Repository: hive Updated Branches: refs/heads/master cc2d0f036 -> 833a7d158
HIVE-13418 : HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits (Thejas Nair, reviewed by Vaibhav Gumashta) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/833a7d15 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/833a7d15 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/833a7d15 Branch: refs/heads/master Commit: 833a7d158b3a8e45f492e7c82640c1a367d79b30 Parents: cc2d0f0 Author: Thejas Nair <the...@hortonworks.com> Authored: Thu Apr 14 17:43:18 2016 -0700 Committer: Thejas Nair <the...@hortonworks.com> Committed: Thu Apr 14 17:43:18 2016 -0700 ---------------------------------------------------------------------- .../cli/thrift/TestThriftBinaryCLIService.java | 92 ------- .../cli/thrift/TestThriftHttpCLIService.java | 241 ------------------- .../java/org/apache/hadoop/hive/ql/Driver.java | 1 + .../hadoop/hive/ql/processors/CommandUtil.java | 1 + .../AuthorizationMetaStoreFilterHook.java | 1 + .../authorization/plugin/QueryContext.java | 19 +- .../hadoop/hive/ql/session/SessionState.java | 10 + .../cli/operation/MetadataOperation.java | 1 + .../service/cli/session/HiveSessionImpl.java | 2 + .../service/cli/session/SessionManager.java | 21 +- .../service/cli/thrift/ThriftHttpServlet.java | 17 ++ .../cli/thrift/ThriftCLIServiceTest.java | 4 +- 12 files changed, 68 insertions(+), 342 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftBinaryCLIService.java ----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftBinaryCLIService.java b/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftBinaryCLIService.java
deleted file mode 100644
index de31699..0000000
--- a/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftBinaryCLIService.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hive.service.cli.thrift;
-
-import static org.junit.Assert.assertNotNull;
-
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-
-
-/**
- *
- * TestThriftBinaryCLIService.
- * This tests ThriftCLIService started in binary mode.
- *
- */
-
-public class TestThriftBinaryCLIService extends ThriftCLIServiceTest {
-
- private static String transportMode = "binary";
-
- /**
- * @throws java.lang.Exception
- */
- @BeforeClass
- public static void setUpBeforeClass() throws Exception {
- // Set up the base class
- ThriftCLIServiceTest.setUpBeforeClass();
-
- assertNotNull(port);
- assertNotNull(hiveServer2);
- assertNotNull(hiveConf);
-
- hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false);
- hiveConf.setVar(ConfVars.HIVE_SERVER2_THRIFT_BIND_HOST, host);
- hiveConf.setIntVar(ConfVars.HIVE_SERVER2_THRIFT_PORT, port);
- hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, AuthTypes.NONE.toString());
- hiveConf.setVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE, transportMode);
-
- startHiveServer2WithConf(hiveConf);
-
- client = getServiceClientInternal();
- }
-
- /**
- * @throws java.lang.Exception
- */
- @AfterClass
- public static void tearDownAfterClass() throws Exception {
- ThriftCLIServiceTest.tearDownAfterClass();
- }
-
- /**
- * @throws java.lang.Exception
- */
- @Override
- @Before
- public void setUp() throws Exception {
-
- }
-
- /**
- * @throws java.lang.Exception
- */
- @Override
- @After
- public void tearDown() throws Exception {
-
- }
-
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java ----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java b/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java
deleted file mode 100644
index 3ed6dd8..0000000
--- a/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java
+++ /dev/null
@@ -1,241 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hive.service.cli.thrift;
-
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hive.jdbc.HttpBasicAuthInterceptor;
-import org.apache.hive.service.auth.HiveAuthFactory;
-import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
-import org.apache.hive.service.rpc.thrift.TCLIService;
-import org.apache.hive.service.rpc.thrift.TOpenSessionReq;
-import org.apache.http.HttpException;
-import org.apache.http.HttpRequest;
-import org.apache.http.client.CookieStore;
-import org.apache.http.impl.client.DefaultHttpClient;
-import org.apache.http.protocol.HttpContext;
-import org.apache.thrift.protocol.TBinaryProtocol;
-import org.apache.thrift.protocol.TProtocol;
-import org.apache.thrift.transport.THttpClient;
-import org.apache.thrift.transport.TTransport;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-/**
- *
- * TestThriftHttpCLIService.
- * This tests ThriftCLIService started in http mode.
- *
- */
-
-public class TestThriftHttpCLIService extends ThriftCLIServiceTest {
-
- private static String transportMode = "http";
- private static String thriftHttpPath = "cliservice";
-
- /**
- * HttpBasicAuthInterceptorWithLogging
- * This adds httpRequestHeaders to the BasicAuthInterceptor
- */
- public class HttpBasicAuthInterceptorWithLogging extends HttpBasicAuthInterceptor {
-
- ArrayList<String> requestHeaders;
-
- public HttpBasicAuthInterceptorWithLogging(String username,
- String password, CookieStore cookieStore, String cn, boolean isSSL,
- Map<String, String> additionalHeaders) {
- super(username, password, cookieStore, cn, isSSL, additionalHeaders);
- requestHeaders = new ArrayList<String>();
- }
-
- @Override
- public void process(HttpRequest httpRequest, HttpContext httpContext)
- throws HttpException, IOException {
- super.process(httpRequest, httpContext);
-
- String currHeaders = "";
-
- for (org.apache.http.Header h : httpRequest.getAllHeaders()) {
- currHeaders += h.getName() + ":" + h.getValue() + " ";
- }
- requestHeaders.add(currHeaders);
- }
-
- public ArrayList<String> getRequestHeaders() {
- return requestHeaders;
- }
- }
-
- /**
- * @throws java.lang.Exception
- */
- @BeforeClass
- public static void setUpBeforeClass() throws Exception {
- // Set up the base class
- ThriftCLIServiceTest.setUpBeforeClass();
-
- assertNotNull(port);
- assertNotNull(hiveServer2);
- assertNotNull(hiveConf);
-
- hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false);
- hiveConf.setVar(ConfVars.HIVE_SERVER2_THRIFT_BIND_HOST, host);
- hiveConf.setIntVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_PORT, port);
- hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, AuthTypes.NOSASL.toString());
- hiveConf.setVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE, transportMode);
- hiveConf.setVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_PATH, thriftHttpPath);
-
- startHiveServer2WithConf(hiveConf);
-
- client = getServiceClientInternal();
- }
-
- /**
- * @throws java.lang.Exception
- */
- @AfterClass
- public static void tearDownAfterClass() throws Exception {
- ThriftCLIServiceTest.tearDownAfterClass();
- }
-
- /**
- * @throws java.lang.Exception
- */
- @Override
- @Before
- public void setUp() throws Exception {
-
- }
-
- /**
- * @throws java.lang.Exception
- */
- @Override
- @After
- public void tearDown() throws Exception {
-
- }
-
- @Test
- /**
- * Tests calls from a raw (NOSASL) binary client,
- * to a HiveServer2 running in http mode.
- * This should throw an expected exception due to incompatibility.
- * @throws Exception
- */
- public void testBinaryClientHttpServer() throws Exception {
- TTransport transport = getRawBinaryTransport();
- TCLIService.Client rawBinaryClient = getClient(transport);
-
- // This will throw an expected exception since client-server modes are incompatible
- testOpenSessionExpectedException(rawBinaryClient);
- }
-
- /**
- * Configure a wrong service endpoint for the client transport,
- * and test for error.
- * @throws Exception
- */
- @Test
- public void testIncorrectHttpPath() throws Exception {
- thriftHttpPath = "wrongPath";
- TTransport transport = getHttpTransport();
- TCLIService.Client httpClient = getClient(transport);
-
- // This will throw an expected exception since
- // client is communicating with the wrong http service endpoint
- testOpenSessionExpectedException(httpClient);
-
- // Reset to correct http path
- thriftHttpPath = "cliservice";
- }
-
- private void testOpenSessionExpectedException(TCLIService.Client client) {
- boolean caughtEx = false;
- // Create a new open session request object
- TOpenSessionReq openReq = new TOpenSessionReq();
- try {
- client.OpenSession(openReq).getSessionHandle();
- } catch (Exception e) {
- caughtEx = true;
- System.out.println("Exception expected: " + e.toString());
- }
- assertTrue("Exception expected", caughtEx);
- }
-
- private TCLIService.Client getClient(TTransport transport) throws Exception {
- // Create the corresponding client
- TProtocol protocol = new TBinaryProtocol(transport);
- return new TCLIService.Client(protocol);
- }
-
- private TTransport getRawBinaryTransport() throws Exception {
- return HiveAuthFactory.getSocketTransport(host, port, 0);
- }
-
- private static TTransport getHttpTransport() throws Exception {
- DefaultHttpClient httpClient = new DefaultHttpClient();
- String httpUrl = transportMode + "://" + host + ":" + port +
- "/" + thriftHttpPath + "/";
- httpClient.addRequestInterceptor(
- new HttpBasicAuthInterceptor(USERNAME, PASSWORD, null, null, false, null));
- return new THttpClient(httpUrl, httpClient);
- }
-
- /**
- * Test additional http headers passed to request interceptor.
- * @throws Exception
- */
- @Test
- public void testAdditionalHttpHeaders() throws Exception {
- TTransport transport;
- DefaultHttpClient hClient = new DefaultHttpClient();
- String httpUrl = transportMode + "://" + host + ":" + port +
- "/" + thriftHttpPath + "/";
- Map<String, String> additionalHeaders = new HashMap<String, String>();
- additionalHeaders.put("key1", "value1");
- additionalHeaders.put("key2", "value2");
- HttpBasicAuthInterceptorWithLogging authInt =
- new HttpBasicAuthInterceptorWithLogging(USERNAME, PASSWORD, null, null,
- false, additionalHeaders);
- hClient.addRequestInterceptor(authInt);
- transport = new THttpClient(httpUrl, hClient);
- TCLIService.Client httpClient = getClient(transport);
-
- // Create a new open session request object
- TOpenSessionReq openReq = new TOpenSessionReq();
- httpClient.OpenSession(openReq).getSessionHandle();
- ArrayList<String> headers = authInt.getRequestHeaders();
-
- for (String h : headers) {
- assertTrue(h.contains("key1:value1"));
- assertTrue(h.contains("key2:value2"));
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/ql/src/java/org/apache/hadoop/hive/ql/Driver.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
index bd510d6..92c2c76 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
@@ -848,6 +848,7 @@ public class Driver implements CommandProcessor {
 */
 QueryContext.Builder authzContextBuilder = new QueryContext.Builder();
+ authzContextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
 authzContextBuilder.setCommandString(command);
 HiveOperationType hiveOpType = getHiveOperationType(op);
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
index 7971dab..9288ee2 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
@@ -82,6 +82,7 @@ class CommandUtil {
 HivePrivilegeObject commandObj = HivePrivilegeObject.createHivePrivilegeObject(command);
 QueryContext.Builder ctxBuilder = new QueryContext.Builder();
 ctxBuilder.setCommandString(Joiner.on(' ').join(command));
+ ctxBuilder.setForwardedAddresses(ss.getForwardedAddresses());
 ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, ctxBuilder.build());
 }
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
index a9ad015..20367da 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
@@ -74,6 +74,7 @@ public class AuthorizationMetaStoreFilterHook extends DefaultMetaStoreFilterHook
 private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs) throws MetaException {
 SessionState ss = SessionState.get();
 QueryContext.Builder authzContextBuilder = new QueryContext.Builder();
+ authzContextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
 try {
 return ss.getAuthorizerV2().filterListCmdObjects(listObjs, authzContextBuilder.build());
 } catch (HiveAuthzPluginException e) {
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java
index 318343c..17f8913 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java
@@ -17,6 +17,8 @@
 */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
+import java.util.List;
+
 import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
@@ -31,6 +33,7 @@ public final class QueryContext {
 public static class Builder {
 private String commandString;
+ private List<String> forwardedAddresses;
 public String getCommandString() {
 return commandString;
@@ -38,24 +41,38 @@ public final class QueryContext {
 public void setCommandString(String commandString) {
 this.commandString = commandString;
 }
+
+ public List<String> getForwardedAddresses() {
+ return forwardedAddresses;
+ }
+ public void setForwardedAddresses(List<String> forwardedAddresses) {
+ this.forwardedAddresses = forwardedAddresses;
+ }
+
 public QueryContext build(){
 return new QueryContext(this);
 }
 }
 private final String commandString;
+ private final List<String> forwardedAddresses;
 private QueryContext(Builder builder) {
 this.commandString = builder.commandString;
+ this.forwardedAddresses = builder.forwardedAddresses;
 }
 public String getCommandString() {
 return commandString;
 }
+ public List<String> getForwardedAddresses() {
+ return forwardedAddresses;
+ }
+
 @Override
 public String toString() {
- return "QueryContext [commandString=" + commandString + "]";
+ return "QueryContext [commandString=" + commandString + ", forwardedAddresses=" + forwardedAddresses + "]";
 }
 }
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
index ca18247..2b15c23 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
@@ -275,6 +275,8 @@ public class SessionState {
 private final ResourceDownloader resourceDownloader;
+ private List<String> forwardedAddresses;
+
 /**
 * Get the lineage state stored in this session.
 *
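Review bot: `QueryContext` is a final class with final fields, but the constructor in the `@@ -38,24 +41,38 @@` hunk stores the builder's list by reference and `getForwardedAddresses()` returns it as is, so the context handed to an authorization plugin can still be changed after `build()` and may be null. The null case looks reachable: `SessionManager.getForwardedAddresses()` reads a `ThreadLocal` with no initial value, so a thread on which the servlet never set it presumably yields null, while an HTTP request without the header yields an empty list. Normalising in the constructor, e.g. `this.forwardedAddresses = builder.forwardedAddresses == null ? Collections.<String>emptyList() : Collections.unmodifiableList(new ArrayList<String>(builder.forwardedAddresses));` (with the matching imports), would give plugins a single contract. A Javadoc line on the getter saying that the entries come from a client-supplied header, in header order, is also worth adding.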
@@ -1677,6 +1679,14 @@ public class SessionState {
 public ResourceDownloader getResourceDownloader() {
 return resourceDownloader;
 }
+
+ public void setForwardedAddresses(List<String> forwardedAddresses) {
+ this.forwardedAddresses = forwardedAddresses;
+ }
+
+ public List<String> getForwardedAddresses() {
+ return forwardedAddresses;
+ }
 }
 class ResourceMaps {
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java ----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java b/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
index c4a7e69..77228fa 100644
--- a/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
+++ b/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
@@ -135,6 +135,7 @@ public abstract class MetadataOperation extends Operation {
 String cmdString) throws HiveSQLException {
 SessionState ss = SessionState.get();
 QueryContext.Builder ctxBuilder = new QueryContext.Builder();
+ ctxBuilder.setForwardedAddresses(ss.getForwardedAddresses());
 ctxBuilder.setCommandString(cmdString);
 try {
 ss.getAuthorizerV2().checkPrivileges(opType, inpObjs, null,
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java ----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java b/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
index 80a1844..0f36cd6 100644
--- a/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
+++ b/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
@@ -159,6 +159,7 @@ public class HiveSessionImpl implements HiveSession {
 sessionState = new SessionState(hiveConf, username);
 sessionState.setUserIpAddress(ipAddress);
 sessionState.setIsHiveServerQuery(true);
+ sessionState.setForwardedAddresses(SessionManager.getForwardedAddresses());
 SessionState.start(sessionState);
 try {
 sessionState.reloadAuxJars();
@@ -326,6 +327,7 @@ public class HiveSessionImpl implements HiveSession {
 // Need to make sure that the this HiveServer2's session's SessionState is
 // stored in the thread local for the handler thread.
 SessionState.setCurrentSessionState(sessionState);
+ sessionState.setForwardedAddresses(SessionManager.getForwardedAddresses());
 if (userAccess) {
 lastAccessTime = System.currentTimeMillis();
 }
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/service/src/java/org/apache/hive/service/cli/session/SessionManager.java ----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/session/SessionManager.java b/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
index 79eddd9..ad8678e 100644
--- a/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
+++ b/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
@@ -395,12 +395,7 @@ public class SessionManager extends CompositeService {
 return operationManager;
 }
- private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
- @Override
- protected String initialValue() {
- return null;
- }
- };
+ private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>();
 public static void setIpAddress(String ipAddress) {
 threadLocalIpAddress.set(ipAddress);
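Review bot: The second HiveSessionImpl hunk (`@@ -326,6 +327,7 @@`) overwrites the session-wide `SessionState.forwardedAddresses` on every acquire, so the field reflects the most recent request on the session rather than the request that started a given operation. If an operation can still be running on another thread when a later request arrives (not visible in this diff), an authorization or audit call made by that operation could read a different request's proxy chain, and the plain field in `SessionState` gives no cross-thread visibility guarantee. Capturing the list per operation would avoid that; at minimum a comment on the call such as `// refreshed on every request: holds the X-Forwarded-For chain of the latest HTTP request on this session` would document the behaviour. The enclosing method starts and ends outside the hunk.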
@@ -414,6 +409,20 @@ public class SessionManager extends CompositeService {
 return threadLocalIpAddress.get();
 }
+ private static ThreadLocal<List<String>> threadLocalForwardedAddresses = new ThreadLocal<List<String>>();
+
+ public static void setForwardedAddresses(List<String> ipAddress) {
+ threadLocalForwardedAddresses.set(ipAddress);
+ }
+
+ public static void clearForwardedAddresses() {
+ threadLocalForwardedAddresses.remove();
+ }
+
+ public static List<String> getForwardedAddresses() {
+ return threadLocalForwardedAddresses.get();
+ }
+
 private static ThreadLocal<String> threadLocalUserName = new ThreadLocal<String>(){
 @Override
 protected String initialValue() {
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java ----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index 7e12fae..74d73b7 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -20,7 +20,11 @@ package org.apache.hive.service.cli.thrift;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.InetAddress;
 import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 import java.util.Random;
 import java.util.Set;
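Review bot: `setForwardedAddresses(List<String> ipAddress)` in the SessionManager hunk names its list parameter as if it were a single address; `forwardedAddresses` would match the getter and the field. The new `threadLocalForwardedAddresses` can be declared `private static final`, and the accessors have no Javadoc: one line stating that the value belongs to the current request thread, is null when never set, and must be removed with `clearForwardedAddresses()` when the request ends would record the contract the servlet relies on.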
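Review bot: `java.net.InetAddress` is imported in the ThriftHttpServlet import hunk, but nothing in the visible ThriftHttpServlet hunks uses it; unless code outside the diff needs it, the line `+import java.net.InetAddress;` should be dropped. The other three new imports (`Arrays`, `Collections`, `List`) are used by the header-parsing code added further down in the same file.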
@@ -87,6 +91,7 @@ public class ThriftHttpServlet extends TServlet {
 private boolean isHttpOnlyCookie;
 private final HiveAuthFactory hiveAuthFactory;
 private static final String HIVE_DELEGATION_TOKEN_HEADER = "X-Hive-Delegation-Token";
+ private static final String X_FORWARDED_FOR = "X-Forwarded-For";
 public ThriftHttpServlet(TProcessor processor, TProtocolFactory protocolFactory, String authType, UserGroupInformation serviceUGI, UserGroupInformation httpUGI,
@@ -166,6 +171,17 @@ public class ThriftHttpServlet extends TServlet {
 LOG.debug("Client IP Address: " + clientIpAddress);
 // Set the thread local ip address
 SessionManager.setIpAddress(clientIpAddress);
+
+ // get forwarded hosts address
+ String forwarded_for = request.getHeader(X_FORWARDED_FOR);
+ if (forwarded_for != null) {
+ LOG.debug("{}:{}", X_FORWARDED_FOR, forwarded_for);
+ List<String> forwardedAddresses = Arrays.asList(forwarded_for.split(","));
+ SessionManager.setForwardedAddresses(forwardedAddresses);
+ } else {
+ SessionManager.setForwardedAddresses(Collections.<String>emptyList());
+ }
+
 // Generate new cookie and add it to the response
 if (requireNewCookie && !authType.equalsIgnoreCase(HiveAuthFactory.AuthTypes.NOSASL.toString())) {
@@ -195,6 +211,7 @@ public class ThriftHttpServlet extends TServlet {
 SessionManager.clearUserName();
 SessionManager.clearIpAddress();
 SessionManager.clearProxyUserName();
+ SessionManager.clearForwardedAddresses();
 }
 }
http://git-wip-us.apache.org/repos/asf/hive/blob/833a7d15/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java ----------------------------------------------------------------------
diff --git a/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java b/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java
index 630cfc9..1740079 100644
--- a/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java
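Review bot: In the `@@ -166,6 +171,17 @@` hunk the `X-Forwarded-For` value is split on `,` without trimming, so the usual `a, b` form produces entries with a leading space; `Arrays.asList(forwarded_for.trim().split("\\s*,\\s*"))` would hand authorization plugins clean values. The header is also accepted from any client, with no check that the connecting peer is a trusted proxy, so a comment above the read such as `// client-supplied and unverified: suitable for audit, not as the sole basis of an allow decision` would keep plugin authors from treating it as authenticated. `request.getHeader` returns only the first header when several `X-Forwarded-For` lines are sent, and the local `forwarded_for` departs from the camelCase used by `clientIpAddress` and `requireNewCookie` in the same hunk. The enclosing method starts and ends outside the hunk.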
+++ b/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java
@@ -73,7 +73,7 @@ public abstract class ThriftCLIServiceTest {
 stopHiveServer2();
 }
- protected static void startHiveServer2WithConf(HiveConf hiveConf) throws Exception {
+ static void startHiveServer2WithConf(HiveConf hiveConf) throws Exception {
 hiveServer2.init(hiveConf);
 // Start HiveServer2 with given config
 // Fail if server doesn't start
@@ -94,7 +94,7 @@ public abstract class ThriftCLIServiceTest {
 }
 }
- protected static ThriftCLIServiceClient getServiceClientInternal() {
+ static ThriftCLIServiceClient getServiceClientInternal() {
 for (Service service : hiveServer2.getServices()) {
 if (service instanceof ThriftBinaryCLIService) {
 return new ThriftCLIServiceClient((ThriftBinaryCLIService) service);