Repository: hive
Updated Branches:
   refs/heads/branch-2.0 c00fcc389 -> 9ca30cf14


HIVE-13401: Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/9ca30cf1
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/9ca30cf1
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/9ca30cf1

Branch: refs/heads/branch-2.0
Commit: 9ca30cf14044e0442434a9d664af196e02da59ad
Parents: c00fcc3
Author: ctang <ctang@cloudera.com>
Authored: Wed Apr 6 08:58:20 2016 -0400
Committer: ctang <ctang@cloudera.com>
Committed: Wed Apr 6 08:58:20 2016 -0400

----------------------------------------------------------------------
  .../minikdc/TestJdbcNonKrbSASLWithMiniKdc.java | 103 +++++++++++++++++++
  1 file changed, 103 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/9ca30cf1/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
new file mode 100644
index 0000000..1c1beda
--- /dev/null
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
@@ -0,0 +1,103 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.minikdc;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.sql.DriverManager;
+import java.sql.SQLException;
+
+import javax.security.sasl.AuthenticationException;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.apache.hive.service.auth.PasswdAuthenticationProvider;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
+
+ public static class CustomAuthenticator implements PasswdAuthenticationProvider {
+ @Override
+ public void Authenticate(String user, String password) throws AuthenticationException {
+ if (!("nonkrbuser".equals(user) && "mypwd".equals(password))) {
+ throw new AuthenticationException("Authentication failed");
+ }
+ }
+ }
+
+ @BeforeClass
+ public static void beforeTest() throws Exception {
+ Class.forName(MiniHS2.getJdbcDriverName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
+ SessionHookTest.class.getName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
+ CustomAuthenticator.class.getName());
+ HiveConf hiveConf = new HiveConf();
+ miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
+ miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, "CUSTOM");
+ miniHS2.start(confOverlay);
+ }
+
+ /***
+ * Test a nonkrb user could login the kerberized HS2 with authentication type SASL NONE
+ * @throws Exception
+ */
+ @Test
+ public void testNonKrbSASLAuth() throws Exception {
+ hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL() + "default;user=nonkrbuser;password=mypwd");
+ verifyProperty(SESSION_USER_NAME, "nonkrbuser");
+ hs2Conn.close();
+ }
+
+ /***
+ * Negative test, verify that connection to secure HS2 fails if it is noSasl
+ * @throws Exception
+ */
+ @Test
+ public void testNoSaslConnectionNeg() throws Exception {
+ try {
+ String url = miniHS2.getBaseJdbcURL() + "default;auth=noSasl";
+ hs2Conn = DriverManager.getConnection(url);
+ fail("noSasl connection should fail");
+ } catch (SQLException e) {
+ // expected error
+ assertEquals("08S01", e.getSQLState().trim());
+ }
+ }
+
+ /***
+ * Negative test, verify that NonKrb connection to secure HS2 fails if it is
+ * user/pwd do not match.
+ * @throws Exception
+ */
+ @Test
+ public void testNoKrbConnectionNeg() throws Exception {
+ try {
+ String url = miniHS2.getBaseJdbcURL() + "default;user=wronguser;pwd=mypwd";
+ hs2Conn = DriverManager.getConnection(url);
+ fail("noSasl connection should fail");
+ } catch (SQLException e) {
+ // expected error
+ assertEquals("08S01", e.getSQLState().trim());
+ }
+ }
+}
\ No newline at end of file
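Review bot: Both negative tests assert only SQLState `08S01`, which is also what a client sees for unrelated connection failures, so they would still pass if the server were unreachable rather than rejecting the credentials. `testNoKrbConnectionNeg` also builds its URL with `pwd=mypwd` while the positive test uses `password=mypwd`, and it only varies the user name, so a wrong password for `nonkrbuser` is never exercised; a case such as `"default;user=nonkrbuser;password=wrongpwd"` would close that gap. Its `fail("noSasl connection should fail")` message is copied from the previous test, and the Javadoc on `testNonKrbSASLAuth` says "SASL NONE" although the server is started with `"CUSTOM"`. The same file appears unchanged in the two later commit mails on this page, so the points apply there as well.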


  • Ctang at Apr 9, 2016 at 3:20 am
    Repository: hive
    Updated Branches:
       refs/heads/branch-2.0 418ac3169 -> b5b8937c1


    HIVE-13401: Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho)


    Project: http://git-wip-us.apache.org/repos/asf/hive/repo
    Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/b5b8937c
    Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/b5b8937c
    Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/b5b8937c

    Branch: refs/heads/branch-2.0
    Commit: b5b8937c1a788ad96130d2af7ab9f1eb7afaed07
    Parents: 418ac31
    Author: ctang <ctang@cloudera.com>
    Authored: Fri Apr 8 23:14:17 2016 -0400
    Committer: ctang <ctang@cloudera.com>
    Committed: Fri Apr 8 23:14:17 2016 -0400

    ----------------------------------------------------------------------
      .../minikdc/TestJdbcNonKrbSASLWithMiniKdc.java | 103 +++++++++++++++++++
      1 file changed, 103 insertions(+)
    ----------------------------------------------------------------------


    http://git-wip-us.apache.org/repos/asf/hive/blob/b5b8937c/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
    new file mode 100644
    index 0000000..1c1beda
    --- /dev/null
    +++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
    @@ -0,0 +1,103 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements. See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership. The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License. You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.hive.minikdc;
    +
    +import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.fail;
    +
    +import java.sql.DriverManager;
    +import java.sql.SQLException;
    +
    +import javax.security.sasl.AuthenticationException;
    +
    +import org.apache.hadoop.hive.conf.HiveConf;
    +import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
    +import org.apache.hive.jdbc.miniHS2.MiniHS2;
    +import org.apache.hive.service.auth.PasswdAuthenticationProvider;
    +import org.junit.BeforeClass;
    +import org.junit.Test;
    +
    +public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
    +
    + public static class CustomAuthenticator implements PasswdAuthenticationProvider {
    + @Override
    + public void Authenticate(String user, String password) throws AuthenticationException {
    + if (!("nonkrbuser".equals(user) && "mypwd".equals(password))) {
    + throw new AuthenticationException("Authentication failed");
    + }
    + }
    + }
    +
    + @BeforeClass
    + public static void beforeTest() throws Exception {
    + Class.forName(MiniHS2.getJdbcDriverName());
    + confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
    + SessionHookTest.class.getName());
    + confOverlay.put(ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
    + CustomAuthenticator.class.getName());
    + HiveConf hiveConf = new HiveConf();
    + miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
    + miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, "CUSTOM");
    + miniHS2.start(confOverlay);
    + }
    +
    + /***
    + * Test a nonkrb user could login the kerberized HS2 with authentication type SASL NONE
    + * @throws Exception
    + */
    + @Test
    + public void testNonKrbSASLAuth() throws Exception {
    + hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL() + "default;user=nonkrbuser;password=mypwd");
    + verifyProperty(SESSION_USER_NAME, "nonkrbuser");
    + hs2Conn.close();
    + }
    +
    + /***
    + * Negative test, verify that connection to secure HS2 fails if it is noSasl
    + * @throws Exception
    + */
    + @Test
    + public void testNoSaslConnectionNeg() throws Exception {
    + try {
    + String url = miniHS2.getBaseJdbcURL() + "default;auth=noSasl";
    + hs2Conn = DriverManager.getConnection(url);
    + fail("noSasl connection should fail");
    + } catch (SQLException e) {
    + // expected error
    + assertEquals("08S01", e.getSQLState().trim());
    + }
    + }
    +
    + /***
    + * Negative test, verify that NonKrb connection to secure HS2 fails if it is
    + * user/pwd do not match.
    + * @throws Exception
    + */
    + @Test
    + public void testNoKrbConnectionNeg() throws Exception {
    + try {
    + String url = miniHS2.getBaseJdbcURL() + "default;user=wronguser;pwd=mypwd";
    + hs2Conn = DriverManager.getConnection(url);
    + fail("noSasl connection should fail");
    + } catch (SQLException e) {
    + // expected error
    + assertEquals("08S01", e.getSQLState().trim());
    + }
    + }
    +}
    \ No newline at end of file
  • Ctang at Apr 9, 2016 at 1:25 pm
    Repository: hive
    Updated Branches:
       refs/heads/branch-2.0 48394fdbb -> 8c3280043


    HIVE-13401: Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho)


    Project: http://git-wip-us.apache.org/repos/asf/hive/repo
    Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/8c328004
    Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/8c328004
    Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/8c328004

    Branch: refs/heads/branch-2.0
    Commit: 8c328004330f81058498d726b14eb818a3abd847
    Parents: 48394fd
    Author: ctang <ctang@cloudera.com>
    Authored: Sat Apr 9 09:23:29 2016 -0400
    Committer: ctang <ctang@cloudera.com>
    Committed: Sat Apr 9 09:23:29 2016 -0400

    ----------------------------------------------------------------------
      .../org/apache/hive/minikdc/MiniHiveKdc.java | 52 +++++++++-
      .../minikdc/TestJdbcNonKrbSASLWithMiniKdc.java | 103 +++++++++++++++++++
      .../hive/minikdc/TestJdbcWithMiniKdc.java | 12 +--
      .../org/apache/hive/jdbc/miniHS2/MiniHS2.java | 15 ++-
      .../hive/service/auth/HiveAuthFactory.java | 15 +--
      .../service/cli/thrift/ThriftCLIService.java | 15 +--
      6 files changed, 181 insertions(+), 31 deletions(-)
    ----------------------------------------------------------------------


    http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
    index dedbf35..6b47480 100644
    --- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
    +++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
    @@ -50,6 +50,7 @@ public class MiniHiveKdc {
        public static String HIVE_TEST_USER_1 = "user1";
        public static String HIVE_TEST_USER_2 = "user2";
        public static String HIVE_TEST_SUPER_USER = "superuser";
    + public static String AUTHENTICATION_TYPE = "KERBEROS";

        private final MiniKdc miniKdc;
        private final File workDir;
    @@ -170,14 +171,57 @@ public class MiniHiveKdc {
         * @throws Exception
         */
        public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf hiveConf) throws Exception {
    + return getMiniHS2WithKerb(miniHiveKdc, hiveConf, AUTHENTICATION_TYPE);
    + }
    +
    + /**
    + * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc
    + * @param miniHiveKdc
    + * @param hiveConf
    + * @param authType
    + * @return new MiniHS2 instance
    + * @throws Exception
    + */
    + public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf hiveConf,
    + String authType) throws Exception {
    + String hivePrincipal =
    + miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
    + String hiveKeytab = miniHiveKdc.getKeyTabFile(
    + miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
    +
    + return new MiniHS2.Builder().withConf(hiveConf).withMiniKdc(hivePrincipal, hiveKeytab).
    + withAuthenticationType(authType).build();
    + }
    +
    + /**
    + * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc
    + * @param miniHiveKdc
    + * @param hiveConf
    + * @return new MiniHS2 instance
    + * @throws Exception
    + */
    + public static MiniHS2 getMiniHS2WithKerbWithRemoteHMS(MiniHiveKdc miniHiveKdc, HiveConf hiveConf) throws Exception {
    + return getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, AUTHENTICATION_TYPE);
    + }
    +
    + /**
    + * Create a MiniHS2 with the hive service principal and keytab in MiniHiveKdc. It uses remote HMS
    + * and can support a different Sasl authType
    + * @param miniHiveKdc
    + * @param hiveConf
    + * @param authType
    + * @return new MiniHS2 instance
    + * @throws Exception
    + */
    + public static MiniHS2 getMiniHS2WithKerbWithRemoteHMS(MiniHiveKdc miniHiveKdc, HiveConf hiveConf,
    + String authType) throws Exception {
          String hivePrincipal =
              miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
          String hiveKeytab = miniHiveKdc.getKeyTabFile(
              miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));

    - return new MiniHS2.Builder().withConf(hiveConf).
    - withMiniKdc(hivePrincipal, hiveKeytab).build();
    + return new MiniHS2.Builder().withConf(hiveConf).withRemoteMetastore().
    + withMiniKdc(hivePrincipal, hiveKeytab).withAuthenticationType(authType).build();
        }
    -
    -
      }
    +
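Review bot: The two three-argument factories in this hunk repeat the same principal and keytab lookup and differ only in `withRemoteMetastore()`; a private helper that returns the prepared `MiniHS2.Builder` would keep them in step. `authType` is a free-form string (the new test passes `"CUSTOM"`), and nothing in this hunk checks it against the known authentication types, so a typo would only surface when the server starts. The default added in the first hunk is mutable; `public static final String AUTHENTICATION_TYPE = "KERBEROS";` would stop a test from changing it for every later caller. The Javadoc on the two-argument `getMiniHS2WithKerbWithRemoteHMS` should also say that it uses a remote metastore, as the three-argument one does.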

    http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
    new file mode 100644
    index 0000000..1c1beda
    --- /dev/null
    +++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
    @@ -0,0 +1,103 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements. See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership. The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License. You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.hive.minikdc;
    +
    +import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.fail;
    +
    +import java.sql.DriverManager;
    +import java.sql.SQLException;
    +
    +import javax.security.sasl.AuthenticationException;
    +
    +import org.apache.hadoop.hive.conf.HiveConf;
    +import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
    +import org.apache.hive.jdbc.miniHS2.MiniHS2;
    +import org.apache.hive.service.auth.PasswdAuthenticationProvider;
    +import org.junit.BeforeClass;
    +import org.junit.Test;
    +
    +public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
    +
    + public static class CustomAuthenticator implements PasswdAuthenticationProvider {
    + @Override
    + public void Authenticate(String user, String password) throws AuthenticationException {
    + if (!("nonkrbuser".equals(user) && "mypwd".equals(password))) {
    + throw new AuthenticationException("Authentication failed");
    + }
    + }
    + }
    +
    + @BeforeClass
    + public static void beforeTest() throws Exception {
    + Class.forName(MiniHS2.getJdbcDriverName());
    + confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
    + SessionHookTest.class.getName());
    + confOverlay.put(ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
    + CustomAuthenticator.class.getName());
    + HiveConf hiveConf = new HiveConf();
    + miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
    + miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, "CUSTOM");
    + miniHS2.start(confOverlay);
    + }
    +
    + /***
    + * Test a nonkrb user could login the kerberized HS2 with authentication type SASL NONE
    + * @throws Exception
    + */
    + @Test
    + public void testNonKrbSASLAuth() throws Exception {
    + hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL() + "default;user=nonkrbuser;password=mypwd");
    + verifyProperty(SESSION_USER_NAME, "nonkrbuser");
    + hs2Conn.close();
    + }
    +
    + /***
    + * Negative test, verify that connection to secure HS2 fails if it is noSasl
    + * @throws Exception
    + */
    + @Test
    + public void testNoSaslConnectionNeg() throws Exception {
    + try {
    + String url = miniHS2.getBaseJdbcURL() + "default;auth=noSasl";
    + hs2Conn = DriverManager.getConnection(url);
    + fail("noSasl connection should fail");
    + } catch (SQLException e) {
    + // expected error
    + assertEquals("08S01", e.getSQLState().trim());
    + }
    + }
    +
    + /***
    + * Negative test, verify that NonKrb connection to secure HS2 fails if it is
    + * user/pwd do not match.
    + * @throws Exception
    + */
    + @Test
    + public void testNoKrbConnectionNeg() throws Exception {
    + try {
    + String url = miniHS2.getBaseJdbcURL() + "default;user=wronguser;pwd=mypwd";
    + hs2Conn = DriverManager.getConnection(url);
    + fail("noSasl connection should fail");
    + } catch (SQLException e) {
    + // expected error
    + assertEquals("08S01", e.getSQLState().trim());
    + }
    + }
    +}
    \ No newline at end of file

    http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
    index 3ef2ce3..71a08fb 100644
    --- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
    +++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
    @@ -57,10 +57,10 @@ public class TestJdbcWithMiniKdc {
          }
        }

    - private static MiniHS2 miniHS2 = null;
    - private static MiniHiveKdc miniHiveKdc = null;
    - private static Map<String, String> confOverlay = new HashMap<String, String>();
    - private Connection hs2Conn;
    + protected static MiniHS2 miniHS2 = null;
    + protected static MiniHiveKdc miniHiveKdc = null;
    + protected static Map<String, String> confOverlay = new HashMap<String, String>();
    + protected Connection hs2Conn;

        @BeforeClass
        public static void beforeTest() throws Exception {
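Review bot: Widening `miniHS2`, `miniHiveKdc` and `confOverlay` to `protected static` makes them mutable state shared between this class and its subclasses. `TestJdbcNonKrbSASLWithMiniKdc.beforeTest()` writes the custom authenticator class into the same `confOverlay` map and replaces `miniHS2`. If both classes run in one JVM (the fork settings are not visible here), entries left in the map by one class are still present for the other. A `confOverlay.clear();` at the start of each `beforeTest()`, or a comment on the fields such as `// shared with subclasses; every beforeTest() must repopulate these`, would make the ownership explicit. The body of `beforeTest()` continues outside the hunk.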
    @@ -241,7 +241,7 @@ public class TestJdbcWithMiniKdc {
         * @param expectedValue
         * @throws Exception
         */
    - private void verifyProperty(String propertyName, String expectedValue) throws Exception {
    + protected void verifyProperty(String propertyName, String expectedValue) throws Exception {
          Statement stmt = hs2Conn .createStatement();
          ResultSet res = stmt.executeQuery("set " + propertyName);
          assertTrue(res.next());
    @@ -251,7 +251,7 @@ public class TestJdbcWithMiniKdc {
        }

        // Store the given token in the UGI
    - private void storeToken(String tokenStr, UserGroupInformation ugi)
    + protected void storeToken(String tokenStr, UserGroupInformation ugi)
            throws Exception {
          Utils.setTokenStr(ugi,
              tokenStr, HiveAuthFactory.HS2_CLIENT_TOKEN);

    http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    index 488ba93..8b0f9d4 100644
    --- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    +++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    @@ -79,6 +79,8 @@ public class MiniHS2 extends AbstractHiveService {
          private String serverKeytab;
          private boolean isHTTPTransMode = false;
          private boolean isMetastoreRemote;
    + private boolean usePortsFromConf = false;
    + private String authType = "KERBEROS";

          public Builder() {
          }
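Review bot: `usePortsFromConf` is added to the Builder, but no hunk on this page reads or sets it, so it looks like a leftover from another branch; drop it unless code outside these hunks uses it. The `"KERBEROS"` default here is repeated as a literal in the public `MiniHS2(HiveConf, MiniClusterType)` constructor and in `MiniHiveKdc.AUTHENTICATION_TYPE`; one shared constant would keep the three from drifting apart.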
    @@ -95,6 +97,11 @@ public class MiniHS2 extends AbstractHiveService {
            return this;
          }

    + public Builder withAuthenticationType(String authType) {
    + this.authType = authType;
    + return this;
    + }
    +
          public Builder withRemoteMetastore() {
            this.isMetastoreRemote = true;
            return this;
    @@ -125,7 +132,7 @@ public class MiniHS2 extends AbstractHiveService {
              hiveConf.setVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE, HS2_BINARY_MODE);
            }
            return new MiniHS2(hiveConf, miniClusterType, useMiniKdc, serverPrincipal, serverKeytab,
    - isMetastoreRemote);
    + isMetastoreRemote, authType);
          }
        }

    @@ -162,7 +169,7 @@ public class MiniHS2 extends AbstractHiveService {
        }

        private MiniHS2(HiveConf hiveConf, MiniClusterType miniClusterType, boolean useMiniKdc,
    - String serverPrincipal, String serverKeytab, boolean isMetastoreRemote) throws Exception {
    + String serverPrincipal, String serverKeytab, boolean isMetastoreRemote, String authType) throws Exception {
          super(hiveConf, "localhost", MetaStoreUtils.findFreePort(), MetaStoreUtils.findFreePort());
          this.miniClusterType = miniClusterType;
          this.useMiniKdc = useMiniKdc;
    @@ -200,7 +207,7 @@ public class MiniHS2 extends AbstractHiveService {
          if (useMiniKdc) {
            hiveConf.setVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL, serverPrincipal);
            hiveConf.setVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB, serverKeytab);
    - hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "KERBEROS");
    + hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, authType);
          }
          String metaStoreURL = "jdbc:derby:" + baseDir.getAbsolutePath() + File.separator + "test_metastore-" +
              hs2Counter.incrementAndGet() + ";create=true";
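Review bot: `authType` is applied only inside `if (useMiniKdc)`, so `withAuthenticationType(...)` on a builder that never calls `withMiniKdc(...)` is silently ignored. A null passed to the builder also reaches `hiveConf.setVar` unchecked. I would state the first point on the builder method, `/** Only applied when withMiniKdc(...) is also used. */`, and reject null there with `this.authType = Objects.requireNonNull(authType, "authType");`. The enclosing constructor starts and ends outside the hunk.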
    @@ -236,7 +243,7 @@ public class MiniHS2 extends AbstractHiveService {
        }

        public MiniHS2(HiveConf hiveConf, MiniClusterType clusterType) throws Exception {
    - this(hiveConf, clusterType, false, null, null, false);
    + this(hiveConf, clusterType, false, null, null, false, "KERBEROS");
        }

        public void start(Map<String, String> confOverlay) throws Exception {

    http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    ----------------------------------------------------------------------
    diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    index 0c7455d..062974d 100644
    --- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    +++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    @@ -102,7 +102,7 @@ public class HiveAuthFactory {
          transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
          authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);

    - // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that·
    + // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that
          // hadoopAuth is not simple, it does not guarantee it is kerberos
          hadoopAuth = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");

    @@ -114,8 +114,7 @@ public class HiveAuthFactory {
              authTypeStr = AuthTypes.NONE.getAuthName();
            }
          }
    - if (hadoopAuth.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())
    - && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName())) {
    + if (isSASLWithKerberizedHadoop()) {
            saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer(
                conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
                conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
    @@ -149,8 +148,7 @@ public class HiveAuthFactory {
          TTransportFactory transportFactory;
          TSaslServerTransport.Factory serverTransportFactory;

    - if (hadoopAuth.equalsIgnoreCase("kerberos") && !authTypeStr.equalsIgnoreCase(
    - AuthTypes.NOSASL.getAuthName())) {
    + if (isSASLWithKerberizedHadoop()) {
            try {
              serverTransportFactory = saslServer.createSaslServerTransportFactory(
                  getSaslProperties());
    @@ -194,7 +192,7 @@ public class HiveAuthFactory {
         * @throws LoginException
         */
        public TProcessorFactory getAuthProcFactory(ThriftCLIService service) throws LoginException {
    - if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
    + if (isSASLWithKerberizedHadoop()) {
            return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
          } else {
            return PlainSaslHelper.getPlainProcessorFactory(service);
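Review bot: `getAuthProcFactory` now keys on `hadoopAuth` rather than on `HIVE_SERVER2_AUTHENTICATION`, so a server configured with auth type KERBEROS while `hadoopAuth` is not kerberos now gets the plain processor factory, where it previously got the Kerberos one. That may be intended, since the constructor hunk above creates `saslServer` only under the same predicate, but it changes behaviour on the authentication path and the new tests do not cover that combination. A why-comment on the branch would help, for example `// Kerberized Hadoop: the Kerberos processor factory is used for every SASL auth type, not only KERBEROS`. The method's Javadoc starts outside the hunk.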
    @@ -213,6 +211,11 @@ public class HiveAuthFactory {
          }
        }

    + public boolean isSASLWithKerberizedHadoop() {
    + return "kerberos".equalsIgnoreCase(hadoopAuth)
    + && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName());
    + }
    +
        // Perform kerberos login using the hadoop shim API if the configuration is available
        public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
          String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
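Review bot: `isSASLWithKerberizedHadoop()` is public and now selects the authentication path in three places in this file and two in `ThriftCLIService`, but it has no Javadoc. I would add one saying that it returns true whenever Hadoop authentication is Kerberos and the HS2 auth type is anything other than NOSASL, so it also holds for password-based types such as LDAP or CUSTOM. The literal-first `"kerberos".equalsIgnoreCase(hadoopAuth)` is null-safe while `authTypeStr.equalsIgnoreCase(...)` is not; `!AuthTypes.NOSASL.getAuthName().equalsIgnoreCase(authTypeStr)` would treat both operands the same way.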

    http://git-wip-us.apache.org/repos/asf/hive/blob/8c328004/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
    ----------------------------------------------------------------------
    diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
    index 8434965..e7651dd 100644
    --- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
    +++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
    @@ -342,11 +342,10 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
            clientIpAddress = SessionManager.getIpAddress();
          }
          else {
    - // Kerberos
    - if (isKerberosAuthMode()) {
    + if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop()) {
              clientIpAddress = hiveAuthFactory.getIpAddress();
            }
    - // Except kerberos, NOSASL
    + // NOSASL
            else {
              clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
            }
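Review bot: The Kerberized branch assigns `hiveAuthFactory.getIpAddress()` with no fallback, whereas `getUserName` in the next hunk falls back to `TSetIpAddressProcessor` when the factory returns null. After this change the branch is also taken for password-authenticated sessions on a Kerberized server, so if the factory holds no address for such a session (this hunk does not show whether it does), `clientIpAddress` stays null wherever it is later recorded. Consider mirroring the fallback with `if (clientIpAddress == null) { clientIpAddress = TSetIpAddressProcessor.getUserIpAddress(); }`. The `// NOSASL` comments in both hunks are also too narrow now, because the else path also covers every auth type on a non-Kerberized Hadoop; something like `// NOSASL, or SASL without Kerberized Hadoop` would match the predicate. The enclosing method starts outside the hunk.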
    @@ -367,11 +366,10 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
         */
        private String getUserName(TOpenSessionReq req) throws HiveSQLException {
          String userName = null;
    - // Kerberos
    - if (isKerberosAuthMode()) {
    + if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop()) {
            userName = hiveAuthFactory.getRemoteUser();
          }
    - // Except kerberos, NOSASL
    + // NOSASL
          if (userName == null) {
            userName = TSetIpAddressProcessor.getUserName();
          }
    @@ -755,9 +753,4 @@ public abstract class ThriftCLIService extends AbstractService implements TCLISe
          LOG.debug("Verified proxy user: " + proxyUser);
          return proxyUser;
        }
    -
    - private boolean isKerberosAuthMode() {
    - return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
    - .equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString());
    - }
      }
