc;
    private final File workDir;
@@ -170,14 +171,57 @@ public class MiniHiveKdc {
     * @throws Exception
     */
    public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf hiveConf) throws Exception {
+ return getMiniHS2WithKerb(miniHiveKdc, hiveConf, AUTHENTICATION_TYPE);
+ }
+
+ /**
+ * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc
+ * @param miniHiveKdc
+ * @param hiveConf
+ * @param authType
+ * @return new MiniHS2 instance
+ * @throws Exception
+ */
+ public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf hiveConf,
+ String authType) throws Exception {
+ String hivePrincipal =
+ miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+ String hiveKeytab = miniHiveKdc.getKeyTabFile(
+ miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
+
+ return new MiniHS2.Builder().withConf(hiveConf).withMiniKdc(hivePrincipal, hiveKeytab).
+ withAuthenticationType(authType).build();
+ }
+
+ /**
+ * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc
+ * @param miniHiveKdc
+ * @param hiveConf
+ * @return new MiniHS2 instance
+ * @throws Exception
+ */
+ public static MiniHS2 getMiniHS2WithKerbWithRemoteHMS(MiniHiveKdc miniHiveKdc, HiveConf hiveConf) throws Exception {
+ return getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, AUTHENTICATION_TYPE);
+ }
+
+ /**
+ * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc. It uses remote HMS
+ * and can support a different Sasl authType
+ * @param miniHiveKdc
+ * @param hiveConf
+ * @param authType
+ * @return new MiniHS2 instance
+ * @throws Exception
+ */
+ public static MiniHS2 getMiniHS2WithKerbWithRemoteHMS(MiniHiveKdc miniHiveKdc, HiveConf hiveConf,
+ String authType) throws Exception {
      String hivePrincipal =
          miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
      String hiveKeytab = miniHiveKdc.getKeyTabFile(
          miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));

- return new MiniHS2.Builder().withConf(hiveConf).
- withMiniKdc(hivePrincipal, hiveKeytab).build();
+ return new MiniHS2.Builder().withConf(hiveConf).withRemoteMetastore().
+ withMiniKdc(hivePrincipal, hiveKeytab).withAuthenticationType(authType).build();
    }
-
-
  }
+

http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
new file mode 100644
index 0000000..1c1beda
--- /dev/null
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
@@ -0,0 +1,103 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.minikdc;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.sql.DriverManager;
+import java.sql.SQLException;
+
+import javax.security.sasl.AuthenticationException;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.apache.hive.service.auth.PasswdAuthenticationProvider;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
+
+ public static class CustomAuthenticator implements PasswdAuthenticationProvider {
+ @Override
+ public void Authenticate(String user, String password) throws AuthenticationException {
+ if (!("nonkrbuser".equals(user) && "mypwd".equals(password))) {
+ throw new AuthenticationException("Authentication failed");
+ }
+ }
+ }
+
+ @BeforeClass
+ public static void beforeTest() throws Exception {
+ Class.forName(MiniHS2.getJdbcDriverName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
+ SessionHookTest.class.getName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
+ CustomAuthenticator.class.getName());
+ HiveConf hiveConf = new HiveConf();
+ miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
+ miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, "CUSTOM");
+ miniHS2.start(confOverlay);
+ }
+
+ /***
+ * Test a nonkrb user could login the kerberized HS2 with authentication type SASL NONE
+ * @throws Exception
+ */
+ @Test
+ public void testNonKrbSASLAuth() throws Exception {
+ hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL() + "default;user=nonkrbuser;password=mypwd");
+ verifyProperty(SESSION_USER_NAME, "nonkrbuser");
+ hs2Conn.close();
+ }
+
+ /***
+ * Negative test, verify that connection to secure HS2 fails if it is noSasl
+ * @throws Exception
+ */
+ @Test
+ public void testNoSaslConnectionNeg() throws Exception {
+ try {
+ String url = miniHS2.getBaseJdbcURL() + "default;auth=noSasl";
+ hs2Conn = DriverManager.getConnection(url);
+ fail("noSasl connection should fail");
+ } catch (SQLException e) {
+ // expected error
+ assertEquals("08S01", e.getSQLState().trim());
+ }
+ }
+
+ /***
+ * Negative test, verify that NonKrb connection to secure HS2 fails if it is
+ * user/pwd do not match.
+ * @throws Exception
+ */
+ @Test
+ public void testNoKrbConnectionNeg() throws Exception {
+ try {
+ String url = miniHS2.getBaseJdbcURL() + "default;user=wronguser;pwd=mypwd";
+ hs2Conn = DriverManager.getConnection(url);
+ fail("noSasl connection should fail");
+ } catch (SQLException e) {
+ // expected error
+ assertEquals("08S01", e.getSQLState().trim());
+ }
+ }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
index 3ef2ce3..71a08fb 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
@@ -57,10 +57,10 @@ public class TestJdbcWithMiniKdc {
      }
    }

- private static MiniHS2 miniHS2 = null;
- private static MiniHiveKdc miniHiveKdc = null;
- private static Map<String, String> confOverlay = new HashMap<String, String>();
- private Connection hs2Conn;
+ protected static MiniHS2 miniHS2 = null;
+ protected static MiniHiveKdc miniHiveKdc = null;
+ protected static Map<String, String> confOverlay = new HashMap<String, String>();
+ protected Connection hs2Conn;

    @BeforeClass
    public static void beforeTest() throws Exception {
@@ -241,7 +241,7 @@ public class TestJdbcWithMiniKdc {
     * @param expectedValue
     * @throws Exception
     */
- private void verifyProperty(String propertyName, String expectedValue) throws Exception {
+ protected void verifyProperty(String propertyName, String expectedValue) throws Exception {
      Statement stmt = hs2Conn .createStatement();
      ResultSet res = stmt.executeQuery("set " + propertyName);
      assertTrue(res.next());
@@ -251,7 +251,7 @@ public class TestJdbcWithMiniKdc {
    }

    // Store the given token in the UGI
- private void storeToken(String tokenStr, UserGroupInformation ugi)
+ protected void storeToken(String tokenStr, UserGroupInformation ugi)
        throws Exception {
      Utils.setTokenStr(ugi,
          tokenStr, HiveAuthFactory.HS2_CLIENT_TOKEN);

http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
index 488ba93..8b0f9d4 100644
--- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
+++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
@@ -79,6 +79,8 @@ public class MiniHS2 extends AbstractHiveService {
      private String serverKeytab;
      private boolean isHTTPTransMode = false;
      private boolean isMetastoreRemote;
+ private boolean usePortsFromConf = false;
+ private String authType = "KERBEROS";

      public Builder() {
      }
@@ -95,6 +97,11 @@ public class MiniHS2 extends AbstractHiveService {
        return this;
      }

+ public Builder withAuthenticationType(String authType) {
+ this.authType = authType;
+ return this;
+ }
+
      public Builder withRemoteMetastore() {
        this.isMetastoreRemote = true;
        return this;
@@ -125,7 +132,7 @@ public class MiniHS2 extends AbstractHiveService {
          hiveConf.setVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE, HS2_BINARY_MODE);
        }
        return new MiniHS2(hiveConf, miniClusterType, useMiniKdc, serverPrincipal, serverKeytab,
- isMetastoreRemote);
+ isMetastoreRemote, authType);
      }
    }

@@ -162,7 +169,7 @@ public class MiniHS2 extends AbstractHiveService {
    }

    private MiniHS2(HiveConf hiveConf, MiniClusterType miniClusterType, boolean useMiniKdc,
- String serverPrincipal, String serverKeytab, boolean isMetastoreRemote) throws Exception {
+ String serverPrincipal, String serverKeytab, boolean isMetastoreRemote, String authType) throws Exception {
      super(hiveConf, "localhost", MetaStoreUtils.findFreePort(), MetaStoreUtils.findFreePort());
      this.miniClusterType = miniClusterType;
      this.useMiniKdc = useMiniKdc;
@@ -200,7 +207,7 @@ public class MiniHS2 extends AbstractHiveService {
      if (useMiniKdc) {
        hiveConf.setVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL, serverPrincipal);
        hiveConf.setVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB, serverKeytab);
- hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "KERBEROS");
+ hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, authType);
      }
      String metaStoreURL = "jdbc:derby:" + baseDir.getAbsolutePath() + File.separator + "test_metastore-" +
          hs2Counter.incrementAndGet() + ";create=true";
@@ -236,7 +243,7 @@ public class MiniHS2 extends AbstractHiveService {
    }

    public MiniHS2(HiveConf hiveConf, MiniClusterType clusterType) throws Exception {
- this(hiveConf, clusterType, false, null, null, false);
+ this(hiveConf, clusterType, false, null, null, false, "KERBEROS");
    }

    public void start(Map<String, String> confOverlay) throws Exception {

http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index 0c7455d..062974d 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -102,7 +102,7 @@ public class HiveAuthFactory {
      transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
      authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);

- // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that·
+ // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that
      // hadoopAuth is not simple, it does not guarantee it is kerberos
      hadoopAuth = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");

@@ -114,8 +114,7 @@ public class HiveAuthFactory {
          authTypeStr = AuthTypes.NONE.getAuthName();
        }
      }
- if (hadoopAuth.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())
- && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName())) {
+ if (isSASLWithKerberizedHadoop()) {
        saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer(
            conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
            conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
@@ -149,8 +148,7 @@ public class HiveAuthFactory {
      TTransportFactory transportFactory;
      TSaslServerTransport.Factory serverTransportFactory;

- if (hadoopAuth.equalsIgnoreCase("kerberos") && !authTypeStr.equalsIgnoreCase(
- AuthTypes.NOSASL.getAuthName())) {
+ if (isSASLWithKerberizedHadoop()) {
        try {
          serverTransportFactory = saslServer.createSaslServerTransportFactory(
              getSaslProperties());
@@ -194,7 +192,7 @@ public class HiveAuthFactory {
     * @throws LoginException
     */
    public TProcessorFactory getAuthProcFactory(ThriftCLIService service) throws LoginException {
- if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
+ if (isSASLWithKerberizedHadoop()) {
        return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
      } else {
        return PlainSaslHelper.getPlainProcessorFactory(service);
@@ -213,6 +211,11 @@ public class HiveAuthFactory {
      }
    }

+ public boolean isSASLWithKerberizedHadoop() {
+ return "kerberos".equalsIgnoreCase(hadoopAuth)
+ && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName());
+ }
+
    // Perform kerberos login using the hadoop shim API if the configuration is available
    public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
      String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);

http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
index 8434965..e7651dd 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
@@ -342,11 +342,10 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
        clientIpAddress = SessionManager.getIpAddress();
      }
      else {
- // Kerberos
- if (isKerberosAuthMode()) {
+ if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop()) {
          clientIpAddress = hiveAuthFactory.getIpAddress();
        }
- // Except kerberos, NOSASL
+ // NOSASL
        else {
          clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
        }
@@ -367,11 +366,10 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
     */
    private String getUserName(TOpenSessionReq req) throws HiveSQLException {
      String userName = null;
- // Kerberos
- if (isKerberosAuthMode()) {
+ if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop()) {
        userName = hiveAuthFactory.getRemoteUser();
      }
- // Except kerberos, NOSASL
+ // NOSASL
      if (userName == null) {
        userName = TSetIpAddressProcessor.getUserName();
      }
@@ -755,9 +753,4 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
      LOG.debug("Verified proxy user: " + proxyUser);
      return proxyUser;
    }
-
- private boolean isKerberosAuthMode() {
- return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
- .equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString());
- }
  }

Search Discussions

Discussion Posts

Previous

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 3 | next ›
Discussion Overview
groupcommits @
categorieshive, hadoop
postedApr 6, '16 at 12:58p
activeApr 9, '16 at 1:25p
posts3
users1
websitehive.apache.org

1 user in discussion

Ctang: 3 posts

People

Translate

site design / logo © 2021 Grokbase