Repository: hive
Updated Branches:
   refs/heads/master 4b5f0d963 -> 3b2ea2480


HIVE-13390: HiveServer2: Add more test to ZK service discovery using MiniHS2 (Vaibhav Gumashta reviewed by Sushanth Sowmyan)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/3b2ea248
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/3b2ea248
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/3b2ea248

Branch: refs/heads/master
Commit: 3b2ea248078bdf3a8372958cf51a989dc3883bcc
Parents: 4b5f0d9
Author: Vaibhav Gumashta <vgumashta@hortonworks.com>
Authored: Mon May 2 13:35:40 2016 -0700
Committer: Vaibhav Gumashta <vgumashta@hortonworks.com>
Committed: Mon May 2 13:35:40 2016 -0700

----------------------------------------------------------------------
  data/files/keystore.jks | Bin 2248 -> 2206 bytes
  data/files/keystore_exampledotcom.jks | Bin 0 -> 2222 bytes
  data/files/truststore.jks | Bin 958 -> 1816 bytes
  .../org/apache/hive/jdbc/miniHS2/MiniHS2.java | 35 ++++---
  .../test/java/org/apache/hive/jdbc/TestSSL.java | 71 +++++++++++--
  .../org/apache/hive/jdbc/HiveConnection.java | 99 +++++++++----------
  .../hive/service/auth/HiveAuthFactory.java | 21 +++-
  7 files changed, 148 insertions(+), 78 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/data/files/keystore.jks
----------------------------------------------------------------------
diff --git a/data/files/keystore.jks b/data/files/keystore.jks
index 469d8a5..8f35af0 100644
Binary files a/data/files/keystore.jks and b/data/files/keystore.jks differ

http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/data/files/keystore_exampledotcom.jks
----------------------------------------------------------------------
diff --git a/data/files/keystore_exampledotcom.jks b/data/files/keystore_exampledotcom.jks
new file mode 100644
index 0000000..1d33aad
Binary files /dev/null and b/data/files/keystore_exampledotcom.jks differ

http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/data/files/truststore.jks
----------------------------------------------------------------------
diff --git a/data/files/truststore.jks b/data/files/truststore.jks
index 9c5d703..03dd2a3 100644
Binary files a/data/files/truststore.jks and b/data/files/truststore.jks differ

http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
index 9ab5566..de1ce76 100644
--- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
+++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
@@ -182,6 +182,8 @@ public class MiniHS2 extends AbstractHiveService {
    private MiniHS2(HiveConf hiveConf, MiniClusterType miniClusterType, boolean useMiniKdc,
        String serverPrincipal, String serverKeytab, boolean isMetastoreRemote,
        boolean usePortsFromConf, String authType, boolean isHA) throws Exception {
+ // Always use localhost for hostname as some tests like SSL CN validation ones
+ // are tied to localhost being present in the certificate name
      super(hiveConf, "localhost",
          (usePortsFromConf ? hiveConf.getIntVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_PORT) : MetaStoreUtils.findFreePort()),
          (usePortsFromConf ? hiveConf.getIntVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_PORT) : MetaStoreUtils.findFreePort()));
@@ -382,29 +384,38 @@ public class MiniHS2 extends AbstractHiveService {
     * @return
     * @throws Exception
     */
- public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt) throws Exception {
+ public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt)
+ throws Exception {
      sessionConfExt = (sessionConfExt == null ? "" : sessionConfExt);
      hiveConfExt = (hiveConfExt == null ? "" : hiveConfExt);
- String krbConfig = "";
+ // Strip the leading ";" if provided
+ // (this is the assumption with which we're going to start configuring sessionConfExt)
+ if (sessionConfExt.startsWith(";")) {
+ sessionConfExt = sessionConfExt.substring(1);
+ }
      if (isUseMiniKdc()) {
- krbConfig = "principal=" + serverPrincipal;
+ sessionConfExt = "principal=" + serverPrincipal + ";" + sessionConfExt;
      }
      if (isHttpTransportMode()) {
- sessionConfExt = "transportMode=http;httpPath=cliservice;" + sessionConfExt;
+ sessionConfExt = "transportMode=http;httpPath=cliservice" + ";" + sessionConfExt;
      }
      String baseJdbcURL;
      if (isDynamicServiceDiscovery()) {
- String serviceDiscoveryConfig =
+ sessionConfExt =
            "serviceDiscoveryMode=zooKeeper;zooKeeperNamespace="
- + getServerConf().getVar(HiveConf.ConfVars.HIVE_SERVER2_ZOOKEEPER_NAMESPACE) + ";";
- baseJdbcURL = getZKBaseJdbcURL() + dbName + ";" + serviceDiscoveryConfig;
+ + getServerConf().getVar(HiveConf.ConfVars.HIVE_SERVER2_ZOOKEEPER_NAMESPACE) + ";"
+ + sessionConfExt;
+ baseJdbcURL = getZKBaseJdbcURL();
+ } else {
+ baseJdbcURL = getBaseJdbcURL();
      }
- else {
- baseJdbcURL = getBaseJdbcURL() + dbName + ";";
+
+ baseJdbcURL = baseJdbcURL + dbName;
+ if (!sessionConfExt.isEmpty()) {
+ baseJdbcURL = baseJdbcURL + ";" + sessionConfExt;
      }
- baseJdbcURL = baseJdbcURL + krbConfig + ";" + sessionConfExt;
- if (!hiveConfExt.trim().equals("")) {
- baseJdbcURL = "?" + hiveConfExt;
+ if ((hiveConfExt != null) && (!hiveConfExt.trim().isEmpty())) {
+ baseJdbcURL = baseJdbcURL + "?" + hiveConfExt;
      }
      return baseJdbcURL;
    }
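Review bot: The `(hiveConfExt != null)` guard in the last `if` of getJdbcURL is dead, because hiveConfExt is null-coalesced to "" at the top of the method, and the two emptiness checks disagree: sessionConfExt is tested with `isEmpty()` while hiveConfExt is tested with `trim().isEmpty()`, so a whitespace-only sessionConfExt still leaves a dangling `;   ` in the generated URL. Suggest `if (!sessionConfExt.trim().isEmpty())` and `if (!hiveConfExt.trim().isEmpty())` so both extensions are treated the same way. Since this is test scaffolding the only consequence is a confusing URL in a failing test, but the new leading-`;` stripping deserves a line in the Javadoc above, e.g. `sessionConfExt may be given with or without a leading ';'`, so callers know the contract.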

http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
index ea9acba..2f4db0d 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
@@ -18,6 +18,7 @@

  package org.apache.hive.jdbc;
  import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
  import static org.junit.Assert.fail;

  import java.io.File;
@@ -47,9 +48,10 @@ import org.slf4j.LoggerFactory;

  public class TestSSL {
    private static final Logger LOG = LoggerFactory.getLogger(TestSSL.class);
- private static final String KEY_STORE_NAME = "keystore.jks";
+ private static final String LOCALHOST_KEY_STORE_NAME = "keystore.jks";
+ private static final String EXAMPLEDOTCOM_KEY_STORE_NAME = "keystore_exampledotcom.jks";
    private static final String TRUST_STORE_NAME = "truststore.jks";
- private static final String KEY_STORE_PASSWORD = "HiveJdbc";
+ private static final String KEY_STORE_TRUST_STORE_PASSWORD = "HiveJdbc";
    private static final String JAVA_TRUST_STORE_PROP = "javax.net.ssl.trustStore";
    private static final String JAVA_TRUST_STORE_PASS_PROP = "javax.net.ssl.trustStorePassword";
    private static final String HS2_BINARY_MODE = "binary";
@@ -62,9 +64,9 @@ public class TestSSL {
    private Connection hs2Conn = null;
    private String dataFileDir = conf.get("test.data.files");
    private Map<String, String> confOverlay;
- private final String SSL_CONN_PARAMS = ";ssl=true;sslTrustStore="
+ private final String SSL_CONN_PARAMS = "ssl=true;sslTrustStore="
        + URLEncoder.encode(dataFileDir + File.separator + TRUST_STORE_NAME) + ";trustStorePassword="
- + KEY_STORE_PASSWORD;
+ + KEY_STORE_TRUST_STORE_PASSWORD;

    @BeforeClass
    public static void beforeTest() throws Exception {
@@ -127,7 +129,7 @@ public class TestSSL {
      // make SSL connection
      hs2Conn =
          DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore=" + dataFileDir
- + File.separator + TRUST_STORE_NAME + ";trustStorePassword=" + KEY_STORE_PASSWORD,
+ + File.separator + TRUST_STORE_NAME + ";trustStorePassword=" + KEY_STORE_TRUST_STORE_PASSWORD,
              System.getProperty("user.name"), "bar");
      hs2Conn.close();
      Assert.assertEquals("Expected exit code of 1", 1, execCommand("openssl s_client -connect "
@@ -144,7 +146,7 @@ public class TestSSL {
        hs2Conn =
            DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore="
                + dataFileDir + File.separator + TRUST_STORE_NAME + ";trustStorePassword="
- + KEY_STORE_PASSWORD, System.getProperty("user.name"), "bar");
+ + KEY_STORE_TRUST_STORE_PASSWORD, System.getProperty("user.name"), "bar");
        Assert.fail("Expected SQLException during connect");
      } catch (SQLException e) {
        LOG.info("Expected exception: " + e, e);
@@ -181,7 +183,7 @@ public class TestSSL {
      }

      System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
- System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
+ System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
      try {
        hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
            System.getProperty("user.name"), "bar");
@@ -291,7 +293,7 @@ public class TestSSL {
      miniHS2.start(confOverlay);

      System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
- System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
+ System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
      // make SSL connection
      hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
          System.getProperty("user.name"), "bar");
@@ -375,6 +377,55 @@ public class TestSSL {
      hs2Conn.close();
    }

+ /***
+ * Test a new connection when server sends a certificate with wrong CN
+ * (sends a certificate for www.example.com instead of localhost)
+ * Opening a new connection with this wrong certificate should fail
+ * @throws Exception
+ */
+ @Test
+ public void testConnectionWrongCertCN() throws Exception {
+ // This call sets the default ssl params including the correct keystore in the server config
+ setSslConfOverlay(confOverlay);
+ // Replace default keystore with keystore for www.example.com
+ confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
+ + EXAMPLEDOTCOM_KEY_STORE_NAME);
+ // Binary (TCP) mode
+ setBinaryConfOverlay(confOverlay);
+ miniHS2.start(confOverlay);
+ try {
+ hs2Conn =
+ DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
+ System.getProperty("user.name"), "bar");
+ fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
+ + "instead of localhost), should fail");
+ } catch (SQLException e) {
+ // Expected error: should throw java.security.cert.CertificateException
+ assertEquals("08S01", e.getSQLState().trim());
+ assertTrue(e.toString().contains("java.security.cert.CertificateException"));
+ }
+
+ miniHS2.stop();
+
+ // Http mode
+ setHttpConfOverlay(confOverlay);
+ miniHS2.start(confOverlay);
+ try {
+ hs2Conn =
+ DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
+ System.getProperty("user.name"), "bar");
+ fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
+ + "instead of localhost), should fail");
+ } catch (SQLException e) {
+ // Expected error: should throw javax.net.ssl.SSLPeerUnverifiedException
+ assertEquals("08S01", e.getSQLState().trim());
+ assertTrue(e.toString().contains("javax.net.ssl.SSLPeerUnverifiedException"));
+ }
+ // Revert to default keystore path
+ confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
+ + LOCALHOST_KEY_STORE_NAME);
+ }
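Review bot: The revert of HIVE_SERVER2_SSL_KEYSTORE_PATH at the end of testConnectionWrongCertCN runs only on the success path; if either `fail(...)` or an assertion fires, the www.example.com keystore stays in confOverlay and, assuming confOverlay is shared across the tests of this class, every later SSL test would start a server with the wrong certificate and fail for an unrelated reason, so the revert belongs in a `finally` block wrapping both connection attempts. The binary-mode check `e.toString().contains("java.security.cert.CertificateException")` cannot distinguish a hostname mismatch from an untrusted chain, since JSSE reports both as a CertificateException; the test only proves hostname verification if truststore.jks trusts the www.example.com certificate, so consider asserting the more specific JSSE text (`No name matching localhost found`, if that message is stable across the JDKs the build supports) or adding a positive control that the same keystore connects when the CN matches. The `.trim()` on `e.getSQLState()` in both catch blocks works around the driver passing `" 08S01"` with a leading space as the SQLSTATE (visible in the HiveConnection hunk further down); fixing that literal would let the test assert `"08S01"` directly.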
+
    private void setupTestTableWithData(String tableName, Path dataFilePath,
        Connection hs2Conn) throws Exception {
      Statement stmt = hs2Conn.createStatement();
@@ -393,9 +444,9 @@ public class TestSSL {
    private void setSslConfOverlay(Map<String, String> confOverlay) {
      confOverlay.put(ConfVars.HIVE_SERVER2_USE_SSL.varname, "true");
      confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname,
- dataFileDir + File.separator + KEY_STORE_NAME);
+ dataFileDir + File.separator + LOCALHOST_KEY_STORE_NAME);
      confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PASSWORD.varname,
- KEY_STORE_PASSWORD);
+ KEY_STORE_TRUST_STORE_PASSWORD);
    }

    private void clearSslConfOverlay(Map<String, String> confOverlay) {

http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
----------------------------------------------------------------------
diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
index 40ad3b2..0b0db43 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
@@ -44,13 +44,15 @@ import org.apache.http.client.ServiceUnavailableRetryStrategy;
  import org.apache.http.config.Registry;
  import org.apache.http.config.RegistryBuilder;
  import org.apache.http.conn.socket.ConnectionSocketFactory;
-import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
  import org.apache.http.impl.client.BasicCookieStore;
  import org.apache.http.impl.client.CloseableHttpClient;
  import org.apache.http.impl.client.HttpClientBuilder;
  import org.apache.http.impl.client.HttpClients;
  import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
  import org.apache.http.protocol.HttpContext;
+import org.apache.http.ssl.SSLContexts;
  import org.apache.thrift.TException;
  import org.apache.thrift.protocol.TBinaryProtocol;
  import org.apache.thrift.transport.THttpClient;
@@ -324,30 +326,29 @@ public class HiveConnection implements java.sql.Connection {
      if (isCookieEnabled) {
        // Create a http client with a retry mechanism when the server returns a status code of 401.
        httpClientBuilder =
- HttpClients.custom().setServiceUnavailableRetryStrategy(
- new ServiceUnavailableRetryStrategy() {
-
- @Override
- public boolean retryRequest(
- final HttpResponse response,
- final int executionCount,
- final HttpContext context) {
- int statusCode = response.getStatusLine().getStatusCode();
- boolean ret = statusCode == 401 && executionCount <= 1;
-
- // Set the context attribute to true which will be interpreted by the request interceptor
- if (ret) {
- context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY, Utils.HIVE_SERVER2_RETRY_TRUE);
- }
- return ret;
- }
-
- @Override
- public long getRetryInterval() {
- // Immediate retry
- return 0;
- }
- });
+ HttpClients.custom().setServiceUnavailableRetryStrategy(
+ new ServiceUnavailableRetryStrategy() {
+ @Override
+ public boolean retryRequest(final HttpResponse response, final int executionCount,
+ final HttpContext context) {
+ int statusCode = response.getStatusLine().getStatusCode();
+ boolean ret = statusCode == 401 && executionCount <= 1;
+
+ // Set the context attribute to true which will be interpreted by the request
+ // interceptor
+ if (ret) {
+ context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY,
+ Utils.HIVE_SERVER2_RETRY_TRUE);
+ }
+ return ret;
+ }
+
+ @Override
+ public long getRetryInterval() {
+ // Immediate retry
+ return 0;
+ }
+ });
      } else {
        httpClientBuilder = HttpClientBuilder.create();
      }
@@ -360,47 +361,37 @@ public class HiveConnection implements java.sql.Connection {
        String sslTrustStorePassword = sessConfMap.get(
          JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
        KeyStore sslTrustStore;
- SSLSocketFactory socketFactory;
-
+ SSLConnectionSocketFactory socketFactory;
+ SSLContext sslContext;
        /**
- * The code within the try block throws:
- * 1. SSLInitializationException
- * 2. KeyStoreException
- * 3. IOException
- * 4. NoSuchAlgorithmException
- * 5. CertificateException
- * 6. KeyManagementException
- * 7. UnrecoverableKeyException
- * We don't want the client to retry on any of these, hence we catch all
- * and throw a SQLException.
+ * The code within the try block throws: SSLInitializationException, KeyStoreException,
+ * IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException &
+ * UnrecoverableKeyException. We don't want the client to retry on any of these,
+ * hence we catch all and throw a SQLException.
         */
        try {
- if (useTwoWaySSL != null &&
- useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
+ if (useTwoWaySSL != null && useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
            socketFactory = getTwoWaySSLSocketFactory();
          } else if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
            // Create a default socket factory based on standard JSSE trust material
- socketFactory = SSLSocketFactory.getSocketFactory();
+ socketFactory = SSLConnectionSocketFactory.getSocketFactory();
          } else {
            // Pick trust store config from the given path
            sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
            try (FileInputStream fis = new FileInputStream(sslTrustStorePath)) {
              sslTrustStore.load(fis, sslTrustStorePassword.toCharArray());
            }
- socketFactory = new SSLSocketFactory(sslTrustStore);
+ sslContext = SSLContexts.custom().loadTrustMaterial(sslTrustStore, null).build();
+ socketFactory =
+ new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier(null));
          }
- socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
-
          final Registry<ConnectionSocketFactory> registry =
- RegistryBuilder.<ConnectionSocketFactory>create()
- .register("https", socketFactory)
- .build();
-
+ RegistryBuilder.<ConnectionSocketFactory> create().register("https", socketFactory)
+ .build();
          httpClientBuilder.setConnectionManager(new BasicHttpClientConnectionManager(registry));
- }
- catch (Exception e) {
- String msg = "Could not create an https connection to " +
- jdbcUriString + ". " + e.getMessage();
+ } catch (Exception e) {
+ String msg =
+ "Could not create an https connection to " + jdbcUriString + ". " + e.getMessage();
          throw new SQLException(msg, " 08S01", e);
        }
      }
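Review bot: `new DefaultHostnameVerifier(null)` in the trust-store branch passes no PublicSuffixMatcher, which, as far as I can tell from the httpclient 4.4+ API, disables the guard that rejects wildcard certificates issued for a public suffix such as `*.com` or `*.co.uk`; the other two branches (`SSLConnectionSocketFactory.getSocketFactory()` here and the one-arg `new SSLConnectionSocketFactory(context)` in the two-way path below) appear to get the matcher-backed default verifier implicitly, so the three paths do not enforce the same policy. Suggest `new SSLConnectionSocketFactory(sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier())` here, or passing an explicit verifier in all three branches so the policy lives in one place. Dropping ALLOW_ALL_HOSTNAME_VERIFIER is the security-relevant change in this commit and deserves a comment where the factory is built, e.g. `// Hostname verification is mandatory: the server certificate's SAN/CN must match the host in the JDBC URL`. Adjacent but pre-existing: the SQLSTATE literal `" 08S01"` in the catch block carries a leading space, which is why TestSSL has to `trim()` it. The enclosing method begins before this hunk.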
@@ -502,8 +493,8 @@ public class HiveConnection implements java.sql.Connection {
      return transport;
    }

- SSLSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
- SSLSocketFactory socketFactory = null;
+ SSLConnectionSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
+ SSLConnectionSocketFactory socketFactory = null;

      try {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
@@ -540,7 +531,7 @@ public class HiveConnection implements java.sql.Connection {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyManagerFactory.getKeyManagers(),
          trustManagerFactory.getTrustManagers(), new SecureRandom());
- socketFactory = new SSLSocketFactory(context);
+ socketFactory = new SSLConnectionSocketFactory(context);
      } catch (Exception e) {
        throw new SQLException("Error while initializing 2 way ssl socket factory ", e);
      }

http://git-wip-us.apache.org/repos/asf/hive/blob/3b2ea248/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index 8af9d0a..ab8806c 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -29,7 +29,9 @@ import java.util.HashMap;
  import java.util.List;
  import java.util.Map;

+import javax.net.ssl.SSLParameters;
  import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSocket;
  import javax.security.auth.login.LoginException;
  import javax.security.sasl.AuthenticationException;
  import javax.security.sasl.Sasl;
@@ -258,7 +260,9 @@ public class HiveAuthFactory {

    public static TTransport getSSLSocket(String host, int port, int loginTimeout)
      throws TTransportException {
- return TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
+ // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT
+ TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
+ return getSSLSocketWithHttps(tSSLSocket);
    }

    public static TTransport getSSLSocket(String host, int port, int loginTimeout,
@@ -267,7 +271,20 @@ public class HiveAuthFactory {
        new TSSLTransportFactory.TSSLTransportParameters();
      params.setTrustStore(trustStorePath, trustStorePassWord);
      params.requireClientAuth(true);
- return TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
+ // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT and
+ // SSLContext created with the given params
+ TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
+ return getSSLSocketWithHttps(tSSLSocket);
+ }
+
+ // Using endpoint identification algorithm as HTTPS enables us to do
+ // CNAMEs/subjectAltName verification
+ private static TSocket getSSLSocketWithHttps(TSocket tSSLSocket) throws TTransportException {
+ SSLSocket sslSocket = (SSLSocket) tSSLSocket.getSocket();
+ SSLParameters sslParams = sslSocket.getSSLParameters();
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ sslSocket.setSSLParameters(sslParams);
+ return new TSocket(sslSocket);
    }
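Review bot: The comment above getSSLSocketWithHttps says "CNAMEs/subjectAltName verification", but a CNAME is a DNS record; what the "HTTPS" endpoint identification algorithm checks is the certificate's subjectAltName dNSName (or iPAddress) entries, falling back to the subject CN, against the host passed to getClientSocket. Suggest replacing it with `// Enable JSSE endpoint identification ("HTTPS", RFC 2818 rules): the handshake now rejects a server certificate whose SAN/CN does not match the host we dialled. SSLParameters must be set before the handshake starts.` — that the socket returned by TSSLTransportFactory.getClientSocket is connected but not yet handshaken is my reading of that class and should be confirmed. Note this makes hostname verification mandatory on the binary Thrift path with no opt-out, a behaviour change for deployments whose HiveServer2 certificate does not match the connect host, and the commit title ("Add more test to ZK service discovery") does not mention it, so it should be called out in the release notes. Leaving getServerSocket untouched looks right, since endpoint identification is a client-side check.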

    public static TServerSocket getServerSocket(String hiveHost, int portNum)


  • Vgumashta at May 2, 2016 at 11:32 pm
    Repository: hive
    Updated Branches:
       refs/heads/branch-2.0 53aad28c6 -> 116751eb5


    HIVE-13390: HiveServer2: Add more test to ZK service discovery using MiniHS2 (Vaibhav Gumashta reviewed by Sushanth Sowmyan)


    Project: http://git-wip-us.apache.org/repos/asf/hive/repo
    Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/116751eb
    Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/116751eb
    Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/116751eb

    Branch: refs/heads/branch-2.0
    Commit: 116751eb543ff218502b5bf2add342b152baa17d
    Parents: 53aad28
    Author: Vaibhav Gumashta <vgumashta@hortonworks.com>
    Authored: Mon May 2 16:29:17 2016 -0700
    Committer: Vaibhav Gumashta <vgumashta@hortonworks.com>
    Committed: Mon May 2 16:29:17 2016 -0700

    ----------------------------------------------------------------------
      data/files/keystore.jks | Bin 2248 -> 2206 bytes
      data/files/keystore_exampledotcom.jks | Bin 0 -> 2222 bytes
      data/files/truststore.jks | Bin 958 -> 1816 bytes
      .../org/apache/hive/jdbc/miniHS2/MiniHS2.java | 33 +++++--
      .../jdbc/TestJdbcWithLocalClusterSpark.java | 2 +-
      .../apache/hive/jdbc/TestJdbcWithMiniMr.java | 2 +-
      ...stMultiSessionsHS2WithLocalClusterSpark.java | 7 +-
      .../test/java/org/apache/hive/jdbc/TestSSL.java | 71 +++++++++++--
      .../jdbc/authorization/TestHS2AuthzContext.java | 4 +-
      .../authorization/TestJdbcMetadataApiAuth.java | 2 +-
      .../TestJdbcWithSQLAuthorization.java | 2 +-
      .../org/apache/hive/jdbc/HiveConnection.java | 99 +++++++++----------
      .../hive/service/auth/HiveAuthFactory.java | 21 +++-
      13 files changed, 157 insertions(+), 86 deletions(-)
    ----------------------------------------------------------------------


    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/data/files/keystore.jks
    ----------------------------------------------------------------------
    diff --git a/data/files/keystore.jks b/data/files/keystore.jks
    index 469d8a5..8f35af0 100644
    Binary files a/data/files/keystore.jks and b/data/files/keystore.jks differ

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/data/files/keystore_exampledotcom.jks
    ----------------------------------------------------------------------
    diff --git a/data/files/keystore_exampledotcom.jks b/data/files/keystore_exampledotcom.jks
    new file mode 100644
    index 0000000..1d33aad
    Binary files /dev/null and b/data/files/keystore_exampledotcom.jks differ

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/data/files/truststore.jks
    ----------------------------------------------------------------------
    diff --git a/data/files/truststore.jks b/data/files/truststore.jks
    index 9c5d703..03dd2a3 100644
    Binary files a/data/files/truststore.jks and b/data/files/truststore.jks differ

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    index 8b0f9d4..1c02252 100644
    --- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    +++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    @@ -307,8 +307,9 @@ public class MiniHS2 extends AbstractHiveService {
        /**
         * return connection URL for this server instance
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL() {
    + public String getJdbcURL() throws Exception {
          return getJdbcURL("default");
        }

    @@ -316,8 +317,9 @@ public class MiniHS2 extends AbstractHiveService {
         * return connection URL for this server instance
         * @param dbName - DB name to be included in the URL
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName) {
    + public String getJdbcURL(String dbName) throws Exception {
          return getJdbcURL(dbName, "");
        }

    @@ -326,8 +328,9 @@ public class MiniHS2 extends AbstractHiveService {
         * @param dbName - DB name to be included in the URL
         * @param sessionConfExt - Addional string to be appended to sessionConf part of url
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName, String sessionConfExt) {
    + public String getJdbcURL(String dbName, String sessionConfExt) throws Exception {
          return getJdbcURL(dbName, sessionConfExt, "");
        }

    @@ -337,20 +340,30 @@ public class MiniHS2 extends AbstractHiveService {
         * @param sessionConfExt - Addional string to be appended to sessionConf part of url
         * @param hiveConfExt - Additional string to be appended to HiveConf part of url (excluding the ?)
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt) {
    + public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt)
    + throws Exception {
          sessionConfExt = (sessionConfExt == null ? "" : sessionConfExt);
          hiveConfExt = (hiveConfExt == null ? "" : hiveConfExt);
    - String krbConfig = "";
    + // Strip the leading ";" if provided
    + // (this is the assumption with which we're going to start configuring sessionConfExt)
    + if (sessionConfExt.startsWith(";")) {
    + sessionConfExt = sessionConfExt.substring(1);
    + }
          if (isUseMiniKdc()) {
    - krbConfig = "principal=" + serverPrincipal;
    + sessionConfExt = "principal=" + serverPrincipal + ";" + sessionConfExt;
          }
          if (isHttpTransportMode()) {
    - sessionConfExt = "transportMode=http;httpPath=cliservice;" + sessionConfExt;
    + sessionConfExt = "transportMode=http;httpPath=cliservice" + ";" + sessionConfExt;
    + }
    + String baseJdbcURL = getBaseJdbcURL();
    + baseJdbcURL = baseJdbcURL + dbName;
    + if (!sessionConfExt.isEmpty()) {
    + baseJdbcURL = baseJdbcURL + ";" + sessionConfExt;
          }
    - String baseJdbcURL = getBaseJdbcURL() + dbName + ";" + krbConfig + ";" + sessionConfExt;
    - if (!hiveConfExt.trim().equals("")) {
    - baseJdbcURL = "?" + hiveConfExt;
    + if ((hiveConfExt != null) && (!hiveConfExt.trim().isEmpty())) {
    + baseJdbcURL = baseJdbcURL + "?" + hiveConfExt;
          }
          return baseJdbcURL;
        }
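Review bot: The `(hiveConfExt != null)` test in the last `if` of this getJdbcURL is dead after the null-coalescing at the top of the method, and sessionConfExt is checked with `isEmpty()` while hiveConfExt is checked with `trim().isEmpty()`, so a whitespace-only sessionConfExt still produces a dangling `;` in the URL. Using `if (!sessionConfExt.trim().isEmpty())` and `if (!hiveConfExt.trim().isEmpty())` treats both extensions consistently. A one-line Javadoc note that sessionConfExt may be passed with or without a leading `;` would document the new stripping block.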

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    index f649fc2..cabddea 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    @@ -92,7 +92,7 @@ public class TestJdbcWithLocalClusterSpark {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
              getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    index bcd65a9..637e51a 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    @@ -83,7 +83,7 @@ public class TestJdbcWithMiniMr {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
              getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    index 0c3479d..3427c5c 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    @@ -101,7 +101,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
            getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();
    @@ -124,7 +124,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
          closeConnection();
        }

    - private void createConnection() throws SQLException {
    + private void createConnection() throws Exception {
          Connection connection = DriverManager.getConnection(miniHS2.getJdbcURL(dbName),
            System.getProperty("user.name"), "bar");
          Statement statement = connection.createStatement();
    @@ -215,8 +215,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
          };
        }

    - private void testKvQuery(String queryStr, String resultVal)
    - throws SQLException {
    + private void testKvQuery(String queryStr, String resultVal) throws Exception {
          createConnection();
          verifyResult(queryStr, resultVal, 2);
          closeConnection();

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    index b66ffda..92e7674 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    @@ -18,6 +18,7 @@

      package org.apache.hive.jdbc;
      import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.assertTrue;
      import static org.junit.Assert.fail;

      import java.io.File;
    @@ -46,9 +47,10 @@ import org.slf4j.LoggerFactory;

      public class TestSSL {
        private static final Logger LOG = LoggerFactory.getLogger(TestSSL.class);
    - private static final String KEY_STORE_NAME = "keystore.jks";
    + private static final String LOCALHOST_KEY_STORE_NAME = "keystore.jks";
    + private static final String EXAMPLEDOTCOM_KEY_STORE_NAME = "keystore_exampledotcom.jks";
        private static final String TRUST_STORE_NAME = "truststore.jks";
    - private static final String KEY_STORE_PASSWORD = "HiveJdbc";
    + private static final String KEY_STORE_TRUST_STORE_PASSWORD = "HiveJdbc";
        private static final String JAVA_TRUST_STORE_PROP = "javax.net.ssl.trustStore";
        private static final String JAVA_TRUST_STORE_PASS_PROP = "javax.net.ssl.trustStorePassword";
        private static final String HS2_BINARY_MODE = "binary";
    @@ -61,9 +63,9 @@ public class TestSSL {
        private Connection hs2Conn = null;
        private String dataFileDir = conf.get("test.data.files");
        private Map<String, String> confOverlay;
    - private final String SSL_CONN_PARAMS = ";ssl=true;sslTrustStore="
    + private final String SSL_CONN_PARAMS = "ssl=true;sslTrustStore="
            + URLEncoder.encode(dataFileDir + File.separator + TRUST_STORE_NAME) + ";trustStorePassword="
    - + KEY_STORE_PASSWORD;
    + + KEY_STORE_TRUST_STORE_PASSWORD;

        @BeforeClass
        public static void beforeTest() throws Exception {
    @@ -125,7 +127,7 @@ public class TestSSL {
          // make SSL connection
          hs2Conn =
              DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore=" + dataFileDir
    - + File.separator + TRUST_STORE_NAME + ";trustStorePassword=" + KEY_STORE_PASSWORD,
    + + File.separator + TRUST_STORE_NAME + ";trustStorePassword=" + KEY_STORE_TRUST_STORE_PASSWORD,
                  System.getProperty("user.name"), "bar");
          hs2Conn.close();
          Assert.assertEquals("Expected exit code of 1", 1, execCommand("openssl s_client -connect "
    @@ -142,7 +144,7 @@ public class TestSSL {
            hs2Conn =
                DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore="
                    + dataFileDir + File.separator + TRUST_STORE_NAME + ";trustStorePassword="
    - + KEY_STORE_PASSWORD, System.getProperty("user.name"), "bar");
    + + KEY_STORE_TRUST_STORE_PASSWORD, System.getProperty("user.name"), "bar");
            Assert.fail("Expected SQLException during connect");
          } catch (SQLException e) {
            LOG.info("Expected exception: " + e, e);
    @@ -179,7 +181,7 @@ public class TestSSL {
          }

          System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
    - System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
    + System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
          try {
            hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
                System.getProperty("user.name"), "bar");
    @@ -289,7 +291,7 @@ public class TestSSL {
          miniHS2.start(confOverlay);

          System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
    - System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
    + System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
          // make SSL connection
          hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
              System.getProperty("user.name"), "bar");
    @@ -373,6 +375,55 @@ public class TestSSL {
          hs2Conn.close();
        }

    + /***
    + * Test a new connection when server sends a certificate with wrong CN
    + * (sends a certificate for www.example.com instead of localhost)
    + * Opening a new connection with this wrong certificate should fail
    + * @throws Exception
    + */
    + @Test
    + public void testConnectionWrongCertCN() throws Exception {
    + // This call sets the default ssl params including the correct keystore in the server config
    + setSslConfOverlay(confOverlay);
    + // Replace default keystore with keystore for www.example.com
    + confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
    + + EXAMPLEDOTCOM_KEY_STORE_NAME);
    + // Binary (TCP) mode
    + setBinaryConfOverlay(confOverlay);
    + miniHS2.start(confOverlay);
    + try {
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
    + System.getProperty("user.name"), "bar");
    + fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
    + + "instead of localhost), should fail");
    + } catch (SQLException e) {
    + // Expected error: should throw java.security.cert.CertificateException
    + assertEquals("08S01", e.getSQLState().trim());
    + assertTrue(e.toString().contains("java.security.cert.CertificateException"));
    + }
    +
    + miniHS2.stop();
    +
    + // Http mode
    + setHttpConfOverlay(confOverlay);
    + miniHS2.start(confOverlay);
    + try {
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
    + System.getProperty("user.name"), "bar");
    + fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
    + + "instead of localhost), should fail");
    + } catch (SQLException e) {
    + // Expected error: should throw javax.net.ssl.SSLPeerUnverifiedException
    + assertEquals("08S01", e.getSQLState().trim());
    + assertTrue(e.toString().contains("javax.net.ssl.SSLPeerUnverifiedException"));
    + }
    + // Revert to default keystore path
    + confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
    + + LOCALHOST_KEY_STORE_NAME);
    + }
    +
        private void setupTestTableWithData(String tableName, Path dataFilePath,
            Connection hs2Conn) throws Exception {
          Statement stmt = hs2Conn.createStatement();
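Review bot: The keystore-path revert at the end of testConnectionWrongCertCN (`confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, ... LOCALHOST_KEY_STORE_NAME)`) is reached only on the success path; any assertion failure above skips it, so if `confOverlay` is reused across tests the next one would start HS2 with the www.example.com keystore. Wrapping everything from the first `miniHS2.start(confOverlay)` through the HTTP-mode catch in `try { … } finally { /* revert keystore path */ }` makes the restore unconditional (or the revert can go entirely if `@Before` rebuilds the overlay, which is not visible here). Separately, the binary-mode assertion only checks for `java.security.cert.CertificateException`, which is also the supertype thrown for an untrusted chain, so the test would still pass if the example.com certificate were simply absent from `truststore.jks`; additionally asserting on the hostname-specific cause (the JDK's `No subject alternative names` / `No name matching` message, at the cost of depending on JDK wording) would pin the behaviour the test is named for. The HTTP-mode `SSLPeerUnverifiedException` check already has that specificity.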
    @@ -391,9 +442,9 @@ public class TestSSL {
        private void setSslConfOverlay(Map<String, String> confOverlay) {
          confOverlay.put(ConfVars.HIVE_SERVER2_USE_SSL.varname, "true");
          confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname,
    - dataFileDir + File.separator + KEY_STORE_NAME);
    + dataFileDir + File.separator + LOCALHOST_KEY_STORE_NAME);
          confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PASSWORD.varname,
    - KEY_STORE_PASSWORD);
    + KEY_STORE_TRUST_STORE_PASSWORD);
        }

        private void clearSslConfOverlay(Map<String, String> confOverlay) {

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    index 0bb3c0a..c43776b 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    @@ -101,7 +101,7 @@ public class TestHS2AuthzContext {
          verifyContextContents("dfs -ls /", "-ls /");
        }

    - private void verifyContextContents(final String cmd, String ctxCmd) throws SQLException,
    + private void verifyContextContents(final String cmd, String ctxCmd) throws Exception,
            HiveAuthzPluginException, HiveAccessControlException {
          Connection hs2Conn = getConnection("user1");
          Statement stmt = hs2Conn.createStatement();
    @@ -126,7 +126,7 @@ public class TestHS2AuthzContext {

        }

    - private Connection getConnection(String userName) throws SQLException {
    + private Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    index 19b311d..692bfa0 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    @@ -253,7 +253,7 @@ public class TestJdbcMetadataApiAuth {
          }
        }

    - private static Connection getConnection(String userName) throws SQLException {
    + private static Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    index dacde45..5e653ec 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    @@ -126,7 +126,7 @@ public class TestJdbcWithSQLAuthorization {
          }
        }

    - private Connection getConnection(String userName) throws SQLException {
    + private Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    ----------------------------------------------------------------------
    diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    index e3a5028..2770afb 100644
    --- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    +++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    @@ -43,13 +43,15 @@ import org.apache.http.client.ServiceUnavailableRetryStrategy;
      import org.apache.http.config.Registry;
      import org.apache.http.config.RegistryBuilder;
      import org.apache.http.conn.socket.ConnectionSocketFactory;
    -import org.apache.http.conn.ssl.SSLSocketFactory;
    +import org.apache.http.conn.ssl.DefaultHostnameVerifier;
    +import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
      import org.apache.http.impl.client.BasicCookieStore;
      import org.apache.http.impl.client.CloseableHttpClient;
      import org.apache.http.impl.client.HttpClientBuilder;
      import org.apache.http.impl.client.HttpClients;
      import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
      import org.apache.http.protocol.HttpContext;
    +import org.apache.http.ssl.SSLContexts;
      import org.apache.thrift.TException;
      import org.apache.thrift.protocol.TBinaryProtocol;
      import org.apache.thrift.transport.THttpClient;
    @@ -305,30 +307,29 @@ public class HiveConnection implements java.sql.Connection {
          if (isCookieEnabled) {
            // Create a http client with a retry mechanism when the server returns a status code of 401.
            httpClientBuilder =
    - HttpClients.custom().setServiceUnavailableRetryStrategy(
    - new ServiceUnavailableRetryStrategy() {
    -
    - @Override
    - public boolean retryRequest(
    - final HttpResponse response,
    - final int executionCount,
    - final HttpContext context) {
    - int statusCode = response.getStatusLine().getStatusCode();
    - boolean ret = statusCode == 401 && executionCount <= 1;
    -
    - // Set the context attribute to true which will be interpreted by the request interceptor
    - if (ret) {
    - context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY, Utils.HIVE_SERVER2_RETRY_TRUE);
    - }
    - return ret;
    - }
    -
    - @Override
    - public long getRetryInterval() {
    - // Immediate retry
    - return 0;
    - }
    - });
    + HttpClients.custom().setServiceUnavailableRetryStrategy(
    + new ServiceUnavailableRetryStrategy() {
    + @Override
    + public boolean retryRequest(final HttpResponse response, final int executionCount,
    + final HttpContext context) {
    + int statusCode = response.getStatusLine().getStatusCode();
    + boolean ret = statusCode == 401 && executionCount <= 1;
    +
    + // Set the context attribute to true which will be interpreted by the request
    + // interceptor
    + if (ret) {
    + context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY,
    + Utils.HIVE_SERVER2_RETRY_TRUE);
    + }
    + return ret;
    + }
    +
    + @Override
    + public long getRetryInterval() {
    + // Immediate retry
    + return 0;
    + }
    + });
          } else {
            httpClientBuilder = HttpClientBuilder.create();
          }
    @@ -341,47 +342,37 @@ public class HiveConnection implements java.sql.Connection {
            String sslTrustStorePassword = sessConfMap.get(
              JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
            KeyStore sslTrustStore;
    - SSLSocketFactory socketFactory;
    -
    + SSLConnectionSocketFactory socketFactory;
    + SSLContext sslContext;
            /**
    - * The code within the try block throws:
    - * 1. SSLInitializationException
    - * 2. KeyStoreException
    - * 3. IOException
    - * 4. NoSuchAlgorithmException
    - * 5. CertificateException
    - * 6. KeyManagementException
    - * 7. UnrecoverableKeyException
    - * We don't want the client to retry on any of these, hence we catch all
    - * and throw a SQLException.
    + * The code within the try block throws: SSLInitializationException, KeyStoreException,
    + * IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException &
    + * UnrecoverableKeyException. We don't want the client to retry on any of these,
    + * hence we catch all and throw a SQLException.
             */
            try {
    - if (useTwoWaySSL != null &&
    - useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
    + if (useTwoWaySSL != null && useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
                socketFactory = getTwoWaySSLSocketFactory();
              } else if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
                // Create a default socket factory based on standard JSSE trust material
    - socketFactory = SSLSocketFactory.getSocketFactory();
    + socketFactory = SSLConnectionSocketFactory.getSocketFactory();
              } else {
                // Pick trust store config from the given path
                sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
                try (FileInputStream fis = new FileInputStream(sslTrustStorePath)) {
                  sslTrustStore.load(fis, sslTrustStorePassword.toCharArray());
                }
    - socketFactory = new SSLSocketFactory(sslTrustStore);
    + sslContext = SSLContexts.custom().loadTrustMaterial(sslTrustStore, null).build();
    + socketFactory =
    + new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier(null));
              }
    - socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    -
              final Registry<ConnectionSocketFactory> registry =
    - RegistryBuilder.<ConnectionSocketFactory>create()
    - .register("https", socketFactory)
    - .build();
    -
    + RegistryBuilder.<ConnectionSocketFactory> create().register("https", socketFactory)
    + .build();
              httpClientBuilder.setConnectionManager(new BasicHttpClientConnectionManager(registry));
    - }
    - catch (Exception e) {
    - String msg = "Could not create an https connection to " +
    - jdbcUriString + ". " + e.getMessage();
    + } catch (Exception e) {
    + String msg =
    + "Could not create an https connection to " + jdbcUriString + ". " + e.getMessage();
              throw new SQLException(msg, " 08S01", e);
            }
          }
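Review bot: `new DefaultHostnameVerifier(null)` passes no PublicSuffixMatcher, which as I read HttpClient 4.4's verifier skips the check that a wildcard identity does not span a public suffix, so a certificate for `*.com` would be accepted for any `.com` host; `new SSLConnectionSocketFactory(sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier())` uses the same verifier with the bundled public-suffix list, which is what the trust-store-less branch (`SSLConnectionSocketFactory.getSocketFactory()`) already gets. Dropping `ALLOW_ALL_HOSTNAME_VERIFIER` is the substantive security change in this hunk and deserves a one-line comment so it is not reintroduced, e.g. `// Hostname verification is deliberately enabled: the server certificate must match the host in the JDBC URL.` The pre-existing `sslTrustStorePassword.toCharArray()` in this hunk's context still throws NullPointerException when `trustStorePassword` is omitted even though `KeyStore.load` accepts a null password for reading; the commit leaves that untouched. The enclosing method starts and ends outside the hunk.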
    @@ -483,8 +474,8 @@ public class HiveConnection implements java.sql.Connection {
          return transport;
        }

    - SSLSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
    - SSLSocketFactory socketFactory = null;
    + SSLConnectionSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
    + SSLConnectionSocketFactory socketFactory = null;

          try {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
    @@ -521,7 +512,7 @@ public class HiveConnection implements java.sql.Connection {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagerFactory.getKeyManagers(),
              trustManagerFactory.getTrustManagers(), new SecureRandom());
    - socketFactory = new SSLSocketFactory(context);
    + socketFactory = new SSLConnectionSocketFactory(context);
          } catch (Exception e) {
            throw new SQLException("Error while initializing 2 way ssl socket factory ", e);
          }
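Review bot: `new SSLConnectionSocketFactory(context)` leaves hostname verification to HttpClient's default verifier, which is correct but implicit, whereas the one-way path changed in this same commit passes a `DefaultHostnameVerifier` explicitly; for consistency, and so a reader does not suspect the client-auth path skips server identity checks, pass it explicitly: `socketFactory = new SSLConnectionSocketFactory(context, SSLConnectionSocketFactory.getDefaultHostnameVerifier());` with a comment noting that two-way SSL does not relax verification of the server's certificate. The enclosing method getTwoWaySSLSocketFactory starts in an earlier hunk, outside this one.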

    http://git-wip-us.apache.org/repos/asf/hive/blob/116751eb/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    ----------------------------------------------------------------------
    diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    index 062974d..70a1f6b 100644
    --- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    +++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    @@ -28,7 +28,9 @@ import java.util.HashMap;
      import java.util.List;
      import java.util.Map;

    +import javax.net.ssl.SSLParameters;
      import javax.net.ssl.SSLServerSocket;
    +import javax.net.ssl.SSLSocket;
      import javax.security.auth.login.LoginException;
      import javax.security.sasl.AuthenticationException;
      import javax.security.sasl.Sasl;
    @@ -245,7 +247,9 @@ public class HiveAuthFactory {

        public static TTransport getSSLSocket(String host, int port, int loginTimeout)
          throws TTransportException {
    - return TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    + // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT
    + TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    + return getSSLSocketWithHttps(tSSLSocket);
        }

        public static TTransport getSSLSocket(String host, int port, int loginTimeout,
    @@ -254,7 +258,20 @@ public class HiveAuthFactory {
            new TSSLTransportFactory.TSSLTransportParameters();
          params.setTrustStore(trustStorePath, trustStorePassWord);
          params.requireClientAuth(true);
    - return TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    + // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT and
    + // SSLContext created with the given params
    + TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    + return getSSLSocketWithHttps(tSSLSocket);
    + }
    +
    + // Using endpoint identification algorithm as HTTPS enables us to do
    + // CNAMEs/subjectAltName verification
    + private static TSocket getSSLSocketWithHttps(TSocket tSSLSocket) throws TTransportException {
    + SSLSocket sslSocket = (SSLSocket) tSSLSocket.getSocket();
    + SSLParameters sslParams = sslSocket.getSSLParameters();
    + sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    + sslSocket.setSSLParameters(sslParams);
    + return new TSocket(sslSocket);
        }
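Review bot: getSSLSocketWithHttps casts `tSSLSocket.getSocket()` to `SSLSocket` unchecked; a guard such as `if (!(tSSLSocket.getSocket() instanceof SSLSocket)) { throw new TTransportException("Expected an SSL socket"); }` turns a mis-wired factory into a clear transport error instead of a ClassCastException. Since `setSSLParameters` mutates the socket already held by `tSSLSocket`, `return tSSLSocket;` would avoid building a second `TSocket` wrapper around the same socket (the first wrapper is discarded, and whatever its constructor did to the socket is repeated). The comment above the helper should say CN/subjectAltName rather than `CNAMEs`, and it is worth stating there that the parameters must be applied before the handshake starts, which holds only because `getClientSocket` returns a connected but not yet handshaken socket — an assumption this hunk relies on but does not record. Also note that HTTPS endpoint identification matches `host` exactly as the caller passed it, so connecting by IP address requires an IP subjectAltName in the server certificate.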

        public static TServerSocket getServerSocket(String hiveHost, int portNum)
  • Vgumashta at May 3, 2016 at 4:34 am
    Repository: hive
    Updated Branches:
       refs/heads/branch-1 0ed03eec7 -> d0736590d


    HIVE-13390: HiveServer2: Add more test to ZK service discovery using MiniHS2 (Vaibhav Gumashta reviewed by Sushanth Sowmyan)


    Project: http://git-wip-us.apache.org/repos/asf/hive/repo
    Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/d0736590
    Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/d0736590
    Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/d0736590

    Branch: refs/heads/branch-1
    Commit: d0736590d909faf90fad125b56d975406effadcf
    Parents: 0ed03ee
    Author: Vaibhav Gumashta <vgumashta@hortonworks.com>
    Authored: Mon May 2 21:33:52 2016 -0700
    Committer: Vaibhav Gumashta <vgumashta@hortonworks.com>
    Committed: Mon May 2 21:33:52 2016 -0700

    ----------------------------------------------------------------------
      .../org/apache/hive/jdbc/miniHS2/MiniHS2.java | 33 ++++--
      .../jdbc/TestJdbcWithLocalClusterSpark.java | 2 +-
      .../apache/hive/jdbc/TestJdbcWithMiniMr.java | 2 +-
      ...stMultiSessionsHS2WithLocalClusterSpark.java | 7 +-
      .../test/java/org/apache/hive/jdbc/TestSSL.java | 103 ++++++++++++++-----
      .../jdbc/authorization/TestHS2AuthzContext.java | 4 +-
      .../authorization/TestJdbcMetadataApiAuth.java | 2 +-
      .../TestJdbcWithSQLAuthorization.java | 2 +-
      .../org/apache/hive/jdbc/HiveConnection.java | 99 ++++++++----------
      .../hive/service/auth/HiveAuthFactory.java | 21 +++-
      10 files changed, 174 insertions(+), 101 deletions(-)
    ----------------------------------------------------------------------


    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    index 9f051ed..7101f94 100644
    --- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    +++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    @@ -300,8 +300,9 @@ public class MiniHS2 extends AbstractHiveService {
        /**
         * return connection URL for this server instance
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL() {
    + public String getJdbcURL() throws Exception {
          return getJdbcURL("default");
        }

    @@ -309,8 +310,9 @@ public class MiniHS2 extends AbstractHiveService {
         * return connection URL for this server instance
         * @param dbName - DB name to be included in the URL
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName) {
    + public String getJdbcURL(String dbName) throws Exception {
          return getJdbcURL(dbName, "");
        }

    @@ -319,8 +321,9 @@ public class MiniHS2 extends AbstractHiveService {
         * @param dbName - DB name to be included in the URL
         * @param sessionConfExt - Addional string to be appended to sessionConf part of url
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName, String sessionConfExt) {
    + public String getJdbcURL(String dbName, String sessionConfExt) throws Exception {
          return getJdbcURL(dbName, sessionConfExt, "");
        }

    @@ -330,20 +333,30 @@ public class MiniHS2 extends AbstractHiveService {
         * @param sessionConfExt - Addional string to be appended to sessionConf part of url
         * @param hiveConfExt - Additional string to be appended to HiveConf part of url (excluding the ?)
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt) {
    + public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt)
    + throws Exception {
          sessionConfExt = (sessionConfExt == null ? "" : sessionConfExt);
          hiveConfExt = (hiveConfExt == null ? "" : hiveConfExt);
    - String krbConfig = "";
    + // Strip the leading ";" if provided
    + // (this is the assumption with which we're going to start configuring sessionConfExt)
    + if (sessionConfExt.startsWith(";")) {
    + sessionConfExt = sessionConfExt.substring(1);
    + }
          if (isUseMiniKdc()) {
    - krbConfig = "principal=" + serverPrincipal;
    + sessionConfExt = "principal=" + serverPrincipal + ";" + sessionConfExt;
          }
          if (isHttpTransportMode()) {
    - sessionConfExt = "transportMode=http;httpPath=cliservice;" + sessionConfExt;
    + sessionConfExt = "transportMode=http;httpPath=cliservice" + ";" + sessionConfExt;
    + }
    + String baseJdbcURL = getBaseJdbcURL();
    + baseJdbcURL = baseJdbcURL + dbName;
    + if (!sessionConfExt.isEmpty()) {
    + baseJdbcURL = baseJdbcURL + ";" + sessionConfExt;
          }
    - String baseJdbcURL = getBaseJdbcURL() + dbName + ";" + krbConfig + ";" + sessionConfExt;
    - if (!hiveConfExt.trim().equals("")) {
    - baseJdbcURL = "?" + hiveConfExt;
    + if ((hiveConfExt != null) && (!hiveConfExt.trim().isEmpty())) {
    + baseJdbcURL = baseJdbcURL + "?" + hiveConfExt;
          }
          return baseJdbcURL;
        }
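Review bot: The `(hiveConfExt != null)` test in the last `if` is dead: `hiveConfExt` was normalized to `""` at the top of the method, so `if (!hiveConfExt.trim().isEmpty())` says the same thing without suggesting a second null source. The new `throws Exception` on all four getJdbcURL overloads is documented only by a bare `@throws Exception`, which tells callers nothing about what can fail; naming the actual source (presumably `getBaseJdbcURL()`, not visible in this hunk) or narrowing to its real exception type would be more useful than forcing every caller in this commit to widen to `throws Exception`. The repair of the old `baseJdbcURL = "?" + hiveConfExt;` overwrite is correct as written.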

    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    index f649fc2..cabddea 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    @@ -92,7 +92,7 @@ public class TestJdbcWithLocalClusterSpark {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
              getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();

    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    index bcd65a9..637e51a 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    @@ -83,7 +83,7 @@ public class TestJdbcWithMiniMr {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
              getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();

    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    index 0c3479d..3427c5c 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    @@ -101,7 +101,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
            getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();
    @@ -124,7 +124,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
          closeConnection();
        }

    - private void createConnection() throws SQLException {
    + private void createConnection() throws Exception {
          Connection connection = DriverManager.getConnection(miniHS2.getJdbcURL(dbName),
            System.getProperty("user.name"), "bar");
          Statement statement = connection.createStatement();
    @@ -215,8 +215,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
          };
        }

    - private void testKvQuery(String queryStr, String resultVal)
    - throws SQLException {
    + private void testKvQuery(String queryStr, String resultVal) throws Exception {
          createConnection();
          verifyResult(queryStr, resultVal, 2);
          closeConnection();

    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    index 28a3777..39c8361 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    @@ -18,6 +18,7 @@

      package org.apache.hive.jdbc;
      import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.assertTrue;
      import static org.junit.Assert.fail;

      import java.io.File;
    @@ -46,9 +47,10 @@ import org.slf4j.LoggerFactory;

      public class TestSSL {
        private static final Logger LOG = LoggerFactory.getLogger(TestSSL.class);
    - private static final String KEY_STORE_NAME = "keystore.jks";
    + private static final String LOCALHOST_KEY_STORE_NAME = "keystore.jks";
    + private static final String EXAMPLEDOTCOM_KEY_STORE_NAME = "keystore_exampledotcom.jks";
        private static final String TRUST_STORE_NAME = "truststore.jks";
    - private static final String KEY_STORE_PASSWORD = "HiveJdbc";
    + private static final String KEY_STORE_TRUST_STORE_PASSWORD = "HiveJdbc";
        private static final String JAVA_TRUST_STORE_PROP = "javax.net.ssl.trustStore";
        private static final String JAVA_TRUST_STORE_PASS_PROP = "javax.net.ssl.trustStorePassword";
        private static final String HS2_BINARY_MODE = "binary";
    @@ -62,8 +64,9 @@ public class TestSSL {
        private Connection hs2Conn = null;
        private String dataFileDir = conf.get("test.data.files");
        private Map<String, String> confOverlay;
    - private final String SSL_CONN_PARAMS = ";ssl=true;sslTrustStore=" + URLEncoder.encode(dataFileDir + File.separator +
    - TRUST_STORE_NAME) + ";trustStorePassword=" + KEY_STORE_PASSWORD;
    + private final String SSL_CONN_PARAMS = ";ssl=true;sslTrustStore="
    + + URLEncoder.encode(dataFileDir + File.separator + TRUST_STORE_NAME) + ";trustStorePassword="
    + + KEY_STORE_TRUST_STORE_PASSWORD;

        @BeforeClass
        public static void beforeTest() throws Exception {
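Review bot: The rebuilt SSL_CONN_PARAMS initializer still calls the single-argument `URLEncoder.encode(String)`, which is deprecated and encodes with the platform default charset, so a data directory containing non-ASCII characters would be encoded differently from one JVM to the next. Use `URLEncoder.encode(dataFileDir + File.separator + TRUST_STORE_NAME, "UTF-8")`, moving the construction into a small static helper since the field initializer cannot declare UnsupportedEncodingException. The inline `getConnection` URLs in the later hunks of this file pass the same trust-store path unencoded, so one of the two forms is presumably wrong for paths containing reserved characters; worth settling on one.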
    @@ -112,8 +115,10 @@ public class TestSSL {
        @Test
        public void testSSLVersion() throws Exception {
          Assume.assumeTrue(execCommand("which openssl") == 0); // we need openssl
    - Assume.assumeTrue(System.getProperty("os.name").toLowerCase()
    - .contains("linux")); // we depend on linux openssl exit codes
    + Assume.assumeTrue(System.getProperty("os.name").toLowerCase().contains("linux")); // we depend
    + // on linux
    + // openssl
    + // exit codes

          setSslConfOverlay(confOverlay);
          // Test in binary mode
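Review bot: The trailing comment on the `Assume.assumeTrue(...)` line has been chopped by the formatter into four fragments (`// we depend` / `// on linux` / `// openssl` / `// exit codes`), which read as unrelated comments. Put it on its own line above the call instead: `// We depend on Linux openssl exit codes`. testSSLVersion continues past the end of the hunk.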
    @@ -122,16 +127,15 @@ public class TestSSL {
          miniHS2.start(confOverlay);

          // make SSL connection
    - hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore=" +
    - dataFileDir + File.separator + TRUST_STORE_NAME + ";trustStorePassword=" +
    - KEY_STORE_PASSWORD, System.getProperty("user.name"), "bar");
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore=" + dataFileDir
    + + File.separator + TRUST_STORE_NAME + ";trustStorePassword="
    + + KEY_STORE_TRUST_STORE_PASSWORD, System.getProperty("user.name"), "bar");
          hs2Conn.close();
    - Assert.assertEquals("Expected exit code of 1", 1,
    - execCommand("openssl s_client -connect " + miniHS2.getHost() + ":" + miniHS2.getBinaryPort()
    - + " -ssl2 < /dev/null"));
    - Assert.assertEquals("Expected exit code of 1", 1,
    - execCommand("openssl s_client -connect " + miniHS2.getHost() + ":" + miniHS2.getBinaryPort()
    - + " -ssl3 < /dev/null"));
    + Assert.assertEquals("Expected exit code of 1", 1, execCommand("openssl s_client -connect "
    + + miniHS2.getHost() + ":" + miniHS2.getBinaryPort() + " -ssl2 < /dev/null"));
    + Assert.assertEquals("Expected exit code of 1", 1, execCommand("openssl s_client -connect "
    + + miniHS2.getHost() + ":" + miniHS2.getBinaryPort() + " -ssl3 < /dev/null"));
          miniHS2.stop();

          // Test in http mode
    @@ -139,12 +143,12 @@ public class TestSSL {
          miniHS2.start(confOverlay);
          // make SSL connection
          try {
    - hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() +
    - ";ssl=true;sslTrustStore=" + dataFileDir + File.separator +
    - TRUST_STORE_NAME + ";trustStorePassword=" + KEY_STORE_PASSWORD +
    - "?hive.server2.transport.mode=" + HS2_HTTP_MODE +
    - ";hive.server2.thrift.http.path=" + HS2_HTTP_ENDPOINT,
    - System.getProperty("user.name"), "bar");
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore="
    + + dataFileDir + File.separator + TRUST_STORE_NAME + ";trustStorePassword="
    + + KEY_STORE_TRUST_STORE_PASSWORD + "?hive.server2.transport.mode=" + HS2_HTTP_MODE
    + + ";hive.server2.thrift.http.path=" + HS2_HTTP_ENDPOINT,
    + System.getProperty("user.name"), "bar");
            Assert.fail("Expected SQLException during connect");
          } catch (SQLException e) {
            LOG.info("Expected exception: " + e, e);
    @@ -181,7 +185,7 @@ public class TestSSL {
          }

          System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
    - System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
    + System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
          try {
            hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
                System.getProperty("user.name"), "bar");
    @@ -291,7 +295,7 @@ public class TestSSL {
          miniHS2.start(confOverlay);

          System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
    - System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
    + System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
          // make SSL connection
          hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
              System.getProperty("user.name"), "bar");
    @@ -375,6 +379,55 @@ public class TestSSL {
          hs2Conn.close();
        }

    + /***
    + * Test a new connection when server sends a certificate with wrong CN
    + * (sends a certificate for www.example.com instead of localhost)
    + * Opening a new connection with this wrong certificate should fail
    + * @throws Exception
    + */
    + @Test
    + public void testConnectionWrongCertCN() throws Exception {
    + // This call sets the default ssl params including the correct keystore in the server config
    + setSslConfOverlay(confOverlay);
    + // Replace default keystore with keystore for www.example.com
    + confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
    + + EXAMPLEDOTCOM_KEY_STORE_NAME);
    + // Binary (TCP) mode
    + setBinaryConfOverlay(confOverlay);
    + miniHS2.start(confOverlay);
    + try {
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
    + System.getProperty("user.name"), "bar");
    + fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
    + + "instead of localhost), should fail");
    + } catch (SQLException e) {
    + // Expected error: should throw java.security.cert.CertificateException
    + assertEquals("08S01", e.getSQLState().trim());
    + assertTrue(e.toString().contains("java.security.cert.CertificateException"));
    + }
    +
    + miniHS2.stop();
    +
    + // Http mode
    + setHttpConfOverlay(confOverlay);
    + miniHS2.start(confOverlay);
    + try {
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
    + System.getProperty("user.name"), "bar");
    + fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
    + + "instead of localhost), should fail");
    + } catch (SQLException e) {
    + // Expected error: should throw javax.net.ssl.SSLPeerUnverifiedException
    + assertEquals("08S01", e.getSQLState().trim());
    + assertTrue(e.toString().contains("javax.net.ssl.SSLPeerUnverifiedException"));
    + }
    + // Revert to default keystore path
    + confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
    + + LOCALHOST_KEY_STORE_NAME);
    + }
    +
        private void setupTestTableWithData(String tableName, Path dataFilePath,
            Connection hs2Conn) throws Exception {
          Statement stmt = hs2Conn.createStatement();
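Review bot: In testConnectionWrongCertCN neither `miniHS2.stop()` nor the revert of HIVE_SERVER2_SSL_KEYSTORE_PATH is protected by a finally block, so if a connection unexpectedly succeeds, the `fail(...)` leaves the server running and the shared overlay pointing at the www.example.com keystore for whatever runs next (whether an @After hook covers this is not visible here). The HTTP-mode leg also never calls `miniHS2.stop()`, unlike the binary leg. Wrapping each start/connect pair in try/finally and moving the keystore revert into an outer finally keeps the fixture consistent regardless of outcome; the fail messages also misspell "certificate" as "certifcate". The enclosing class continues past the hunk.
```java
  @Test
  public void testConnectionWrongCertCN() throws Exception {
    setSslConfOverlay(confOverlay);
    confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
        + EXAMPLEDOTCOM_KEY_STORE_NAME);
    try {
      // Binary (TCP) mode
      setBinaryConfOverlay(confOverlay);
      miniHS2.start(confOverlay);
      try {
        // … unchanged: connect, fail(), catch SQLException and assert CertificateException …
      } finally {
        miniHS2.stop();
      }
      // Http mode
      setHttpConfOverlay(confOverlay);
      miniHS2.start(confOverlay);
      try {
        // … unchanged: connect, fail(), catch SQLException and assert SSLPeerUnverifiedException …
      } finally {
        miniHS2.stop();
      }
    } finally {
      // Revert to default keystore path even when an assertion fails
      confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
          + LOCALHOST_KEY_STORE_NAME);
    }
  }
```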
    @@ -393,9 +446,9 @@ public class TestSSL {
        private void setSslConfOverlay(Map<String, String> confOverlay) {
          confOverlay.put(ConfVars.HIVE_SERVER2_USE_SSL.varname, "true");
          confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname,
    - dataFileDir + File.separator + KEY_STORE_NAME);
    + dataFileDir + File.separator + LOCALHOST_KEY_STORE_NAME);
          confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PASSWORD.varname,
    - KEY_STORE_PASSWORD);
    + KEY_STORE_TRUST_STORE_PASSWORD);
        }

        private void clearSslConfOverlay(Map<String, String> confOverlay) {

    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    index 0bb3c0a..c43776b 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    @@ -101,7 +101,7 @@ public class TestHS2AuthzContext {
          verifyContextContents("dfs -ls /", "-ls /");
        }

    - private void verifyContextContents(final String cmd, String ctxCmd) throws SQLException,
    + private void verifyContextContents(final String cmd, String ctxCmd) throws Exception,
            HiveAuthzPluginException, HiveAccessControlException {
          Connection hs2Conn = getConnection("user1");
          Statement stmt = hs2Conn.createStatement();
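Review bot: The new `throws Exception, HiveAuthzPluginException, HiveAccessControlException` clause on verifyContextContents lists two types that are presumably subclasses of Exception and therefore already covered by the first entry; a reader has to work out that the list is redundant. Either reduce it to `throws Exception` or, better, keep the original specific list and narrow whatever checked exception MiniHS2.getJdbcURL() now declares. The method body continues outside the hunk.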
    @@ -126,7 +126,7 @@ public class TestHS2AuthzContext {

        }

    - private Connection getConnection(String userName) throws SQLException {
    + private Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    index 19b311d..692bfa0 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    @@ -253,7 +253,7 @@ public class TestJdbcMetadataApiAuth {
          }
        }

    - private static Connection getConnection(String userName) throws SQLException {
    + private static Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    index dacde45..5e653ec 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    @@ -126,7 +126,7 @@ public class TestJdbcWithSQLAuthorization {
          }
        }

    - private Connection getConnection(String userName) throws SQLException {
    + private Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    ----------------------------------------------------------------------
    diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    index 3784740..8c64838 100644
    --- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    +++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    @@ -87,11 +87,13 @@ import org.apache.http.client.ServiceUnavailableRetryStrategy;
      import org.apache.http.config.Registry;
      import org.apache.http.config.RegistryBuilder;
      import org.apache.http.conn.socket.ConnectionSocketFactory;
    -import org.apache.http.conn.ssl.SSLSocketFactory;
    +import org.apache.http.conn.ssl.DefaultHostnameVerifier;
    +import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
      import org.apache.http.impl.client.BasicCookieStore;
      import org.apache.http.impl.client.HttpClientBuilder;
      import org.apache.http.impl.client.HttpClients;
      import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
    +import org.apache.http.ssl.SSLContexts;
      import org.apache.thrift.TException;
      import org.apache.thrift.protocol.TBinaryProtocol;
      import org.apache.thrift.transport.THttpClient;
    @@ -307,30 +309,29 @@ public class HiveConnection implements java.sql.Connection {
          if (isCookieEnabled) {
            // Create a http client with a retry mechanism when the server returns a status code of 401.
            httpClientBuilder =
    - HttpClients.custom().setServiceUnavailableRetryStrategy(
    - new ServiceUnavailableRetryStrategy() {
    -
    - @Override
    - public boolean retryRequest(
    - final HttpResponse response,
    - final int executionCount,
    - final HttpContext context) {
    - int statusCode = response.getStatusLine().getStatusCode();
    - boolean ret = statusCode == 401 && executionCount <= 1;
    -
    - // Set the context attribute to true which will be interpreted by the request interceptor
    - if (ret) {
    - context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY, Utils.HIVE_SERVER2_RETRY_TRUE);
    - }
    - return ret;
    - }
    -
    - @Override
    - public long getRetryInterval() {
    - // Immediate retry
    - return 0;
    - }
    - });
    + HttpClients.custom().setServiceUnavailableRetryStrategy(
    + new ServiceUnavailableRetryStrategy() {
    + @Override
    + public boolean retryRequest(final HttpResponse response, final int executionCount,
    + final HttpContext context) {
    + int statusCode = response.getStatusLine().getStatusCode();
    + boolean ret = statusCode == 401 && executionCount <= 1;
    +
    + // Set the context attribute to true which will be interpreted by the request
    + // interceptor
    + if (ret) {
    + context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY,
    + Utils.HIVE_SERVER2_RETRY_TRUE);
    + }
    + return ret;
    + }
    +
    + @Override
    + public long getRetryInterval() {
    + // Immediate retry
    + return 0;
    + }
    + });
          } else {
            httpClientBuilder = HttpClientBuilder.create();
          }
    @@ -343,47 +344,37 @@ public class HiveConnection implements java.sql.Connection {
            String sslTrustStorePassword = sessConfMap.get(
              JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
            KeyStore sslTrustStore;
    - SSLSocketFactory socketFactory;
    -
    + SSLConnectionSocketFactory socketFactory;
    + SSLContext sslContext;
            /**
    - * The code within the try block throws:
    - * 1. SSLInitializationException
    - * 2. KeyStoreException
    - * 3. IOException
    - * 4. NoSuchAlgorithmException
    - * 5. CertificateException
    - * 6. KeyManagementException
    - * 7. UnrecoverableKeyException
    - * We don't want the client to retry on any of these, hence we catch all
    - * and throw a SQLException.
    + * The code within the try block throws: SSLInitializationException, KeyStoreException,
    + * IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException &
    + * UnrecoverableKeyException. We don't want the client to retry on any of these,
    + * hence we catch all and throw a SQLException.
             */
            try {
    - if (useTwoWaySSL != null &&
    - useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
    + if (useTwoWaySSL != null && useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
                socketFactory = getTwoWaySSLSocketFactory();
              } else if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
                // Create a default socket factory based on standard JSSE trust material
    - socketFactory = SSLSocketFactory.getSocketFactory();
    + socketFactory = SSLConnectionSocketFactory.getSocketFactory();
              } else {
                // Pick trust store config from the given path
                sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
                try (FileInputStream fis = new FileInputStream(sslTrustStorePath)) {
                  sslTrustStore.load(fis, sslTrustStorePassword.toCharArray());
                }
    - socketFactory = new SSLSocketFactory(sslTrustStore);
    + sslContext = SSLContexts.custom().loadTrustMaterial(sslTrustStore, null).build();
    + socketFactory =
    + new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier(null));
              }
    - socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    -
              final Registry<ConnectionSocketFactory> registry =
    - RegistryBuilder.<ConnectionSocketFactory>create()
    - .register("https", socketFactory)
    - .build();
    -
    + RegistryBuilder.<ConnectionSocketFactory> create().register("https", socketFactory)
    + .build();
              httpClientBuilder.setConnectionManager(new BasicHttpClientConnectionManager(registry));
    - }
    - catch (Exception e) {
    - String msg = "Could not create an https connection to " +
    - jdbcUriString + ". " + e.getMessage();
    + } catch (Exception e) {
    + String msg =
    + "Could not create an https connection to " + jdbcUriString + ". " + e.getMessage();
              throw new SQLException(msg, " 08S01", e);
            }
          }
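Review bot: `new DefaultHostnameVerifier(null)` on the custom-trust-store branch passes no PublicSuffixMatcher, and in HttpClient 4.4+, if I read the library right, that skips the check that a wildcard certificate identity does not cover a public suffix (e.g. `*.com`), whereas the other two branches (`SSLConnectionSocketFactory.getSocketFactory()` here and the single-argument `SSLConnectionSocketFactory(context)` in getTwoWaySSLSocketFactory's hunk below) get the library default verifier, which does carry the matcher. For consistent hostname verification across all three paths use `new SSLConnectionSocketFactory(sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier())`. `SSLContext sslContext` is declared at method scope but only assigned in that one branch, so it can be declared inline on the `SSLContexts.custom()` line. The SQLSTATE literal `" 08S01"` on the context line carries a leading space, which is why the new test has to `trim()` the state before comparing; worth fixing while this code is being touched.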
    @@ -474,8 +465,8 @@ public class HiveConnection implements java.sql.Connection {
          return transport;
        }

    - SSLSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
    - SSLSocketFactory socketFactory = null;
    + SSLConnectionSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
    + SSLConnectionSocketFactory socketFactory = null;

          try {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
    @@ -512,7 +503,7 @@ public class HiveConnection implements java.sql.Connection {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagerFactory.getKeyManagers(),
              trustManagerFactory.getTrustManagers(), new SecureRandom());
    - socketFactory = new SSLSocketFactory(context);
    + socketFactory = new SSLConnectionSocketFactory(context);
          } catch (Exception e) {
            throw new SQLException("Error while initializing 2 way ssl socket factory ", e);
          }

    http://git-wip-us.apache.org/repos/asf/hive/blob/d0736590/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    ----------------------------------------------------------------------
    diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    index 0c7455d..bb77b92 100644
    --- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    +++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    @@ -28,7 +28,9 @@ import java.util.HashMap;
      import java.util.List;
      import java.util.Map;

    +import javax.net.ssl.SSLParameters;
      import javax.net.ssl.SSLServerSocket;
    +import javax.net.ssl.SSLSocket;
      import javax.security.auth.login.LoginException;
      import javax.security.sasl.AuthenticationException;
      import javax.security.sasl.Sasl;
    @@ -242,7 +244,9 @@ public class HiveAuthFactory {

        public static TTransport getSSLSocket(String host, int port, int loginTimeout)
          throws TTransportException {
    - return TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    + // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT
    + TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    + return getSSLSocketWithHttps(tSSLSocket);
        }

        public static TTransport getSSLSocket(String host, int port, int loginTimeout,
    @@ -251,7 +255,20 @@ public class HiveAuthFactory {
            new TSSLTransportFactory.TSSLTransportParameters();
          params.setTrustStore(trustStorePath, trustStorePassWord);
          params.requireClientAuth(true);
    - return TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    + // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT and
    + // SSLContext created with the given params
    + TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    + return getSSLSocketWithHttps(tSSLSocket);
    + }
    +
    + // Using endpoint identification algorithm as HTTPS enables us to do
    + // CNAMEs/subjectAltName verification
    + private static TSocket getSSLSocketWithHttps(TSocket tSSLSocket) throws TTransportException {
    + SSLSocket sslSocket = (SSLSocket) tSSLSocket.getSocket();
    + SSLParameters sslParams = sslSocket.getSSLParameters();
    + sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    + sslSocket.setSSLParameters(sslParams);
    + return new TSocket(sslSocket);
        }

        public static TServerSocket getServerSocket(String hiveHost, int portNum)
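Review bot: The comment above getSSLSocketWithHttps says the HTTPS endpoint identification algorithm enables "CNAMEs/subjectAltName verification", but what it enables is checking the server certificate's subject CN and subjectAltName entries against the requested host name, not DNS CNAME records; suggest `// The HTTPS endpoint identification algorithm makes the JSSE trust manager verify the server certificate's CN/subjectAltName against the host we connected to`. Setting SSLParameters only takes effect if the handshake has not yet started, which holds here only because TSSLTransportFactory.getClientSocket returns before any I/O on the socket; a one-line comment stating that assumption would help the next maintainer. The helper is shared by both getSSLSocket overloads (this hunk and the previous one).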
  • Vgumashta at May 3, 2016 at 5:13 am
    Repository: hive
    Updated Branches:
       refs/heads/branch-1.2 029b8833e -> 5d4c2bd63


    HIVE-13390: HiveServer2: Add more test to ZK service discovery using MiniHS2 (Vaibhav Gumashta reviewed by Sushanth Sowmyan)


    Project: http://git-wip-us.apache.org/repos/asf/hive/repo
    Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/5d4c2bd6
    Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/5d4c2bd6
    Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/5d4c2bd6

    Branch: refs/heads/branch-1.2
    Commit: 5d4c2bd63c6b819af1440ceba7657447c047e3d2
    Parents: 029b883
    Author: Vaibhav Gumashta <vgumashta@hortonworks.com>
    Authored: Mon May 2 22:10:36 2016 -0700
    Committer: Vaibhav Gumashta <vgumashta@hortonworks.com>
    Committed: Mon May 2 22:10:36 2016 -0700

    ----------------------------------------------------------------------
      data/files/keystore.jks | Bin 2248 -> 2206 bytes
      data/files/keystore_exampledotcom.jks | Bin 0 -> 2222 bytes
      data/files/truststore.jks | Bin 958 -> 1816 bytes
      .../org/apache/hive/jdbc/miniHS2/MiniHS2.java | 35 +++++--
      .../jdbc/TestJdbcWithLocalClusterSpark.java | 2 +-
      .../apache/hive/jdbc/TestJdbcWithMiniMr.java | 2 +-
      ...stMultiSessionsHS2WithLocalClusterSpark.java | 7 +-
      .../test/java/org/apache/hive/jdbc/TestSSL.java | 103 ++++++++++++++-----
      .../jdbc/authorization/TestHS2AuthzContext.java | 4 +-
      .../authorization/TestJdbcMetadataApiAuth.java | 2 +-
      .../TestJdbcWithSQLAuthorization.java | 2 +-
      .../org/apache/hive/jdbc/HiveConnection.java | 101 +++++++++---------
      .../hive/service/auth/HiveAuthFactory.java | 21 +++-
      13 files changed, 176 insertions(+), 103 deletions(-)
    ----------------------------------------------------------------------


    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/data/files/keystore.jks
    ----------------------------------------------------------------------
    diff --git a/data/files/keystore.jks b/data/files/keystore.jks
    index 469d8a5..8f35af0 100644
    Binary files a/data/files/keystore.jks and b/data/files/keystore.jks differ

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/data/files/keystore_exampledotcom.jks
    ----------------------------------------------------------------------
    diff --git a/data/files/keystore_exampledotcom.jks b/data/files/keystore_exampledotcom.jks
    new file mode 100644
    index 0000000..1d33aad
    Binary files /dev/null and b/data/files/keystore_exampledotcom.jks differ

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/data/files/truststore.jks
    ----------------------------------------------------------------------
    diff --git a/data/files/truststore.jks b/data/files/truststore.jks
    index 9c5d703..03dd2a3 100644
    Binary files a/data/files/truststore.jks and b/data/files/truststore.jks differ

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    index adb8a71..096c76f 100644
    --- a/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    +++ b/itests/hive-unit/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java
    @@ -300,8 +300,9 @@ public class MiniHS2 extends AbstractHiveService {
        /**
         * return connection URL for this server instance
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL() {
    + public String getJdbcURL() throws Exception {
          return getJdbcURL("default");
        }

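Review bot: `getJdbcURL()` (and its three overloads in the following hunks) now declares `throws Exception`, which is why every test helper in this page widened `throws SQLException` to `throws Exception` (TestJdbcWithLocalClusterSpark, TestJdbcWithMiniMr, TestMultiSessionsHS2WithLocalClusterSpark, TestHS2AuthzContext, TestJdbcMetadataApiAuth, TestJdbcWithSQLAuthorization). The checked exception actually raised comes from outside these hunks (presumably getBaseJdbcURL or the service-discovery lookup); declaring that specific type, or wrapping it in an IllegalStateException, would keep all the callers' signatures precise. The added `@throws Exception` Javadoc tags give no description, and the `@return` tags remain empty.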
    @@ -309,8 +310,9 @@ public class MiniHS2 extends AbstractHiveService {
         * return connection URL for this server instance
         * @param dbName - DB name to be included in the URL
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName) {
    + public String getJdbcURL(String dbName) throws Exception {
          return getJdbcURL(dbName, "");
        }

    @@ -319,8 +321,9 @@ public class MiniHS2 extends AbstractHiveService {
         * @param dbName - DB name to be included in the URL
         * @param sessionConfExt - Addional string to be appended to sessionConf part of url
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName, String sessionConfExt) {
    + public String getJdbcURL(String dbName, String sessionConfExt) throws Exception {
          return getJdbcURL(dbName, sessionConfExt, "");
        }

    @@ -330,22 +333,32 @@ public class MiniHS2 extends AbstractHiveService {
         * @param sessionConfExt - Addional string to be appended to sessionConf part of url
         * @param hiveConfExt - Additional string to be appended to HiveConf part of url (excluding the ?)
         * @return
    + * @throws Exception
         */
    - public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt) {
    + public String getJdbcURL(String dbName, String sessionConfExt, String hiveConfExt)
    + throws Exception {
          sessionConfExt = (sessionConfExt == null ? "" : sessionConfExt);
          hiveConfExt = (hiveConfExt == null ? "" : hiveConfExt);
    - String krbConfig = "";
    + // Strip the leading ";" if provided
    + // (this is the assumption with which we're going to start configuring sessionConfExt)
    + if (sessionConfExt.startsWith(";")) {
    + sessionConfExt = sessionConfExt.substring(1);
    + }
          if (isUseMiniKdc()) {
    - krbConfig = ";principal=" + serverPrincipal;
    + sessionConfExt = "principal=" + serverPrincipal + ";" + sessionConfExt;
          }
          if (isHttpTransportMode()) {
    - hiveConfExt = "hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice;"
    - + hiveConfExt;
    + sessionConfExt = "transportMode=http;httpPath=cliservice" + ";" + sessionConfExt;
    + }
    + String baseJdbcURL = getBaseJdbcURL();
    + baseJdbcURL = baseJdbcURL + dbName;
    + if (!sessionConfExt.isEmpty()) {
    + baseJdbcURL = baseJdbcURL + ";" + sessionConfExt;
          }
    - if (!hiveConfExt.trim().equals("")) {
    - hiveConfExt = "?" + hiveConfExt;
    + if ((hiveConfExt != null) && (!hiveConfExt.trim().isEmpty())) {
    + baseJdbcURL = baseJdbcURL + "?" + hiveConfExt;
          }
    - return getBaseJdbcURL() + dbName + krbConfig + sessionConfExt + hiveConfExt;
    + return baseJdbcURL;
        }

        /**
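Review bot: The null check in `if ((hiveConfExt != null) && (!hiveConfExt.trim().isEmpty()))` is redundant, since hiveConfExt was normalized to `""` a few lines earlier; and the trimmed value is only tested, while the untrimmed one is appended, so surrounding whitespace ends up in the URL after the `?`. `if (!hiveConfExt.trim().isEmpty()) { baseJdbcURL = baseJdbcURL + "?" + hiveConfExt.trim(); }` keeps both consistent. The leading-";" stripping on sessionConfExt removes only a single separator, which is fine if that is the documented contract, but the Javadoc above still describes sessionConfExt only as a string "to be appended" and does not mention it.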

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    index f649fc2..cabddea 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithLocalClusterSpark.java
    @@ -92,7 +92,7 @@ public class TestJdbcWithLocalClusterSpark {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
              getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    index bcd65a9..637e51a 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcWithMiniMr.java
    @@ -83,7 +83,7 @@ public class TestJdbcWithMiniMr {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
              getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    index 0c3479d..3427c5c 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestMultiSessionsHS2WithLocalClusterSpark.java
    @@ -101,7 +101,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
        }

        // setup DB
    - private static void createDb() throws SQLException {
    + private static void createDb() throws Exception {
          Connection conn = DriverManager.
            getConnection(miniHS2.getJdbcURL(), System.getProperty("user.name"), "bar");
          Statement stmt2 = conn.createStatement();
    @@ -124,7 +124,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
          closeConnection();
        }

    - private void createConnection() throws SQLException {
    + private void createConnection() throws Exception {
          Connection connection = DriverManager.getConnection(miniHS2.getJdbcURL(dbName),
            System.getProperty("user.name"), "bar");
          Statement statement = connection.createStatement();
    @@ -215,8 +215,7 @@ public class TestMultiSessionsHS2WithLocalClusterSpark {
          };
        }

    - private void testKvQuery(String queryStr, String resultVal)
    - throws SQLException {
    + private void testKvQuery(String queryStr, String resultVal) throws Exception {
          createConnection();
          verifyResult(queryStr, resultVal, 2);
          closeConnection();

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    index 28a3777..39c8361 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestSSL.java
    @@ -18,6 +18,7 @@

      package org.apache.hive.jdbc;
      import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.assertTrue;
      import static org.junit.Assert.fail;

      import java.io.File;
    @@ -46,9 +47,10 @@ import org.slf4j.LoggerFactory;

      public class TestSSL {
        private static final Logger LOG = LoggerFactory.getLogger(TestSSL.class);
    - private static final String KEY_STORE_NAME = "keystore.jks";
    + private static final String LOCALHOST_KEY_STORE_NAME = "keystore.jks";
    + private static final String EXAMPLEDOTCOM_KEY_STORE_NAME = "keystore_exampledotcom.jks";
        private static final String TRUST_STORE_NAME = "truststore.jks";
    - private static final String KEY_STORE_PASSWORD = "HiveJdbc";
    + private static final String KEY_STORE_TRUST_STORE_PASSWORD = "HiveJdbc";
        private static final String JAVA_TRUST_STORE_PROP = "javax.net.ssl.trustStore";
        private static final String JAVA_TRUST_STORE_PASS_PROP = "javax.net.ssl.trustStorePassword";
        private static final String HS2_BINARY_MODE = "binary";
    @@ -62,8 +64,9 @@ public class TestSSL {
        private Connection hs2Conn = null;
        private String dataFileDir = conf.get("test.data.files");
        private Map<String, String> confOverlay;
    - private final String SSL_CONN_PARAMS = ";ssl=true;sslTrustStore=" + URLEncoder.encode(dataFileDir + File.separator +
    - TRUST_STORE_NAME) + ";trustStorePassword=" + KEY_STORE_PASSWORD;
    + private final String SSL_CONN_PARAMS = ";ssl=true;sslTrustStore="
    + + URLEncoder.encode(dataFileDir + File.separator + TRUST_STORE_NAME) + ";trustStorePassword="
    + + KEY_STORE_TRUST_STORE_PASSWORD;

        @BeforeClass
        public static void beforeTest() throws Exception {
    @@ -112,8 +115,10 @@ public class TestSSL {
        @Test
        public void testSSLVersion() throws Exception {
          Assume.assumeTrue(execCommand("which openssl") == 0); // we need openssl
    - Assume.assumeTrue(System.getProperty("os.name").toLowerCase()
    - .contains("linux")); // we depend on linux openssl exit codes
    + Assume.assumeTrue(System.getProperty("os.name").toLowerCase().contains("linux")); // we depend
    + // on linux
    + // openssl
    + // exit codes

          setSslConfOverlay(confOverlay);
          // Test in binary mode
    @@ -122,16 +127,15 @@ public class TestSSL {
          miniHS2.start(confOverlay);

          // make SSL connection
    - hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore=" +
    - dataFileDir + File.separator + TRUST_STORE_NAME + ";trustStorePassword=" +
    - KEY_STORE_PASSWORD, System.getProperty("user.name"), "bar");
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore=" + dataFileDir
    + + File.separator + TRUST_STORE_NAME + ";trustStorePassword="
    + + KEY_STORE_TRUST_STORE_PASSWORD, System.getProperty("user.name"), "bar");
          hs2Conn.close();
    - Assert.assertEquals("Expected exit code of 1", 1,
    - execCommand("openssl s_client -connect " + miniHS2.getHost() + ":" + miniHS2.getBinaryPort()
    - + " -ssl2 < /dev/null"));
    - Assert.assertEquals("Expected exit code of 1", 1,
    - execCommand("openssl s_client -connect " + miniHS2.getHost() + ":" + miniHS2.getBinaryPort()
    - + " -ssl3 < /dev/null"));
    + Assert.assertEquals("Expected exit code of 1", 1, execCommand("openssl s_client -connect "
    + + miniHS2.getHost() + ":" + miniHS2.getBinaryPort() + " -ssl2 < /dev/null"));
    + Assert.assertEquals("Expected exit code of 1", 1, execCommand("openssl s_client -connect "
    + + miniHS2.getHost() + ":" + miniHS2.getBinaryPort() + " -ssl3 < /dev/null"));
          miniHS2.stop();

          // Test in http mode
    @@ -139,12 +143,12 @@ public class TestSSL {
          miniHS2.start(confOverlay);
          // make SSL connection
          try {
    - hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() +
    - ";ssl=true;sslTrustStore=" + dataFileDir + File.separator +
    - TRUST_STORE_NAME + ";trustStorePassword=" + KEY_STORE_PASSWORD +
    - "?hive.server2.transport.mode=" + HS2_HTTP_MODE +
    - ";hive.server2.thrift.http.path=" + HS2_HTTP_ENDPOINT,
    - System.getProperty("user.name"), "bar");
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true;sslTrustStore="
    + + dataFileDir + File.separator + TRUST_STORE_NAME + ";trustStorePassword="
    + + KEY_STORE_TRUST_STORE_PASSWORD + "?hive.server2.transport.mode=" + HS2_HTTP_MODE
    + + ";hive.server2.thrift.http.path=" + HS2_HTTP_ENDPOINT,
    + System.getProperty("user.name"), "bar");
            Assert.fail("Expected SQLException during connect");
          } catch (SQLException e) {
            LOG.info("Expected exception: " + e, e);
    @@ -181,7 +185,7 @@ public class TestSSL {
          }

          System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
    - System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
    + System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
          try {
            hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
                System.getProperty("user.name"), "bar");
    @@ -291,7 +295,7 @@ public class TestSSL {
          miniHS2.start(confOverlay);

          System.setProperty(JAVA_TRUST_STORE_PROP, dataFileDir + File.separator + TRUST_STORE_NAME );
    - System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_PASSWORD);
    + System.setProperty(JAVA_TRUST_STORE_PASS_PROP, KEY_STORE_TRUST_STORE_PASSWORD);
          // make SSL connection
          hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL() + ";ssl=true",
              System.getProperty("user.name"), "bar");
    @@ -375,6 +379,55 @@ public class TestSSL {
          hs2Conn.close();
        }

    + /***
    + * Test a new connection when server sends a certificate with wrong CN
    + * (sends a certificate for www.example.com instead of localhost)
    + * Opening a new connection with this wrong certificate should fail
    + * @throws Exception
    + */
    + @Test
    + public void testConnectionWrongCertCN() throws Exception {
    + // This call sets the default ssl params including the correct keystore in the server config
    + setSslConfOverlay(confOverlay);
    + // Replace default keystore with keystore for www.example.com
    + confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
    + + EXAMPLEDOTCOM_KEY_STORE_NAME);
    + // Binary (TCP) mode
    + setBinaryConfOverlay(confOverlay);
    + miniHS2.start(confOverlay);
    + try {
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
    + System.getProperty("user.name"), "bar");
    + fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
    + + "instead of localhost), should fail");
    + } catch (SQLException e) {
    + // Expected error: should throw java.security.cert.CertificateException
    + assertEquals("08S01", e.getSQLState().trim());
    + assertTrue(e.toString().contains("java.security.cert.CertificateException"));
    + }
    +
    + miniHS2.stop();
    +
    + // Http mode
    + setHttpConfOverlay(confOverlay);
    + miniHS2.start(confOverlay);
    + try {
    + hs2Conn =
    + DriverManager.getConnection(miniHS2.getJdbcURL("default", SSL_CONN_PARAMS),
    + System.getProperty("user.name"), "bar");
    + fail("SSL connection, with the server providing wrong certifcate (with CN www.example.com, "
    + + "instead of localhost), should fail");
    + } catch (SQLException e) {
    + // Expected error: should throw javax.net.ssl.SSLPeerUnverifiedException
    + assertEquals("08S01", e.getSQLState().trim());
    + assertTrue(e.toString().contains("javax.net.ssl.SSLPeerUnverifiedException"));
    + }
    + // Revert to default keystore path
    + confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname, dataFileDir + File.separator
    + + LOCALHOST_KEY_STORE_NAME);
    + }
    +
        private void setupTestTableWithData(String tableName, Path dataFilePath,
            Connection hs2Conn) throws Exception {
          Statement stmt = hs2Conn.createStatement();
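Review bot: In binary mode the check `assertTrue(e.toString().contains("java.security.cert.CertificateException"))` does not prove that hostname verification fired: the JDK reports an untrusted certificate chain through sun.security.validator.ValidatorException, which also extends java.security.cert.CertificateException, so the test would still pass if truststore.jks simply did not trust the www.example.com certificate. Assert on the hostname-specific message instead, e.g. `assertTrue(e.toString(), e.toString().contains("No name matching localhost found") || e.toString().contains("No subject alternative DNS name matching localhost found"))` — which text applies depends on whether the example.com test certificate carries a subjectAltName, which is not visible here. The `.trim()` on `e.getSQLState()` works around HiveConnection raising the SQLState as `" 08S01"` with a leading space; fixing that producer would be better than masking it in the test. Neither `miniHS2.stop()` nor the keystore revert at the end runs when an assertion fails, so a binary-mode failure leaves the server up and confOverlay pointing at keystore_exampledotcom.jks for whatever runs next unless confOverlay is rebuilt per test; a try/finally around each phase would keep failures isolated.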
    @@ -393,9 +446,9 @@ public class TestSSL {
        private void setSslConfOverlay(Map<String, String> confOverlay) {
          confOverlay.put(ConfVars.HIVE_SERVER2_USE_SSL.varname, "true");
          confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PATH.varname,
    - dataFileDir + File.separator + KEY_STORE_NAME);
    + dataFileDir + File.separator + LOCALHOST_KEY_STORE_NAME);
          confOverlay.put(ConfVars.HIVE_SERVER2_SSL_KEYSTORE_PASSWORD.varname,
    - KEY_STORE_PASSWORD);
    + KEY_STORE_TRUST_STORE_PASSWORD);
        }

        private void clearSslConfOverlay(Map<String, String> confOverlay) {

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    index 0bb3c0a..c43776b 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
    @@ -101,7 +101,7 @@ public class TestHS2AuthzContext {
          verifyContextContents("dfs -ls /", "-ls /");
        }

    - private void verifyContextContents(final String cmd, String ctxCmd) throws SQLException,
    + private void verifyContextContents(final String cmd, String ctxCmd) throws Exception,
            HiveAuthzPluginException, HiveAccessControlException {
          Connection hs2Conn = getConnection("user1");
          Statement stmt = hs2Conn.createStatement();
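Review bot: Listing HiveAuthzPluginException and HiveAccessControlException after `throws Exception` is redundant, since `Exception` already covers both checked types; the clause reduces to `throws Exception`. If the narrower types were meant to document what the method can actually raise, keep them and replace `Exception` with the specific type that DriverManager/MiniHS2 now throws, which is not visible in this hunk. verifyContextContents continues past the end of the hunk.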
    @@ -126,7 +126,7 @@ public class TestHS2AuthzContext {

        }

    - private Connection getConnection(String userName) throws SQLException {
    + private Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    index 19b311d..692bfa0 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
    @@ -253,7 +253,7 @@ public class TestJdbcMetadataApiAuth {
          }
        }

    - private static Connection getConnection(String userName) throws SQLException {
    + private static Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    ----------------------------------------------------------------------
    diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    index dacde45..5e653ec 100644
    --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    @@ -126,7 +126,7 @@ public class TestJdbcWithSQLAuthorization {
          }
        }

    - private Connection getConnection(String userName) throws SQLException {
    + private Connection getConnection(String userName) throws Exception {
          return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar");
        }


    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    ----------------------------------------------------------------------
    diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    index 8fb1d12..bfc8869 100644
    --- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    +++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
    @@ -84,11 +84,13 @@ import org.apache.http.client.ServiceUnavailableRetryStrategy;
      import org.apache.http.config.Registry;
      import org.apache.http.config.RegistryBuilder;
      import org.apache.http.conn.socket.ConnectionSocketFactory;
    -import org.apache.http.conn.ssl.SSLSocketFactory;
    +import org.apache.http.conn.ssl.DefaultHostnameVerifier;
    +import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
      import org.apache.http.impl.client.BasicCookieStore;
      import org.apache.http.impl.client.HttpClientBuilder;
      import org.apache.http.impl.client.HttpClients;
      import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
    +import org.apache.http.ssl.SSLContexts;
      import org.apache.thrift.TException;
      import org.apache.thrift.protocol.TBinaryProtocol;
      import org.apache.thrift.transport.THttpClient;
    @@ -326,30 +328,29 @@ public class HiveConnection implements java.sql.Connection {
          if (isCookieEnabled) {
            // Create a http client with a retry mechanism when the server returns a status code of 401.
            httpClientBuilder =
    - HttpClients.custom().setServiceUnavailableRetryStrategy(
    - new ServiceUnavailableRetryStrategy() {
    -
    - @Override
    - public boolean retryRequest(
    - final HttpResponse response,
    - final int executionCount,
    - final HttpContext context) {
    - int statusCode = response.getStatusLine().getStatusCode();
    - boolean ret = statusCode == 401 && executionCount <= 1;
    -
    - // Set the context attribute to true which will be interpreted by the request interceptor
    - if (ret) {
    - context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY, Utils.HIVE_SERVER2_RETRY_TRUE);
    - }
    - return ret;
    - }
    -
    - @Override
    - public long getRetryInterval() {
    - // Immediate retry
    - return 0;
    - }
    - });
    + HttpClients.custom().setServiceUnavailableRetryStrategy(
    + new ServiceUnavailableRetryStrategy() {
    + @Override
    + public boolean retryRequest(final HttpResponse response, final int executionCount,
    + final HttpContext context) {
    + int statusCode = response.getStatusLine().getStatusCode();
    + boolean ret = statusCode == 401 && executionCount <= 1;
    +
    + // Set the context attribute to true which will be interpreted by the request
    + // interceptor
    + if (ret) {
    + context.setAttribute(Utils.HIVE_SERVER2_RETRY_KEY,
    + Utils.HIVE_SERVER2_RETRY_TRUE);
    + }
    + return ret;
    + }
    +
    + @Override
    + public long getRetryInterval() {
    + // Immediate retry
    + return 0;
    + }
    + });
          } else {
            httpClientBuilder = HttpClientBuilder.create();
          }
    @@ -362,46 +363,36 @@ public class HiveConnection implements java.sql.Connection {
            String sslTrustStorePassword = sessConfMap.get(
              JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
            KeyStore sslTrustStore;
    - SSLSocketFactory socketFactory;
    -
    + SSLConnectionSocketFactory socketFactory;
    + SSLContext sslContext;
            /**
    - * The code within the try block throws:
    - * 1. SSLInitializationException
    - * 2. KeyStoreException
    - * 3. IOException
    - * 4. NoSuchAlgorithmException
    - * 5. CertificateException
    - * 6. KeyManagementException
    - * 7. UnrecoverableKeyException
    - * We don't want the client to retry on any of these, hence we catch all
    - * and throw a SQLException.
    + * The code within the try block throws: SSLInitializationException, KeyStoreException,
    + * IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException &
    + * UnrecoverableKeyException. We don't want the client to retry on any of these,
    + * hence we catch all and throw a SQLException.
             */
            try {
    - if (useTwoWaySSL != null &&
    - useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
    + if (useTwoWaySSL != null && useTwoWaySSL.equalsIgnoreCase(JdbcConnectionParams.TRUE)) {
                socketFactory = getTwoWaySSLSocketFactory();
              } else if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
                // Create a default socket factory based on standard JSSE trust material
    - socketFactory = SSLSocketFactory.getSocketFactory();
    + socketFactory = SSLConnectionSocketFactory.getSocketFactory();
              } else {
                // Pick trust store config from the given path
                sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
                sslTrustStore.load(new FileInputStream(sslTrustStorePath),
    - sslTrustStorePassword.toCharArray());
    - socketFactory = new SSLSocketFactory(sslTrustStore);
    + sslTrustStorePassword.toCharArray());
    + sslContext = SSLContexts.custom().loadTrustMaterial(sslTrustStore, null).build();
    + socketFactory =
    + new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier(null));
              }
    - socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    -
              final Registry<ConnectionSocketFactory> registry =
    - RegistryBuilder.<ConnectionSocketFactory>create()
    - .register("https", socketFactory)
    - .build();
    -
    + RegistryBuilder.<ConnectionSocketFactory> create().register("https", socketFactory)
    + .build();
              httpClientBuilder.setConnectionManager(new BasicHttpClientConnectionManager(registry));
    - }
    - catch (Exception e) {
    - String msg = "Could not create an https connection to " +
    - jdbcUriString + ". " + e.getMessage();
    + } catch (Exception e) {
    + String msg =
    + "Could not create an https connection to " + jdbcUriString + ". " + e.getMessage();
              throw new SQLException(msg, " 08S01", e);
            }
          }
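Review bot: The FileInputStream opened for the trust store at `sslTrustStore.load(new FileInputStream(sslTrustStorePath), ...)` is never closed on either the success or the exception path; wrap it in try-with-resources: `try (FileInputStream in = new FileInputStream(sslTrustStorePath)) { sslTrustStore.load(in, sslTrustStorePassword.toCharArray()); }`. Replacing ALLOW_ALL_HOSTNAME_VERIFIER with `new DefaultHostnameVerifier(null)` is the right call, since the old verifier accepted any server certificate the trust store signed regardless of host. The catch-all rethrow at the bottom passes `" 08S01"` with a leading space as the SQLState, which is why the new tests have to `.trim()` it; `throw new SQLException(msg, "08S01", e);` fixes the producer. The enclosing method starts and ends outside this hunk.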
    @@ -492,8 +483,8 @@ public class HiveConnection implements java.sql.Connection {
          return transport;
        }

    - SSLSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
    - SSLSocketFactory socketFactory = null;
    + SSLConnectionSocketFactory getTwoWaySSLSocketFactory() throws SQLException {
    + SSLConnectionSocketFactory socketFactory = null;

          try {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
    @@ -528,7 +519,7 @@ public class HiveConnection implements java.sql.Connection {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagerFactory.getKeyManagers(),
              trustManagerFactory.getTrustManagers(), new SecureRandom());
    - socketFactory = new SSLSocketFactory(context);
    + socketFactory = new SSLConnectionSocketFactory(context);
          } catch (Exception e) {
            throw new SQLException("Error while initializing 2 way ssl socket factory ", e);
          }
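Review bot: `new SSLConnectionSocketFactory(context)` leaves hostname verification of the two-way (client-certificate) path to whatever the HttpClient version on the classpath uses as its default verifier, while the one-way path in this same commit passes `new DefaultHostnameVerifier(null)` explicitly; use the same form here, `socketFactory = new SSLConnectionSocketFactory(context, new DefaultHostnameVerifier(null));`, so both paths verify the server name regardless of the library default. `SSLContext.getInstance("TLS")` also hands protocol and cipher selection to the JVM defaults, which is acceptable but deserves a one-line comment saying so. getTwoWaySSLSocketFactory begins before this hunk.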

    http://git-wip-us.apache.org/repos/asf/hive/blob/5d4c2bd6/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    ----------------------------------------------------------------------
    diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    index 1e6ac4f..d0c0df9 100644
    --- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    +++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
    @@ -26,7 +26,9 @@ import java.util.HashMap;
      import java.util.List;
      import java.util.Map;

    +import javax.net.ssl.SSLParameters;
      import javax.net.ssl.SSLServerSocket;
    +import javax.net.ssl.SSLSocket;
      import javax.security.auth.login.LoginException;
      import javax.security.sasl.Sasl;

    @@ -217,7 +219,9 @@ public class HiveAuthFactory {

        public static TTransport getSSLSocket(String host, int port, int loginTimeout)
          throws TTransportException {
    - return TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    + // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT
    + TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    + return getSSLSocketWithHttps(tSSLSocket);
        }

        public static TTransport getSSLSocket(String host, int port, int loginTimeout,
    @@ -226,7 +230,20 @@ public class HiveAuthFactory {
            new TSSLTransportFactory.TSSLTransportParameters();
          params.setTrustStore(trustStorePath, trustStorePassWord);
          params.requireClientAuth(true);
    - return TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    + // The underlying SSLSocket object is bound to host:port with the given SO_TIMEOUT and
    + // SSLContext created with the given params
    + TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    + return getSSLSocketWithHttps(tSSLSocket);
    + }
    +
    + // Using endpoint identification algorithm as HTTPS enables us to do
    + // CNAMEs/subjectAltName verification
    + private static TSocket getSSLSocketWithHttps(TSocket tSSLSocket) throws TTransportException {
    + SSLSocket sslSocket = (SSLSocket) tSSLSocket.getSocket();
    + SSLParameters sslParams = sslSocket.getSSLParameters();
    + sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    + sslSocket.setSSLParameters(sslParams);
    + return new TSocket(sslSocket);
        }

        public static TServerSocket getServerSocket(String hiveHost, int portNum)

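Review bot: `getSSLSocketWithHttps` only has an effect if it runs before the TLS handshake starts; `setSSLParameters` does not retroactively verify a handshake that has already completed, so the protection depends on `TSSLTransportFactory.getClientSocket` not calling `startHandshake()` in the Thrift version on the classpath. That ordering contract should be stated next to the cast, e.g. `// Must run before the first read/write: endpoint identification is applied at handshake start, so getClientSocket must not have started the handshake.` The comment above the method says "CNAMEs/subjectAltName"; CNAME is a DNS record type, whereas the HTTPS algorithm checks the certificate's CN and subjectAltName, so `// CN/subjectAltName verification` is what is meant. The cast `(SSLSocket) tSSLSocket.getSocket()` would surface as a ClassCastException rather than the declared TTransportException if Thrift ever returned a plain socket; an `instanceof` guard mapping to TTransportException would keep the method's contract honest.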