HIVE-11875: JDBC Driver does not honor delegation token mechanism when readings params from ZooKeeper (Vaibhav Gumashta reviewed by Jason Dere)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/514ab795 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/514ab795 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/514ab795 Branch: refs/heads/beeline-cli Commit: 514ab795ffd03a72803f878eac57e3cf82b80045 Parents: 2a65989 Author: Vaibhav Gumashta <[email protected]> Authored: Mon Sep 21 17:00:24 2015 -0700 Committer: Vaibhav Gumashta <[email protected]> Committed: Mon Sep 21 17:00:24 2015 -0700 ---------------------------------------------------------------------- .../hive/jdbc/ZooKeeperHiveClientHelper.java | 32 ++++++++++++++------ 1 file changed, 22 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/514ab795/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java ----------------------------------------------------------------------
diff --git a/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java b/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
index eeb3cf9..4712d2e 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
@@ -137,20 +137,32 @@ class ZooKeeperHiveClientHelper {
 && !(connParams.getSessionVars().containsKey(JdbcConnectionParams.USE_SSL))) {
 connParams.getSessionVars().put(JdbcConnectionParams.USE_SSL, matcher.group(2));
 }
- // Set authentication configs
- // Note that in JDBC driver, we have 3 auth modes: NOSASL, Kerberos and password based
- // The use of "JdbcConnectionParams.AUTH_TYPE=JdbcConnectionParams.AUTH_SIMPLE" picks NOSASL
- // The presence of "JdbcConnectionParams.AUTH_PRINCIPAL=<principal>" picks Kerberos
- // Otherwise password based (which includes NONE, PAM, LDAP, CUSTOM)
- if ((matcher.group(1).equals("hive.server2.authentication"))
- && !(connParams.getSessionVars().containsKey(JdbcConnectionParams.AUTH_TYPE))) {
- if (matcher.group(2).equalsIgnoreCase("NOSASL")) {
+ /**
+ * Note: this is pretty messy, but sticking to the current implementation.
+ * Set authentication configs. Note that in JDBC driver, we have 3 auth modes: NOSASL,
+ * Kerberos (including delegation token mechanism) and password based.
+ * The use of JdbcConnectionParams.AUTH_TYPE==JdbcConnectionParams.AUTH_SIMPLE picks NOSASL.
+ * The presence of JdbcConnectionParams.AUTH_PRINCIPAL==<principal> picks Kerberos.
+ * If principal is absent, the presence of
+ * JdbcConnectionParams.AUTH_TYPE==JdbcConnectionParams.AUTH_TOKEN uses delegation token.
+ * Otherwise password based (which includes NONE, PAM, LDAP, CUSTOM)
+ */
+ if (matcher.group(1).equals("hive.server2.authentication")) {
+ // NOSASL
+ if (matcher.group(2).equalsIgnoreCase("NOSASL")
+ && !(connParams.getSessionVars().containsKey(JdbcConnectionParams.AUTH_TYPE) && connParams
+ .getSessionVars().get(JdbcConnectionParams.AUTH_TYPE)
+ .equalsIgnoreCase(JdbcConnectionParams.AUTH_SIMPLE))) {
 connParams.getSessionVars().put(JdbcConnectionParams.AUTH_TYPE,
 JdbcConnectionParams.AUTH_SIMPLE);
 }
 }
- // Set server's kerberos principal
- if ((matcher.group(1).equals("hive.server2.authentication.kerberos.principal"))
+ // KERBEROS
+ // If delegation token is passed from the client side, do not set the principal
+ if (matcher.group(2).equalsIgnoreCase("hive.server2.authentication.kerberos.principal")
+ && !(connParams.getSessionVars().containsKey(JdbcConnectionParams.AUTH_TYPE) && connParams
+ .getSessionVars().get(JdbcConnectionParams.AUTH_TYPE)
+ .equalsIgnoreCase(JdbcConnectionParams.AUTH_TOKEN))
 && !(connParams.getSessionVars().containsKey(JdbcConnectionParams.AUTH_PRINCIPAL))) {
 connParams.getSessionVars().put(JdbcConnectionParams.AUTH_PRINCIPAL, matcher.group(2));
 }
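Review bot: The new KERBEROS condition compares `matcher.group(2)` (the value) with the config name `hive.server2.authentication.kerberos.principal`, where the removed line compared `matcher.group(1)` (the key), so a principal published in ZooKeeper will in practice never be copied into `AUTH_PRINCIPAL`, and a Kerberos client relying on discovery would presumably fall through to the password-based mode. The first line of that condition should read `if (matcher.group(1).equals("hive.server2.authentication.kerberos.principal")`. Separately, the NOSASL branch now overwrites any client-supplied `AUTH_TYPE` other than `AUTH_SIMPLE`, whereas the removed code left a client-set value alone, so the znode content can replace an explicit client choice such as `AUTH_TOKEN` with NOSASL. If that override is intended, a comment saying so, and noting that the client trusts the znode content and it therefore needs to be write-protected, would help the next reader. The enclosing method begins and ends outside this hunk.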
