HIVE-15896 : LLAP: improved failures when security is set up incorrectly (Sergey Shelukhin, reviewed by Jason Dere)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/69437277
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/69437277
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/69437277
Branch: refs/heads/master
Commit: 694372770ba4a96741af07e93b7d4ce9f26ca51a
Parents: 9589126
Author: Sergey Shelukhin <[email protected]>
Authored: Mon Feb 13 19:02:44 2017 -0800
Committer: Sergey Shelukhin <[email protected]>
Committed: Mon Feb 13 19:02:44 2017 -0800
----------------------------------------------------------------------
.../hadoop/hive/llap/security/SecretManager.java | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/69437277/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
index 345156f..08f8b32 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
@@ -50,17 +50,29 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent implements SigningSecretManager { private static final Logger LOG = LoggerFactory.getLogger(SecretManager.class); private static final String DISABLE_MESSAGE = - "Set " + ConfVars.LLAP_VALIDATE_ACLS.varname + " to false to disable ACL validation"; + "Set " + ConfVars.LLAP_VALIDATE_ACLS.varname + " to false to disable ACL validation (note" + + " that invalid ACLs on secret key paths would mean that security is compromised)"; private final Configuration conf; private final String clusterId; public SecretManager(Configuration conf, String clusterId) { - super(conf); + super(validateConfigBeforeCtor(conf)); this.clusterId = clusterId; this.conf = conf; checkForZKDTSMBug(); } + private static Configuration validateConfigBeforeCtor(Configuration conf) { + setCurator(null); // Ensure there's no threadlocal. We don't expect one. + // We don't ever want to create key paths with world visibility. Why is that even an option?!! + String authType = conf.get(ZK_DTSM_ZK_AUTH_TYPE); + if (!"sasl".equals(authType)) { + throw new RuntimeException("Inconsistent configuration: secure cluster, but ZK auth is " + + authType + " instead of sasl"); + } + return conf; + } + @Override public void startThreads() throws IOException { String principalUser = LlapUtil.getUserNameFromPrincipal( @@ -172,7 +184,8 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent String zkPath = "zkdtsm_" + clusterId; LOG.info("Using {} as ZK secret manager path", zkPath); zkConf.set(SecretManager.ZK_DTSM_ZNODE_WORKING_PATH, zkPath); - setZkConfIfNotSet(zkConf, SecretManager.ZK_DTSM_ZK_AUTH_TYPE, "sasl"); + // Hardcode SASL here. ZKDTSM only supports none or sasl and we never want none. + zkConf.set(SecretManager.ZK_DTSM_ZK_AUTH_TYPE, "sasl"); setZkConfIfNotSet(zkConf, SecretManager.ZK_DTSM_ZK_CONNECTION_STRING, HiveConf.getVar(zkConf, ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING));
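Review bot: The exception thrown in `validateConfigBeforeCtor` reports the rejected value but not the setting that holds it, so an operator who sees "ZK auth is null instead of sasl" has to read the source to learn which property to change. Name the key and use a more specific unchecked type, for example `throw new IllegalStateException("Inconsistent configuration: secure cluster, but " + ZK_DTSM_ZK_AUTH_TYPE + " is " + authType + " instead of sasl");`. The exact-match comparison against "sasl" fails closed and should stay as it is. The helper also clears the thread-local Curator through `setCurator(null)`, a side effect its name does not suggest, so a Javadoc such as `/** Runs before super(conf): rejects any ZK auth type other than sasl and clears the thread-local Curator. */` would help. The "Why is that even an option?!!" comment would read better as a plain statement of the risk (key paths created without SASL would be world-visible).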
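Review bot: In the second hunk the unconditional `zkConf.set(SecretManager.ZK_DTSM_ZK_AUTH_TYPE, "sasl")` silently discards a value an administrator may have set on purpose, so a deployment configured with another auth type gets SASL with nothing in the log to explain why. Record the override when the previous value differs: `String prev = zkConf.get(SecretManager.ZK_DTSM_ZK_AUTH_TYPE);` followed by `if (prev != null && !"sasl".equals(prev)) LOG.warn("Ignoring {}={}; LLAP always uses sasl", SecretManager.ZK_DTSM_ZK_AUTH_TYPE, prev);` ahead of the `set` call. With this line in place the new constructor check apparently cannot fire on this path and only guards callers that build the Configuration themselves, which the comment could say. The enclosing method starts and ends outside the hunk, so whether `zkConf` is a private copy or the caller's object cannot be confirmed from here.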
