Author: jvs
Date: Tue Oct 11 18:24:48 2011
New Revision: 1182001
URL: http://svn.apache.org/viewvc?rev=1182001&view=rev
Log:
HIVE-2455. Pass correct remoteAddress in proxy user authentication
(Ashutosh Chauhan via jvs)
Modified:
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
Modified:
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
URL:
http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java?rev=1182001&r1=1182000&r2=1182001&view=diff
==============================================================================
---
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
(original)
+++
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
Tue Oct 11 18:24:48 2011
@@ -24,7 +24,6 @@ import static org.apache.hadoop.hive.met
import static org.apache.hadoop.hive.metastore.MetaStoreUtils.validateName;
import java.io.IOException;
-import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Formatter;
@@ -185,11 +184,10 @@ public class HiveMetaStore extends Thrif
} catch (Exception ex) {
throw new RuntimeException(ex);
}
- InetAddress addr = saslServer.getRemoteAddress();
final Formatter fmt = auditFormatter.get();
((StringBuilder)fmt.out()).setLength(0);
auditLog.info(fmt.format(AUDIT_FORMAT, ugi.getUserName(),
- addr == null ? "unknown-ip-addr" : addr.toString(), cmd).toString());
+ saslServer.getRemoteAddress().toString(), cmd).toString());
}
// The next serial number to be assigned
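Review bot: The audit call now dereferences `saslServer.getRemoteAddress()` directly, while the 0.20S shim changed in this same commit still backs that getter with a thread-local whose initial value is null. If the audit method is ever reached on a thread where the SASL processor has not set the address, the request fails with a NullPointerException from inside the audit path and no audit record is written. Whether that can happen depends on code above this hunk, since the method starts outside it. Either keep the removed fallback, `addr == null ? "unknown-ip-addr" : addr.toString()`, or add a comment stating the invariant that rules null out here.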
Modified:
hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
URL:
http://svn.apache.org/viewvc/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java?rev=1182001&r1=1182000&r2=1182001&view=diff
==============================================================================
---
hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
(original)
+++
hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
Tue Oct 11 18:24:48 2011
@@ -39,15 +39,15 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
-import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.thrift.TException;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TProtocol;
@@ -425,7 +425,7 @@ import org.apache.thrift.transport.TTran
}
@Override
- public String getDelegationToken(final String owner, final String
renewer)
+ public String getDelegationToken(final String owner, final String renewer)
throws IOException, InterruptedException {
if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) {
throw new AuthorizationException(
@@ -439,26 +439,19 @@ import org.apache.thrift.transport.TTran
UserGroupInformation currUser = UserGroupInformation.getCurrentUser();
UserGroupInformation ownerUgi =
UserGroupInformation.createRemoteUser(owner);
if (!ownerUgi.getShortUserName().equals(currUser.getShortUserName())) {
- //in the case of proxy users, the getCurrentUser will return the
- //real user (for e.g. oozie) due to the doAs that happened just
before the
+ //in the case of proxy users, the getCurrentUser will return the
+ //real user (for e.g. oozie) due to the doAs that happened just
before the
//server started executing the method getDelegationToken in the
MetaStore
ownerUgi = UserGroupInformation.createProxyUser(owner,
UserGroupInformation.getCurrentUser());
InetAddress remoteAddr = getRemoteAddress();
- //A hack (127.0.1.1 is used as the remote address in case remoteAddr
is null)
- //to make a testcase TestHadoop20SAuthBridge.testMetastoreProxyUser
- //pass. Once we have updated hive to have a thrift release with
- //THIFT-1053 in, we can remove the check for remoteAddr being null,
and this
- //hack
- ProxyUsers.authorize(ownerUgi,
- remoteAddr != null ? remoteAddr.getHostAddress() : "127.0.1.1",
- null);
+ ProxyUsers.authorize(ownerUgi,remoteAddr.getHostAddress(), null);
}
return ownerUgi.doAs(new PrivilegedExceptionAction<String>() {
public String run() throws IOException {
return secretManager.getDelegationToken(renewer);
}
- });
+ });
}
@Override
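Review bot: `remoteAddr.getHostAddress()` is called with no null check, so a missing client address surfaces as a NullPointerException instead of an authorization failure. Removing the `127.0.1.1` stand-in is the right direction, because a made-up address should never be handed to `ProxyUsers.authorize`. The fail-closed behaviour should still be explicit and recognisable to callers, for example `if (remoteAddr == null) { throw new AuthorizationException("Remote address unavailable; cannot authorize proxy user " + owner); }` placed before the authorize call. getDelegationToken begins above this hunk.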
@@ -475,28 +468,27 @@ import org.apache.thrift.transport.TTran
secretManager.cancelDelegationToken(tokenStrForm);
}
- private final static ThreadLocal<InetAddress> remoteAddress =
+ final static ThreadLocal<InetAddress> remoteAddress =
new ThreadLocal<InetAddress>() {
@Override
protected synchronized InetAddress initialValue() {
return null;
}
};
-
+
@Override
public InetAddress getRemoteAddress() {
return remoteAddress.get();
}
-
- //declare the field public so that testcases can set it to an explicit
value
- public final static ThreadLocal<AuthenticationMethod>
authenticationMethod =
+
+ final static ThreadLocal<AuthenticationMethod> authenticationMethod =
new ThreadLocal<AuthenticationMethod>() {
@Override
protected synchronized AuthenticationMethod initialValue() {
return AuthenticationMethod.TOKEN;
}
};
-
+
/** CallbackHandler for SASL DIGEST-MD5 mechanism */
// This code is pretty much completely based on Hadoop's
// SaslRpcServer.SaslDigestCallbackHandler - the only reason we could not
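Review bot: `remoteAddress` is widened from private to package-private, and the comment explaining why `authenticationMethod` is exposed to tests is deleted without a replacement. The value in `remoteAddress` is what `getDelegationToken` passes to `ProxyUsers.authorize`, so a write from any other class in the package would change the result of a proxy-user check on that thread; no such writer is visible here, but nothing documents that one must not be added. I would put a comment above each field, such as `// package-private for TestHadoop20SAuthBridge only; production code sets this solely in the SASL processor`. The `synchronized` on both `initialValue()` overrides can also be dropped, since each thread initialises only its own copy.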
@@ -608,10 +600,8 @@ import org.apache.thrift.transport.TTran
throw new TException(e.getMessage());
}
}
- if (TSocket.class.isAssignableFrom(inProt.getTransport().getClass()))
{
- Socket socket = ((TSocket)inProt.getTransport()).getSocket();
- remoteAddress.set(socket.getInetAddress());
- }
+ Socket socket =
((TSocket)(saslTrans.getUnderlyingTransport())).getSocket();
+ remoteAddress.set(socket.getInetAddress());
try {
UserGroupInformation clientUgi =
UserGroupInformation.createProxyUser(
endUser, UserGroupInformation.getLoginUser());
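Review bot: The unconditional cast `(TSocket)(saslTrans.getUnderlyingTransport())` replaces the earlier `isAssignableFrom` guard, so a SASL transport wrapping anything other than a TSocket now fails with a ClassCastException, and it does so before the `try` that follows. Reading the address from the underlying transport is the actual fix, but the type assumption should be checked and reported as a protocol error: `if (!(saslTrans.getUnderlyingTransport() instanceof TSocket)) { throw new TException("Unexpected underlying transport; cannot determine client address"); }`. That keeps the failure closed without leaving a previous request's address in the thread-local. The enclosing method and the declaration of `saslTrans` are outside this hunk.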
Modified:
hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
URL:
http://svn.apache.org/viewvc/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java?rev=1182001&r1=1182000&r2=1182001&view=diff
==============================================================================
---
hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
(original)
+++
hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
Tue Oct 11 18:24:48 2011
@@ -207,6 +207,7 @@ public class TestHadoop20SAuthBridge ext
//kerberos, this needs to be done
HadoopThriftAuthBridge20S.Server.authenticationMethod
.set(AuthenticationMethod.KERBEROS);
+
HadoopThriftAuthBridge20S.Server.remoteAddress.set(InetAddress.getLocalHost());
return
HiveMetaStore.getDelegationToken(ownerUgi.getShortUserName(),
realUgi.getShortUserName());