Author: ekoifman
Date: Thu Oct 30 19:16:51 2014
New Revision: 1635594

URL: http://svn.apache.org/r1635594
Log:
HIVE-8643 DDL operations via WebHCat with doAs parameter in secure cluster fail

Modified:
    
hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
    
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
    
hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java

Modified: 
hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- 
hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
 (original)
+++ 
hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
 Thu Oct 30 19:16:51 2014
@@ -121,9 +121,9 @@ public class SecureProxySupport {
     if (isEnabled) {
       args.add("-D");
       args.add("hive.metastore.token.signature=" + getHcatServiceStr());
-      args.add("-D");
-      args.add("proxy.user.name=" + user);
     }
+    args.add("-D");
+    args.add("proxy.user.name=" + user);
   }
 
   class TokenWrapper {
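Review bot: The two added lines append `proxy.user.name=` + `user` on every launch without checking that `user` is non-null and non-empty, and they now run even when `isEnabled` is false. If `user` can be null here (its origin is outside the hunk), the forked process receives the literal `proxy.user.name=null`, which the non-empty test added to `HadoopShimsSecure.getUGIForConf` in this same commit would accept as a user named "null". Wrapping the two lines in `if (user != null && !user.isEmpty()) { ... }` leaves the child on its own identity in that case. The enclosing method starts outside the hunk.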
@@ -140,6 +140,7 @@ public class SecureProxySupport {
     ugi.doAs(new PrivilegedExceptionAction<Object>() {
       public Object run() throws IOException {
         FileSystem fs = FileSystem.get(conf);
+        //todo: according to JavaDoc this seems like private API: 
addDelegationToken should be used
         twrapper.token = fs.getDelegationToken(ugi.getShortUserName());
         return null;
       }
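Review bot: The added TODO names `addDelegationToken`, but as far as I know the public FileSystem method in Hadoop 2 is `addDelegationTokens(String renewer, Credentials credentials)`, so the comment as written will not match a search for the replacement. I would reword it to `// TODO: FileSystem.getDelegationToken is a private Hadoop API per its JavaDoc; use addDelegationTokens(renewer, credentials)` and point it at a tracking issue so it does not go stale. The anonymous `run()` body sits inside a method that starts and ends outside the hunk.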

Modified: 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
 (original)
+++ 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
 Thu Oct 30 19:16:51 2014
@@ -30,6 +30,8 @@ import org.apache.hadoop.security.UserGr
  * but honours a proxy config setting proxy.user.name instead of the
  * current user if set. This allows server processes like webhcat which
  * proxy other users to easily specify an override if allowed.
+ *
+ * It is no longer necessary to use this class with WebHCat as of Hive 0.14.
  */
 public class ProxyUserAuthenticator extends HadoopDefaultAuthenticator {
 
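Review bot: The added Javadoc sentence says the class is no longer needed with WebHCat but not what replaces it, which matters to an operator deciding whether removing this authenticator also switches off the `proxy.user.name` override. Judging by the `HadoopShimsSecure` change in this commit, it does not: the shim now honours the property on its own. I would extend the sentence to something like `As of Hive 0.14 HadoopShimsSecure.getUGIForConf honours proxy.user.name directly, so the override applies whether or not this authenticator is configured.`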

Modified: 
hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- 
hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
 (original)
+++ 
hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
 Thu Oct 30 19:16:51 2014
@@ -463,6 +463,16 @@ public abstract class HadoopShimsSecure 
 
   @Override
   public UserGroupInformation getUGIForConf(Configuration conf) throws 
IOException {
+    String doAs = conf.get("proxy.user.name");
+    if(doAs != null && doAs.length() > 0) {
+     /*
+      * this allows doAs (proxy user) to be passed along across process 
boundary where
+      * delegation tokens are not supported.  For example, a DDL stmt via 
WebHCat with
+      * a doAs parameter, forks to 'hcat' which needs to start a Session that
+      * proxies the end user
+      */
+      return UserGroupInformation.createProxyUser(doAs, 
UserGroupInformation.getLoginUser());
+    }
     return UserGroupInformation.getCurrentUser();
   }
 
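Review bot: The new branch in `getUGIForConf` takes the session identity from a plain configuration string, so any path that can put `proxy.user.name` into the `Configuration` now decides who the session runs as, and nothing here checks that the login user is allowed to impersonate `doAs`. Remote Hadoop services apply their `hadoop.proxyuser.*` rules when the proxy UGI is used for RPC, but an authorization decision taken in-process from this UGI's user name would presumably trust the value as given. I would state that trust assumption in the block comment and confirm that end users cannot set the property at session level, for example by listing it in `hive.conf.restricted.list`. Separately, `doAs.length() > 0` accepts a whitespace-only value; `!doAs.trim().isEmpty()` would reject it before `createProxyUser` is called.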

