Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java Wed Mar 12 10:41:57 2014 @@ -21,6 +21,8 @@ package org.apache.hive.service.cli; import java.util.List; import java.util.Map; +import org.apache.hive.service.auth.HiveAuthFactory; + /** * EmbeddedCLIServiceClient. @@ -188,4 +190,22 @@ public class EmbeddedCLIServiceClient ex return cliService.fetchResults(opHandle, orientation, maxRows); } + + @Override + public String getDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String owner, String renewer) throws HiveSQLException { + return cliService.getDelegationToken(sessionHandle, authFactory, owner, renewer); + } + + @Override + public void cancelDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String tokenStr) throws HiveSQLException { + cliService.cancelDelegationToken(sessionHandle, authFactory, tokenStr); + } + + @Override + public void renewDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String tokenStr) throws HiveSQLException { + cliService.renewDelegationToken(sessionHandle, authFactory, tokenStr); + } }
Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/ICLIService.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/ICLIService.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/ICLIService.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/ICLIService.java Wed Mar 12 10:41:57 2014 @@ -23,6 +23,8 @@ import java.util.Map; +import org.apache.hive.service.auth.HiveAuthFactory; + public interface ICLIService { public abstract SessionHandle openSession(String username, String password, @@ -91,4 +93,14 @@ public interface ICLIService { public abstract RowSet fetchResults(OperationHandle opHandle) throws HiveSQLException; + public abstract String getDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String owner, String renewer) throws HiveSQLException; + + public abstract void cancelDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String tokenStr) throws HiveSQLException; + + public abstract void renewDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String tokenStr) throws HiveSQLException; + + } Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSession.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSession.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSession.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSession.java Wed Mar 12 10:41:57 2014 @@ -24,6 +24,7 @@ import java.util.Map; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.cli.FetchOrientation; import org.apache.hive.service.cli.GetInfoType; import org.apache.hive.service.cli.GetInfoValue; @@ -183,4 +184,17 @@ public interface HiveSession { public String getUserName(); public void setUserName(String userName); + + public String getIpAddress(); + + public void setIpAddress(String ipAddress); + + public String getDelegationToken(HiveAuthFactory authFactory, String owner, + String renewer) throws HiveSQLException; + + public void cancelDelegationToken(HiveAuthFactory authFactory, String tokenStr) + throws HiveSQLException; + + public void renewDelegationToken(HiveAuthFactory authFactory, String tokenStr) + throws HiveSQLException; } Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java Wed Mar 12 10:41:57 2014 @@ -35,7 +35,9 @@ import org.apache.hadoop.hive.ql.exec.Fe import org.apache.hadoop.hive.ql.exec.ListSinkOperator; import org.apache.hadoop.hive.ql.history.HiveHistory; import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.shims.ShimLoader; import org.apache.hive.common.util.HiveVersionInfo; +import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.cli.FetchOrientation; import org.apache.hive.service.cli.GetInfoType; import org.apache.hive.service.cli.GetInfoValue; @@ -67,6 +69,7 @@ public class HiveSessionImpl implements private final String password; private final HiveConf hiveConf; private final SessionState sessionState; + private String ipAddress; private static final String FETCH_WORK_SERDE_CLASS = "org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe"; @@ -79,11 +82,12 @@ public class HiveSessionImpl implements private final Set<OperationHandle> opHandleSet = new HashSet<OperationHandle>(); public HiveSessionImpl(TProtocolVersion protocol, String username, String password, - HiveConf serverhiveConf, Map<String, String> sessionConfMap) { + HiveConf serverhiveConf, Map<String, String> sessionConfMap, String ipAddress) { this.username = username; this.password = password; this.sessionHandle = new SessionHandle(protocol); this.hiveConf = new HiveConf(serverhiveConf); + this.ipAddress = ipAddress; //set conf properties specified by user from client side if (sessionConfMap != null) { @@ -418,6 +422,7 @@ public class HiveSessionImpl implements public String getUserName() { return username; } + @Override public void setUserName(String userName) { this.username = userName; @@ -479,4 +484,42 @@ public class HiveSessionImpl implements protected HiveSession getSession() { return this; } + + @Override + public String getIpAddress() { + return ipAddress; + } + + @Override + public void setIpAddress(String ipAddress) { + this.ipAddress = ipAddress; + } + + @Override + public String getDelegationToken(HiveAuthFactory authFactory, String owner, String renewer) + throws HiveSQLException { + HiveAuthFactory.verifyProxyAccess(getUsername(), owner, getIpAddress(), getHiveConf()); + return authFactory.getDelegationToken(owner, renewer); + } + + @Override + public void cancelDelegationToken(HiveAuthFactory authFactory, String tokenStr) + throws HiveSQLException { + HiveAuthFactory.verifyProxyAccess(getUsername(), getUserFromToken(authFactory, tokenStr), + getIpAddress(), getHiveConf()); + authFactory.cancelDelegationToken(tokenStr); + } + + @Override + public void renewDelegationToken(HiveAuthFactory authFactory, String tokenStr) + throws HiveSQLException { + HiveAuthFactory.verifyProxyAccess(getUsername(), getUserFromToken(authFactory, tokenStr), + getIpAddress(), getHiveConf()); + authFactory.renewDelegationToken(tokenStr); + } + + // extract the real user from the given token string + private String getUserFromToken(HiveAuthFactory authFactory, String tokenStr) throws HiveSQLException { + return authFactory.getUserFromToken(tokenStr); + } } Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java Wed Mar 12 10:41:57 2014 @@ -26,6 +26,7 @@ import org.apache.hadoop.hive.ql.metadat import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.shims.ShimLoader; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.cli.HiveSQLException; import org.apache.hive.service.cli.thrift.TProtocolVersion; @@ -43,8 +44,9 @@ public class HiveSessionImplwithUGI exte private HiveSession proxySession = null; public HiveSessionImplwithUGI(TProtocolVersion protocol, String username, String password, - HiveConf hiveConf, Map<String, String> sessionConf, String delegationToken) throws HiveSQLException { - super(protocol, username, password, hiveConf, sessionConf); + HiveConf hiveConf, Map<String, String> sessionConf, String ipAddress, + String delegationToken) throws HiveSQLException { + super(protocol, username, password, hiveConf, sessionConf, ipAddress); setSessionUGI(username); setDelegationToken(delegationToken); } @@ -148,5 +150,22 @@ public class HiveSessionImplwithUGI exte this.proxySession = proxySession; } + @Override + public String getDelegationToken(HiveAuthFactory authFactory, String owner, + String renewer) throws HiveSQLException { + return authFactory.getDelegationToken(owner, renewer); + } + + @Override + public void cancelDelegationToken(HiveAuthFactory authFactory, String tokenStr) + throws HiveSQLException { + authFactory.cancelDelegationToken(tokenStr); + } + + @Override + public void renewDelegationToken(HiveAuthFactory authFactory, String tokenStr) + throws HiveSQLException { + authFactory.renewDelegationToken(tokenStr); + } } Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/session/SessionManager.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/session/SessionManager.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/session/SessionManager.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/session/SessionManager.java Wed Mar 12 10:41:57 2014 @@ -18,6 +18,7 @@ package org.apache.hive.service.cli.session; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; @@ -31,6 +32,9 @@ import org.apache.commons.logging.LogFac import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.hooks.HookUtils; +import org.apache.hadoop.hive.shims.ShimLoader; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.CompositeService; import org.apache.hive.service.cli.HiveSQLException; import org.apache.hive.service.cli.SessionHandle; @@ -101,17 +105,14 @@ public class SessionManager extends Comp public SessionHandle openSession(TProtocolVersion protocol, String username, String password, Map<String, String> sessionConf, boolean withImpersonation, String delegationToken) throws HiveSQLException { - if (username == null) { - username = threadLocalUserName.get(); - } HiveSession session; if (withImpersonation) { HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password, - hiveConf, sessionConf, delegationToken); + hiveConf, sessionConf, threadLocalIpAddress.get(), delegationToken); session = HiveSessionProxy.getProxy(hiveSessionUgi, hiveSessionUgi.getSessionUgi()); hiveSessionUgi.setProxySession(session); } else { - session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf); + session = new HiveSessionImpl(protocol, username, password, hiveConf, sessionConf, threadLocalIpAddress.get()); } session.setSessionManager(this); session.setOperationManager(operationManager); @@ -161,6 +162,10 @@ public class SessionManager extends Comp threadLocalIpAddress.remove(); } + public static String getIpAddress() { + return threadLocalIpAddress.get(); + } + private static ThreadLocal<String> threadLocalUserName = new ThreadLocal<String>(){ @Override protected synchronized String initialValue() { @@ -176,6 +181,10 @@ public class SessionManager extends Comp threadLocalUserName.remove(); } + public static String getUserName() { + return threadLocalUserName.get(); + } + // execute session hooks private void executeSessionHooks(HiveSession session) throws Exception { List<HiveSessionHook> sessionHooks = HookUtils.getHooks(hiveConf, @@ -190,3 +199,4 @@ public class SessionManager extends Comp } } + Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Wed Mar 12 10:41:57 2014 @@ -29,6 +29,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.shims.ShimLoader; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hive.service.AbstractService; import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.cli.CLIService; @@ -41,6 +43,7 @@ import org.apache.hive.service.cli.Opera import org.apache.hive.service.cli.RowSet; import org.apache.hive.service.cli.SessionHandle; import org.apache.hive.service.cli.TableSchema; +import org.apache.hive.service.cli.session.SessionManager; import org.apache.thrift.TException; import org.apache.thrift.server.TServer; @@ -111,6 +114,75 @@ public abstract class ThriftCLIService e super.stop(); } + @Override + public TGetDelegationTokenResp GetDelegationToken(TGetDelegationTokenReq req) + throws TException { + TGetDelegationTokenResp resp = new TGetDelegationTokenResp(); + + if (hiveAuthFactory == null) { + resp.setStatus(unsecureTokenErrorStatus()); + } else { + try { + String token = cliService.getDelegationToken( + new SessionHandle(req.getSessionHandle()), + hiveAuthFactory, req.getOwner(), req.getRenewer()); + resp.setDelegationToken(token); + resp.setStatus(OK_STATUS); + } catch (HiveSQLException e) { + LOG.error("Error obtaining delegation token", e); + TStatus tokenErrorStatus = HiveSQLException.toTStatus(e); + tokenErrorStatus.setSqlState("42000"); + resp.setStatus(tokenErrorStatus); + } + } + return resp; + } + + @Override + public TCancelDelegationTokenResp CancelDelegationToken(TCancelDelegationTokenReq req) + throws TException { + TCancelDelegationTokenResp resp = new TCancelDelegationTokenResp(); + + if (hiveAuthFactory == null) { + resp.setStatus(unsecureTokenErrorStatus()); + } else { + try { + cliService.cancelDelegationToken(new SessionHandle(req.getSessionHandle()), + hiveAuthFactory, req.getDelegationToken()); + resp.setStatus(OK_STATUS); + } catch (HiveSQLException e) { + LOG.error("Error canceling delegation token", e); + resp.setStatus(HiveSQLException.toTStatus(e)); + } + } + return resp; + } + + @Override + public TRenewDelegationTokenResp RenewDelegationToken(TRenewDelegationTokenReq req) + throws TException { + TRenewDelegationTokenResp resp = new TRenewDelegationTokenResp(); + if (hiveAuthFactory == null) { + resp.setStatus(unsecureTokenErrorStatus()); + } else { + try { + cliService.renewDelegationToken(new SessionHandle(req.getSessionHandle()), + hiveAuthFactory, req.getDelegationToken()); + resp.setStatus(OK_STATUS); + } catch (HiveSQLException e) { + LOG.error("Error obtaining renewing token", e); + resp.setStatus(HiveSQLException.toTStatus(e)); + } + } + return resp; + } + + private TStatus unsecureTokenErrorStatus() { + TStatus errorStatus = new TStatus(TStatusCode.ERROR_STATUS); + errorStatus.setErrorMessage("Delegation token only supported over remote " + + "client with kerberos authentication"); + return errorStatus; + } @Override public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException { @@ -129,13 +201,25 @@ public abstract class ThriftCLIService e return resp; } - private String getUserName(TOpenSessionReq req) { + private String getIpAddress() { + if (hiveAuthFactory != null) { + return hiveAuthFactory.getIpAddress(); + } + return SessionManager.getIpAddress(); + } + + private String getUserName(TOpenSessionReq req) throws HiveSQLException { + String userName; if (hiveAuthFactory != null && hiveAuthFactory.getRemoteUser() != null) { - return hiveAuthFactory.getRemoteUser(); + userName = hiveAuthFactory.getRemoteUser(); } else { - return req.getUsername(); + userName = SessionManager.getUserName(); } + if (userName == null) { + userName = req.getUsername(); + } + return getProxyUser(userName, req.getConfiguration(), getIpAddress()); } SessionHandle getSessionHandle(TOpenSessionReq req, TOpenSessionResp res) @@ -145,9 +229,8 @@ public abstract class ThriftCLIService e TProtocolVersion protocol = getMinVersion(CLIService.SERVER_VERSION, req.getClient_protocol()); SessionHandle sessionHandle; - if (cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION) - .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString()) && - cliService.getHiveConf().getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS)) { + if (cliService.getHiveConf().getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS) && + (userName != null)) { String delegationTokenStr = null; try { delegationTokenStr = cliService.getDelegationTokenFromMetaStore(userName); @@ -420,4 +503,36 @@ public abstract class ThriftCLIService e @Override public abstract void run(); + + /** + * If the proxy user name is provided then check privileges to substitute the user. + * @param realUser + * @param sessionConf + * @param ipAddress + * @return + * @throws HiveSQLException + */ + private String getProxyUser(String realUser, Map<String, String> sessionConf, + String ipAddress) throws HiveSQLException { + if (sessionConf == null || !sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) { + return realUser; + } + + // Extract the proxy user name and check if we are allowed to do the substitution + String proxyUser = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER); + if (!hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ALLOW_USER_SUBSTITUTION)) { + throw new HiveSQLException("Proxy user substitution is not allowed"); + } + + // If there's no authentication, then directly substitute the user + if (HiveAuthFactory.AuthTypes.NONE.toString(). + equalsIgnoreCase(hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION))) { + return proxyUser; + } + + // Verify proxy user privilege of the realUser for the proxyUser + HiveAuthFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hiveConf); + return proxyUser; + } } + Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java Wed Mar 12 10:41:57 2014 @@ -21,6 +21,7 @@ package org.apache.hive.service.cli.thri import java.util.List; import java.util.Map; +import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.cli.CLIServiceClient; import org.apache.hive.service.cli.FetchOrientation; import org.apache.hive.service.cli.GetInfoType; @@ -33,6 +34,7 @@ import org.apache.hive.service.cli.RowSe import org.apache.hive.service.cli.RowSetFactory; import org.apache.hive.service.cli.SessionHandle; import org.apache.hive.service.cli.TableSchema; +import org.apache.thrift.TException; /** * ThriftCLIServiceClient. @@ -404,4 +406,48 @@ public class ThriftCLIServiceClient exte // TODO: set the correct default fetch size return fetchResults(opHandle, FetchOrientation.FETCH_NEXT, 10000); } + + @Override + public String getDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String owner, String renewer) throws HiveSQLException { + TGetDelegationTokenReq req = new TGetDelegationTokenReq( + sessionHandle.toTSessionHandle(), owner, renewer); + try { + TGetDelegationTokenResp tokenResp = cliService.GetDelegationToken(req); + checkStatus(tokenResp.getStatus()); + return tokenResp.getDelegationToken(); + } catch (Exception e) { + throw new HiveSQLException(e); + } + } + + @Override + public void cancelDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String tokenStr) throws HiveSQLException { + TCancelDelegationTokenReq cancelReq = new TCancelDelegationTokenReq( + sessionHandle.toTSessionHandle(), tokenStr); + try { + TCancelDelegationTokenResp cancelResp = + cliService.CancelDelegationToken(cancelReq); + checkStatus(cancelResp.getStatus()); + return; + } catch (TException e) { + throw new HiveSQLException(e); + } + } + + @Override + public void renewDelegationToken(SessionHandle sessionHandle, HiveAuthFactory authFactory, + String tokenStr) throws HiveSQLException { + TRenewDelegationTokenReq cancelReq = new TRenewDelegationTokenReq( + sessionHandle.toTSessionHandle(), tokenStr); + try { + TRenewDelegationTokenResp renewResp = + cliService.RenewDelegationToken(cancelReq); + checkStatus(renewResp.getStatus()); + return; + } catch (Exception e) { + throw new HiveSQLException(e); + } + } } Modified: hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java (original) +++ hive/trunk/service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java Wed Mar 12 10:41:57 2014 @@ -45,6 +45,6 @@ public class TestPlainSaslHelper extends tcliService.init(hconf); TProcessorFactory procFactory = PlainSaslHelper.getPlainProcessorFactory(tcliService); assertEquals("doAs enabled processor for unsecure mode", - procFactory.getProcessor(null).getClass(), TUGIContainingProcessor.class); + procFactory.getProcessor(null).getClass(), TSetIpAddressProcessor.class); } } Modified: hive/trunk/service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java (original) +++ hive/trunk/service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java Wed Mar 12 10:41:57 2014 @@ -19,12 +19,16 @@ package org.apache.hive.service.cli.session; import java.util.Collections; +import java.util.HashMap; +import java.util.Map; import java.util.concurrent.atomic.AtomicInteger; import junit.framework.Assert; import junit.framework.TestCase; +import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.cli.HiveSQLException; import org.apache.hive.service.cli.SessionHandle; import org.apache.hive.service.cli.thrift.EmbeddedThriftBinaryCLIService; @@ -34,7 +38,7 @@ import org.junit.Test; public class TestSessionHooks extends TestCase { - public static final String SESSION_USER_NAME = "user1"; + private static String sessionUserName = "user1"; private EmbeddedThriftBinaryCLIService service; private ThriftCLIServiceClient client; @@ -44,7 +48,7 @@ public class TestSessionHooks extends Te @Override public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLException { - Assert.assertEquals(sessionHookContext.getSessionUser(), SESSION_USER_NAME); + Assert.assertEquals(sessionHookContext.getSessionUser(), sessionUserName); String sessionHook = sessionHookContext.getSessionConf(). getVar(ConfVars.HIVE_SERVER2_SESSION_HOOK); Assert.assertTrue(sessionHook.contains(this.getClass().getName())); @@ -56,18 +60,36 @@ public class TestSessionHooks extends Te @Before public void setUp() throws Exception { super.setUp(); + SessionHookTest.runCount.set(0); System.setProperty(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname, TestSessionHooks.SessionHookTest.class.getName()); service = new EmbeddedThriftBinaryCLIService(); + service.init(new HiveConf()); client = new ThriftCLIServiceClient(service); } @Test public void testSessionHook () throws Exception { // create session, test if the hook got fired by checking the expected property - SessionHandle sessionHandle = client.openSession(SESSION_USER_NAME, "foobar", + SessionHandle sessionHandle = client.openSession(sessionUserName, "foobar", Collections.<String, String>emptyMap()); Assert.assertEquals(1, SessionHookTest.runCount.get()); client.closeSession(sessionHandle); } + + /*** + * Create session with proxy user property. Verify the effective session user + * @throws Exception + */ + @Test + public void testProxyUser() throws Exception { + String connectingUser = "user1"; + String proxyUser = System.getProperty("user.name"); + Map<String, String>sessConf = new HashMap<String,String>(); + sessConf.put(HiveAuthFactory.HS2_PROXY_USER, proxyUser); + sessionUserName = proxyUser; + SessionHandle sessionHandle = client.openSession(connectingUser, "foobar", sessConf); + Assert.assertEquals(1, SessionHookTest.runCount.get()); + client.closeSession(sessionHandle); + } } Modified: hive/trunk/shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java URL: http://svn.apache.org/viewvc/hive/trunk/shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java (original) +++ hive/trunk/shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java Wed Mar 12 10:41:57 2014 @@ -556,6 +556,12 @@ public class Hadoop20Shims implements Ha } @Override + public String addServiceToToken(String tokenStr, String tokenService) throws IOException { + throw new UnsupportedOperationException("Tokens are not supported in current hadoop version"); + } + + + @Override public <T> T doAs(UserGroupInformation ugi, PrivilegedExceptionAction<T> pvea) throws IOException, InterruptedException { try { @@ -637,6 +643,11 @@ public class Hadoop20Shims implements Ha } @Override + public void authorizeProxyAccess(String proxyUser, UserGroupInformation realUserUgi, + String ipAddress, Configuration conf) throws IOException { + // This hadoop version doesn't have proxy verification + } + public boolean isSecurityEnabled() { return false; } Modified: hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java URL: http://svn.apache.org/viewvc/hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java (original) +++ hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java Wed Mar 12 10:41:57 2014 @@ -64,6 +64,7 @@ import org.apache.hadoop.mapreduce.Job; import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenSelector; @@ -459,12 +460,39 @@ public abstract class HadoopShimsSecure return token != null ? token.encodeToUrlString() : null; } + /** + * Create a delegation token object for the given token string and service. + * Add the token to given UGI + */ @Override public void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService) throws IOException { + Token<DelegationTokenIdentifier> delegationToken = createToken(tokenStr, tokenService); + ugi.addToken(delegationToken); + } + + /** + * Add a given service to delegation token string. + */ + @Override + public String addServiceToToken(String tokenStr, String tokenService) + throws IOException { + Token<DelegationTokenIdentifier> delegationToken = createToken(tokenStr, tokenService); + return delegationToken.encodeToUrlString(); + } + + /** + * Create a new token using the given string and service + * @param tokenStr + * @param tokenService + * @return + * @throws IOException + */ + private Token<DelegationTokenIdentifier> createToken(String tokenStr, String tokenService) + throws IOException { Token<DelegationTokenIdentifier> delegationToken = new Token<DelegationTokenIdentifier>(); delegationToken.decodeFromUrlString(tokenStr); delegationToken.setService(new Text(tokenService)); - ugi.addToken(delegationToken); + return delegationToken; } @Override @@ -498,6 +526,13 @@ public abstract class HadoopShimsSecure } @Override + public void authorizeProxyAccess(String proxyUser, UserGroupInformation realUserUgi, + String ipAddress, Configuration conf) throws IOException { + ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, realUserUgi), + ipAddress, conf); + } + + @Override public boolean isSecurityEnabled() { return UserGroupInformation.isSecurityEnabled(); } Modified: hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java URL: http://svn.apache.org/viewvc/hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java (original) +++ hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java Wed Mar 12 10:41:57 2014 @@ -18,6 +18,8 @@ package org.apache.hadoop.hive.thrift; +import java.io.ByteArrayInputStream; +import java.io.DataInputStream; import java.io.IOException; import org.apache.hadoop.io.Text; @@ -83,5 +85,16 @@ public class DelegationTokenSecretManage ident, this); return t.encodeToUrlString(); } + + public String getUserFromToken(String tokenStr) throws IOException { + Token<DelegationTokenIdentifier> delegationToken = new Token<DelegationTokenIdentifier>(); + delegationToken.decodeFromUrlString(tokenStr); + + ByteArrayInputStream buf = new ByteArrayInputStream(delegationToken.getIdentifier()); + DataInputStream in = new DataInputStream(buf); + DelegationTokenIdentifier id = createIdentifier(); + id.readFields(in); + return id.getUser().getShortUserName(); + } } Modified: hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java URL: http://svn.apache.org/viewvc/hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java (original) +++ hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java Wed Mar 12 10:41:57 2014 @@ -43,6 +43,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.hive.shims.ShimLoader; import org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport; import org.apache.hadoop.security.SaslRpcServer; import org.apache.hadoop.security.SaslRpcServer.AuthMethod; @@ -401,6 +402,13 @@ import org.apache.thrift.transport.TTran } @Override + public String getDelegationTokenWithService(String owner, String renewer, String service) + throws IOException, InterruptedException { + String token = getDelegationToken(owner, renewer); + return ShimLoader.getHadoopShims().addServiceToToken(token, service); + } + + @Override public long renewDelegationToken(String tokenStrForm) throws IOException { if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) { throw new AuthorizationException( @@ -412,6 +420,11 @@ import org.apache.thrift.transport.TTran } @Override + public String getUserFromToken(String tokenStr) throws IOException { + return secretManager.getUserFromToken(tokenStr); + } + + @Override public void cancelDelegationToken(String tokenStrForm) throws IOException { secretManager.cancelDelegationToken(tokenStrForm); } Modified: hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java URL: http://svn.apache.org/viewvc/hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java (original) +++ hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java Wed Mar 12 10:41:57 2014 @@ -230,7 +230,7 @@ public interface HadoopShims { * @return the string form of the token found * @throws IOException */ - String getTokenStrForm(String tokenSignature) throws IOException; + public String getTokenStrForm(String tokenSignature) throws IOException; /** * Add a delegation token to the given ugi @@ -239,9 +239,18 @@ public interface HadoopShims { * @param tokenService * @throws IOException */ - void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService) + public void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService) throws IOException; + /** + * Add given service to the string format token + * @param tokenStr + * @param tokenService + * @return + * @throws IOException + */ + public String addServiceToToken(String tokenStr, String tokenService) + throws IOException; enum JobTrackerState { INITIALIZING, RUNNING }; @@ -347,7 +356,14 @@ public interface HadoopShims { * @param userName * @return */ - UserGroupInformation createProxyUser(String userName) throws IOException; + public UserGroupInformation createProxyUser(String userName) throws IOException; + + /** + * Verify proxy access to given UGI for given user + * @param ugi + */ + public void authorizeProxyAccess(String proxyUser, UserGroupInformation realUserUgi, + String ipAddress, Configuration conf) throws IOException; /** * The method sets to set the partition file has a different signature between Modified: hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java URL: http://svn.apache.org/viewvc/hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java?rev=1576685&r1=1576684&r2=1576685&view=diff ============================================================================== --- hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java (original) +++ hive/trunk/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java Wed Mar 12 10:41:57 2014 @@ -91,11 +91,14 @@ import org.apache.thrift.transport.TTran public abstract InetAddress getRemoteAddress(); public abstract void startDelegationTokenSecretManager(Configuration conf, Object hmsHandler) throws IOException; - public abstract String getRemoteUser(); public abstract String getDelegationToken(String owner, String renewer) - throws IOException, InterruptedException; + throws IOException, InterruptedException; + public abstract String getDelegationTokenWithService(String owner, String renewer, String service) + throws IOException, InterruptedException; + public abstract String getRemoteUser(); public abstract long renewDelegationToken(String tokenStrForm) throws IOException; public abstract void cancelDelegationToken(String tokenStrForm) throws IOException; + public abstract String getUserFromToken(String tokenStr) throws IOException; } }
