AMBARI-14503. Hive views does not honour auth_to_local rules when running queries . (Gaurav Nagar via yusaku)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a6885597 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a6885597 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a6885597 Branch: refs/heads/branch-dev-patch-upgrade Commit: a688559755fee0af62b00dd1508dd987358dd9ff Parents: 8896d89 Author: Yusaku Sako <[email protected]> Authored: Wed Jan 13 03:30:05 2016 -0800 Committer: Yusaku Sako <[email protected]> Committed: Wed Jan 13 03:30:05 2016 -0800 ---------------------------------------------------------------------- ambari-server/pom.xml | 6 +++ .../ambari/server/view/ViewContextImpl.java | 45 ++++++++++++++++++++ .../org/apache/ambari/view/ViewContext.java | 9 +++- contrib/views/files/src/main/resources/view.xml | 7 +++ contrib/views/hive/src/main/resources/view.xml | 8 ++++ contrib/views/pig/src/main/resources/view.xml | 9 ++++ contrib/views/tez/src/main/resources/view.xml | 7 +++ 7 files changed, 90 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/ambari-server/pom.xml ---------------------------------------------------------------------- diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml index 9c0ba26..c0010fb 100644 --- a/ambari-server/pom.xml +++ b/ambari-server/pom.xml @@ -47,6 +47,7 @@ <stacksSrcLocation>target/classes/stacks/${stack.distribution}</stacksSrcLocation> <tarballResourcesFolder>src/main/resources</tarballResourcesFolder> <skipPythonTests>false</skipPythonTests> + <hadoop.version>2.7.1</hadoop.version> </properties> <build> <plugins> 
@@ -2021,6 +2022,11 @@ </exclusion> </exclusions> </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-auth</artifactId> + <version>${hadoop.version}</version> + </dependency> </dependencies> <pluginRepositories> http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java index a22c514..72da333 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java @@ -48,9 +48,13 @@ import org.apache.ambari.view.events.Event; import org.apache.ambari.view.events.Listener; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.directory.api.util.Strings; +import org.apache.hadoop.security.authentication.util.KerberosName; +import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.Velocity; import org.apache.velocity.exception.ParseErrorException; +import sun.security.krb5.KrbException; import java.io.StringWriter; import java.io.Writer; @@ -71,6 +75,10 @@ public class ViewContextImpl implements ViewContext, ViewController { */ private static final Log LOG = LogFactory.getLog(ViewContextImpl.class); + public static final String HADOOP_SECURITY_AUTH_TO_LOCAL = "hadoop.security.auth_to_local"; + public static final String CORE_SITE = "core-site"; + public static final String HDFS_AUTH_TO_LOCAL = "hdfs.auth_to_local"; + /** * The associated view definition. */ 
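Review bot: The new `hadoop-auth` dependency in the second pom.xml hunk is declared without any `<exclusions>`, so ambari-server takes on that artifact's whole transitive tree just to use `KerberosName` and `KerberosUtil`. The dependency just above it (its closing `</exclusion>` lines are visible as context) does trim its transitives, so it is worth running `mvn dependency:tree` on this module and excluding what the server does not need. `hadoop.version` is also pinned to `2.7.1` in this module's own `<properties>`; if the build defines a Hadoop version elsewhere, which is not visible here, the two can drift.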
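Review bot: `import sun.security.krb5.KrbException;` in the import hunk ties ViewContextImpl to a JDK-internal class that none of the visible new code references (the new `getUsername()` catches plain `Exception`), so it looks unused and should be dropped. `sun.*` packages are not part of the supported Java API and are absent or inaccessible on some runtimes, where an unused import becomes a compile failure. `org.apache.directory.api.util.Strings` is likewise imported only for `isNotEmpty`, and this commit does not declare the artifact that provides it; a string utility the module already depends on directly would avoid leaning on a transitive jar.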
@@ -218,6 +226,36 @@ public class ViewContextImpl implements ViewContext, ViewController { @Override public String getUsername() { + String shortName = getLoggedinUser(); + try { + String authToLocalRules = getAuthToLocalRules(); + //Getting ambari server realm. Ideally this should come from user + String defaultRealm = KerberosUtil.getDefaultRealm(); + if(Strings.isNotEmpty(authToLocalRules) && Strings.isNotEmpty(defaultRealm)){ + synchronized (KerberosName.class){ + KerberosName.setRules(authToLocalRules); + shortName = new KerberosName(shortName+"@"+defaultRealm).getShortName(); + } + } + } catch (Exception e) { + LOG.error("Failed to get username",e); + } + return shortName; + } + + private String getAuthToLocalRules(){ + Cluster cluster = getCluster(); + String authToLocalRules = null; + if (cluster != null) { + authToLocalRules = cluster.getConfigurationValue(CORE_SITE, HADOOP_SECURITY_AUTH_TO_LOCAL); + }else if(viewInstanceEntity != null) { + authToLocalRules = viewInstanceEntity.getPropertyMap().get(HDFS_AUTH_TO_LOCAL); + } + return authToLocalRules; + } + + @Override + public String getLoggedinUser(){ return viewInstanceEntity != null ? viewInstanceEntity.getUsername() : null; } @@ -465,6 +503,13 @@ public class ViewContextImpl implements ViewContext, ViewController { return viewContext.getInstanceName(); } }); + context.put("loggedinUser", + new ParameterResolver() { + @Override + protected String getValue() { + return viewContext.getLoggedinUser(); + } + }); return context; } http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java ---------------------------------------------------------------------- diff --git a/ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java b/ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java index c0cae80..7b7b025 100644 --- a/ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java 
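Review bot: The `catch (Exception e)` in `getUsername()` makes the auth_to_local mapping fail open: if the rules do not parse, no rule matches, or `KerberosUtil.getDefaultRealm()` throws, the method logs and returns the unmapped Ambari login, which callers then use as the cluster-side identity. The realm lookup also runs before the rules are checked, so a server with no rules or (presumably) no Kerberos configuration pays for it, and may log an error with a stack trace, on every call. A null login is also concatenated into `"null@" + realm` instead of being returned as null as before. `KerberosName.setRules` replaces a static, process-wide rule set, so the `synchronized (KerberosName.class)` block only protects callers that take the same lock, which deserves a comment. I would guard first and map only when there is something to map, as below, and decide explicitly whether a mapping failure should fall back or be surfaced to the caller.

```java
@Override
public String getUsername() {
  String loggedinUser = getLoggedinUser();
  String authToLocalRules = getAuthToLocalRules();
  // Nothing to map: skip the realm lookup and keep the previous null behaviour.
  if (loggedinUser == null || !Strings.isNotEmpty(authToLocalRules)) {
    return loggedinUser;
  }
  try {
    String defaultRealm = KerberosUtil.getDefaultRealm();
    if (Strings.isNotEmpty(defaultRealm)) {
      // KerberosName keeps its rules in static state shared by the whole JVM;
      // this lock only serialises callers that also lock on KerberosName.class.
      synchronized (KerberosName.class) {
        KerberosName.setRules(authToLocalRules);
        return new KerberosName(loggedinUser + "@" + defaultRealm).getShortName();
      }
    }
  } catch (Exception e) {
    // Fail-open by design: the unmapped login becomes the cluster identity.
    LOG.error("Failed to apply auth_to_local rules; falling back to the Ambari login name", e);
  }
  return loggedinUser;
}
// … unchanged: getAuthToLocalRules(), getLoggedinUser() …
```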
+++ b/ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java @@ -36,13 +36,20 @@ public interface ViewContext { public static final String CONTEXT_ATTRIBUTE = "ambari-view-context"; /** - * Get the current user name. + * Get the current user name after auth_to_local conversion * * @return the current user name */ public String getUsername(); /** + * Get the current ambari user. + * + * @return the current user name + */ + public String getLoggedinUser(); + + /** * Determine whether or not the access specified by the given permission name * is permitted for the given user. * http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/contrib/views/files/src/main/resources/view.xml ---------------------------------------------------------------------- diff --git a/contrib/views/files/src/main/resources/view.xml b/contrib/views/files/src/main/resources/view.xml index 58a7682..f594fbe 100644 --- a/contrib/views/files/src/main/resources/view.xml +++ b/contrib/views/files/src/main/resources/view.xml @@ -87,6 +87,13 @@ <required>false</required> <cluster-config>fake</cluster-config> </parameter> + <parameter> + <name>hdfs.auth_to_local</name> + <description>Auth to Local Configuration</description> + <label>Auth To Local</label> + <required>false</required> + <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config> + </parameter> <parameter> <name>webhdfs.username</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/contrib/views/hive/src/main/resources/view.xml ---------------------------------------------------------------------- diff --git a/contrib/views/hive/src/main/resources/view.xml b/contrib/views/hive/src/main/resources/view.xml index b6f03ad..e3aea70 100644 --- a/contrib/views/hive/src/main/resources/view.xml +++ b/contrib/views/hive/src/main/resources/view.xml 
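Review bot: The Javadoc on `getUsername()` now says "after auth_to_local conversion" but not what the method returns when the conversion cannot be done, and in ViewContextImpl that case returns the unmapped login. Since views will treat this value as the cluster-side identity, the contract should say so, for example `Get the current user name mapped through the cluster's auth_to_local rules; returns the Ambari login name unchanged when no rules are configured or the mapping fails.` `getLoggedinUser()` should state that it is the name the user authenticated to Ambari with and that it may be null, and its `@return` should not repeat "the current user name" word for word. Adding a method to the public `ViewContext` interface also breaks any implementation outside this tree, which may deserve a line in the release notes.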
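Review bot: The new `hdfs.auth_to_local` parameter is described only as "Auth to Local Configuration", which does not tell an administrator that its value is passed to `KerberosName.setRules` and decides which local user the view acts as. The same block is added to the hive, pig and tez view.xml files. I would make the description explicit, e.g. `<description>Kerberos auth_to_local rules (same syntax as core-site hadoop.security.auth_to_local) used to map the Ambari login to the cluster user; leave empty to use the login name as is</description>`. Each view's documentation should also note that a rule set differing from the cluster's own maps users differently from the rest of Hadoop.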
@@ -166,6 +166,14 @@ <required>false</required> </parameter> + <parameter> + <name>hdfs.auth_to_local</name> + <description>Auth to Local Configuration</description> + <label>Auth To Local</label> + <required>false</required> + <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config> + </parameter> + <!-- General Configs --> <parameter> http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/contrib/views/pig/src/main/resources/view.xml ---------------------------------------------------------------------- diff --git a/contrib/views/pig/src/main/resources/view.xml b/contrib/views/pig/src/main/resources/view.xml index 30efae8..8dd4a4f 100644 --- a/contrib/views/pig/src/main/resources/view.xml +++ b/contrib/views/pig/src/main/resources/view.xml @@ -107,6 +107,14 @@ <required>false</required> </parameter> + <parameter> + <name>hdfs.auth_to_local</name> + <description>Auth to Local Configuration</description> + <label>Auth To Local</label> + <required>false</required> + <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config> + </parameter> + <!-- WebHCat Configs --> <parameter> <name>webhcat.hostname</name> @@ -133,6 +141,7 @@ <required>false</required> </parameter> + <!-- General Configs --> <parameter> <name>scripts.dir</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/a6885597/contrib/views/tez/src/main/resources/view.xml ---------------------------------------------------------------------- diff --git a/contrib/views/tez/src/main/resources/view.xml b/contrib/views/tez/src/main/resources/view.xml index d1ad5ad..d8105f1 100644 --- a/contrib/views/tez/src/main/resources/view.xml +++ b/contrib/views/tez/src/main/resources/view.xml 
@@ -35,6 +35,13 @@ limitations under the License. Kerberos, LDAP, Custom. Binary/Htt <placeholder>yarn.resourcemanager.hostname:8088</placeholder> <cluster-config>yarn-site/yarn.resourcemanager.webapp.address</cluster-config> </parameter> + <parameter> + <name>hdfs.auth_to_local</name> + <description>Auth to Local Configuration</description> + <label>Auth To Local</label> + <required>false</required> + <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config> + </parameter> <!-- The status resource exists to show the subset of properties that any user is allowed to see, not just an admin user. --> <resource>
