HIVE-13135: LLAP: HTTPS Webservices needs trusted keystore configs (Gopal V, reviewed by Sergey Shelukhin)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/4984714d Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/4984714d Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/4984714d Branch: refs/heads/llap Commit: 4984714d53e1d8cf77427d9d5ced4dc15d008131 Parents: c1c1a4a Author: Gopal V <[email protected]> Authored: Thu Feb 25 22:28:09 2016 -0800 Committer: Gopal V <[email protected]> Committed: Thu Feb 25 22:28:09 2016 -0800 ---------------------------------------------------------------------- .../hadoop/hive/llap/cli/LlapServiceDriver.java | 2 +- .../configuration/LlapDaemonConfiguration.java | 12 +++++++- .../llap/daemon/services/impl/LlapWebApp.java | 29 -------------------- .../daemon/services/impl/LlapWebServices.java | 11 ++++++-- 4 files changed, 21 insertions(+), 33 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/4984714d/llap-server/src/java/org/apache/hadoop/hive/llap/cli/LlapServiceDriver.java ---------------------------------------------------------------------- diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/cli/LlapServiceDriver.java b/llap-server/src/java/org/apache/hadoop/hive/llap/cli/LlapServiceDriver.java index 8fdec2f..46edc42 100644 --- a/llap-server/src/java/org/apache/hadoop/hive/llap/cli/LlapServiceDriver.java +++ b/llap-server/src/java/org/apache/hadoop/hive/llap/cli/LlapServiceDriver.java @@ -63,7 +63,7 @@ public class LlapServiceDriver { "org.apache.hive.hcatalog.data.JsonSerDe" }; private static final String HBASE_SERDE_CLASS = "org.apache.hadoop.hive.hbase.HBaseSerDe"; private static final String[] NEEDED_CONFIGS = LlapDaemonConfiguration.DAEMON_CONFIGS; - private static final String[] OPTIONAL_CONFIGS = { "ssl-server.xml" }; + private static final String[] OPTIONAL_CONFIGS = LlapDaemonConfiguration.SSL_DAEMON_CONFIGS; /** http://git-wip-us.apache.org/repos/asf/hive/blob/4984714d/llap-server/src/java/org/apache/hadoop/hive/llap/configuration/LlapDaemonConfiguration.java ---------------------------------------------------------------------- diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/configuration/LlapDaemonConfiguration.java b/llap-server/src/java/org/apache/hadoop/hive/llap/configuration/LlapDaemonConfiguration.java index 72340f5..51e8509 100644 --- a/llap-server/src/java/org/apache/hadoop/hive/llap/configuration/LlapDaemonConfiguration.java +++ b/llap-server/src/java/org/apache/hadoop/hive/llap/configuration/LlapDaemonConfiguration.java @@ -16,6 +16,7 @@ package org.apache.hadoop.hive.llap.configuration; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.common.classification.InterfaceAudience; +import org.apache.hadoop.hive.conf.HiveConf; /** * Configuration for LLAP daemon processes only. This should not be used by any clients. @@ -28,12 +29,21 @@ public class LlapDaemonConfiguration extends Configuration { @InterfaceAudience.Private public static final String[] DAEMON_CONFIGS = { /* in specific order */"core-site.xml", "hdfs-site.xml", "yarn-site.xml", "tez-site.xml", "hive-site.xml" }; - + + @InterfaceAudience.Private + public static final String[] SSL_DAEMON_CONFIGS = { "ssl-server.xml" }; + public LlapDaemonConfiguration() { super(false); for (String conf : DAEMON_CONFIGS) { addResource(conf); } + /* load ssl secret configs */ + if (HiveConf.getBoolVar(this, HiveConf.ConfVars.LLAP_DAEMON_WEB_SSL)) { + for (String conf : SSL_DAEMON_CONFIGS) { + addResource(conf); + } + } addResource(LLAP_DAEMON_SITE); } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/hive/blob/4984714d/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebApp.java ---------------------------------------------------------------------- diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebApp.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebApp.java deleted file mode 100644 index 08ac843..0000000 --- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebApp.java +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hive.llap.daemon.services.impl; - -import org.apache.hadoop.yarn.webapp.WebApp; -import org.apache.hadoop.yarn.webapp.YarnWebParams; - -public class LlapWebApp extends WebApp { - - @Override - public void setup() { - // JMX / config are defaults - } -} http://git-wip-us.apache.org/repos/asf/hive/blob/4984714d/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java ---------------------------------------------------------------------- diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java index 0c6fc3f..afb59c0 100644 --- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java +++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/services/impl/LlapWebServices.java @@ -22,6 +22,7 @@ import java.io.IOException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.llap.configuration.LlapDaemonConfiguration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.service.AbstractService; import org.apache.hive.http.HttpServer; @@ -34,6 +35,8 @@ public class LlapWebServices extends AbstractService { private int port; private HttpServer http; + private boolean useSSL = false; + private boolean useSPNEGO = false; public LlapWebServices() { super("LlapWebServices"); @@ -42,13 +45,17 @@ public class LlapWebServices extends AbstractService { @Override public void serviceInit(Configuration conf) { this.port = HiveConf.getIntVar(conf, ConfVars.LLAP_DAEMON_WEB_PORT); + this.useSSL = HiveConf.getBoolVar(conf, ConfVars.LLAP_DAEMON_WEB_SSL); + this.useSPNEGO = HiveConf.getBoolVar(conf, ConfVars.LLAP_WEB_AUTO_AUTH); String bindAddress = "0.0.0.0"; HttpServer.Builder builder = new HttpServer.Builder().setName("llap").setPort(this.port).setHost(bindAddress); builder.setConf(new HiveConf(conf, HiveConf.class)); if (UserGroupInformation.isSecurityEnabled()) { - builder.setUseSSL(true); - if (HiveConf.getBoolVar(conf, ConfVars.LLAP_WEB_AUTO_AUTH)) { + LOG.info("LLAP UI useSSL=" + this.useSSL + ", auto-auth/SPNEGO=" + + this.useSPNEGO + ", port=" + this.port); + builder.setUseSSL(this.useSSL); + if (this.useSPNEGO) { builder.setUseSPNEGO(true); // this setups auth filtering in build() builder.setSPNEGOPrincipal(HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL)); builder.setSPNEGOKeytab(HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE));
