This is an automated email from the ASF dual-hosted git repository.

prasanthj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 67240e7  Revert "HIVE-21783: Avoid authentication for connection from 
the same domain (Ashutosh Bapat reviewed by Olli Draese, Prasanth Jayachandran)"
67240e7 is described below

commit 67240e7810387d741e39a07f7acbdc7f4fb0b4bb
Author: Prasanth Jayachandran <prasan...@apache.org>
AuthorDate: Sat Jun 15 19:55:35 2019 -0700

    Revert "HIVE-21783: Avoid authentication for connection from the same 
domain (Ashutosh Bapat reviewed by Olli Draese, Prasanth Jayachandran)"
    
    This reverts commit 24313ab962b2881317bdcb50e67e90d3da3a5cc2.
---
 .../java/org/apache/hadoop/hive/conf/HiveConf.java |   8 -
 .../java/org/apache/hive/minikdc/MiniHiveKdc.java  |  23 +--
 ...estImproperTrustDomainAuthenticationBinary.java |  28 ---
 .../TestImproperTrustDomainAuthenticationHttp.java |  28 ---
 .../auth/TestTrustDomainAuthenticationBinary.java  |  28 ---
 .../auth/TestTrustDomainAuthenticationHttp.java    |  28 ---
 .../auth/TrustDomainAuthenticationTest.java        | 192 ---------------------
 .../apache/hive/service/auth/HiveAuthFactory.java  |   5 -
 .../apache/hive/service/auth/PlainSaslHelper.java  |  54 ------
 .../hive/service/cli/thrift/ThriftHttpServlet.java |  53 ++----
 10 files changed, 25 insertions(+), 422 deletions(-)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 03a8019..2cea174 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3478,14 +3478,6 @@ public class HiveConf extends Configuration {
         "          (Use with property 
hive.server2.custom.authentication.class)\n" +
         "  PAM: Pluggable authentication module\n" +
         "  NOSASL:  Raw transport"),
-    HIVE_SERVER2_TRUSTED_DOMAIN("hive.server2.trusted.domain", "",
-        "Specifies the host or a domain to trust connections from. 
Authentication is skipped " +
-        "for any connection coming from a host whose hostname ends with the 
value of this" +
-        " property. If authentication is expected to be skipped for 
connections from " +
-        "only a given host, fully qualified hostname of that host should be 
specified. By default" +
-        " it is empty, which means that all the connections to HiveServer2 are 
authenticated. " +
-        "When it is non-empty, the client has to provide a Hive user name. Any 
password, if " +
-        "provided, will not be used when authentication is skipped."),
     
HIVE_SERVER2_ALLOW_USER_SUBSTITUTION("hive.server2.allow.user.substitution", 
true,
         "Allow alternate user to be specified as part of HiveServer2 open 
connection request."),
     
HIVE_SERVER2_KERBEROS_KEYTAB("hive.server2.authentication.kerberos.keytab", "",
diff --git 
a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java 
b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
index e604f90..7d1192a 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/MiniHiveKdc.java
@@ -36,7 +36,6 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hive.jdbc.miniHS2.MiniHS2;
 
 import com.google.common.io.Files;
-import org.apache.hive.service.server.HiveServer2;
 
 /**
  * Wrapper around Hadoop's MiniKdc for use in hive tests.
@@ -179,21 +178,15 @@ public class MiniHiveKdc {
   * @return new MiniHS2 instance
   * @throws Exception
   */
-  public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf 
hiveConf,
+ public static MiniHS2 getMiniHS2WithKerb(MiniHiveKdc miniHiveKdc, HiveConf 
hiveConf,
      String authType) throws Exception {
-    String hivePrincipal =
-            
miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
-    String hiveKeytab = miniHiveKdc.getKeyTabFile(
-            
miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
-
-    MiniHS2.Builder miniHS2Builder = new MiniHS2.Builder()
-                                              .withConf(hiveConf)
-                                              .withMiniKdc(hivePrincipal, 
hiveKeytab)
-                                              
.withAuthenticationType(authType);
-    if (HiveServer2.isHTTPTransportMode(hiveConf)) {
-      miniHS2Builder.withHTTPTransport();
-    }
-    return miniHS2Builder.build();
+   String hivePrincipal =
+       
miniHiveKdc.getFullyQualifiedServicePrincipal(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+   String hiveKeytab = miniHiveKdc.getKeyTabFile(
+       
miniHiveKdc.getServicePrincipalForUser(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL));
+
+   return new MiniHS2.Builder().withConf(hiveConf).withMiniKdc(hivePrincipal, 
hiveKeytab).
+       withAuthenticationType(authType).build();
  }
 
   /**
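Review bot: The restored `getMiniHS2WithKerb` body is indented with one and three spaces, while the Javadoc above it and the next member in this hunk use a two-space indent. Re-indent the method to match, and break the builder chain before each call instead of leaving a trailing `.` at the end of a line, e.g. `return new MiniHS2.Builder()` followed by `.withConf(hiveConf)` and the rest on their own lines. The helper also no longer calls `withHTTPTransport()`, so a caller that selects HTTP mode in `hiveConf` presumably has to set up the transport itself. The Javadoc, which starts outside this hunk, should say so in one sentence.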
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestImproperTrustDomainAuthenticationBinary.java
 
b/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestImproperTrustDomainAuthenticationBinary.java
deleted file mode 100644
index b7a8bec..0000000
--- 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestImproperTrustDomainAuthenticationBinary.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hive.service.auth;
-
-import org.junit.BeforeClass;
-
-public class TestImproperTrustDomainAuthenticationBinary extends 
TrustDomainAuthenticationTest {
-
-    @BeforeClass
-    public static void setUp() throws Exception {
-        initialize(HS2_TRANSPORT_MODE_BINARY, false);
-    }
-}
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestImproperTrustDomainAuthenticationHttp.java
 
b/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestImproperTrustDomainAuthenticationHttp.java
deleted file mode 100644
index 57bcf4f..0000000
--- 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestImproperTrustDomainAuthenticationHttp.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hive.service.auth;
-
-import org.junit.BeforeClass;
-
-public class TestImproperTrustDomainAuthenticationHttp extends 
TrustDomainAuthenticationTest {
-
-    @BeforeClass
-    public static void setUp() throws Exception {
-        initialize(HS2_TRANSPORT_MODE_HTTP, false);
-    }
-}
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestTrustDomainAuthenticationBinary.java
 
b/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestTrustDomainAuthenticationBinary.java
deleted file mode 100644
index 8f6d0b5..0000000
--- 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestTrustDomainAuthenticationBinary.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hive.service.auth;
-
-import org.junit.BeforeClass;
-
-public class TestTrustDomainAuthenticationBinary extends 
TrustDomainAuthenticationTest {
-
-    @BeforeClass
-    public static void setUp() throws Exception {
-        initialize(HS2_TRANSPORT_MODE_BINARY, true);
-    }
-}
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestTrustDomainAuthenticationHttp.java
 
b/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestTrustDomainAuthenticationHttp.java
deleted file mode 100644
index 50b195a..0000000
--- 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TestTrustDomainAuthenticationHttp.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hive.service.auth;
-
-import org.junit.BeforeClass;
-
-public class TestTrustDomainAuthenticationHttp extends 
TrustDomainAuthenticationTest {
-
-    @BeforeClass
-    public static void setUp() throws Exception {
-        initialize(HS2_TRANSPORT_MODE_HTTP, true);
-    }
-}
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TrustDomainAuthenticationTest.java
 
b/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TrustDomainAuthenticationTest.java
deleted file mode 100644
index 3eba95c..0000000
--- 
a/itests/hive-unit/src/test/java/org/apache/hive/service/auth/TrustDomainAuthenticationTest.java
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hive.service.auth;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hive.service.server.HiveServer2;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.security.sasl.AuthenticationException;
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.Map;
-
-public class TrustDomainAuthenticationTest {
-  private static final Logger LOG = 
LoggerFactory.getLogger(TrustDomainAuthenticationTest.class);
-  private static HiveServer2 hiveserver2;
-  private static HiveConf hiveConf;
-  private static byte[] hiveConfBackup;
-  private static String correctUser = "hive";
-  private static String correctPassword = "passwd";
-  private static String wrongPassword = "wrong_password";
-  private static String wrongUser = "wrong_user";
-  static final String HS2_TRANSPORT_MODE_BINARY = "binary";
-  static final String HS2_TRANSPORT_MODE_HTTP = "http";
-  private static String hs2TransportMode;
-  private static boolean properTrustedDomain;
-
-  static void initialize(String transportMode, boolean useProperTrustedDomain) 
throws Exception {
-    Assert.assertNotNull(transportMode);
-    Assert.assertTrue(transportMode.equals(HS2_TRANSPORT_MODE_HTTP) ||
-            transportMode.equals(HS2_TRANSPORT_MODE_BINARY));
-    hs2TransportMode = transportMode;
-    properTrustedDomain = useProperTrustedDomain;
-
-    hiveConf = new HiveConf();
-    ByteArrayOutputStream baos = new ByteArrayOutputStream();
-    hiveConf.writeXml(baos);
-    baos.close();
-    hiveConfBackup = baos.toByteArray();
-    hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE, 
hs2TransportMode);
-    hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION, "CUSTOM");
-
-    // These tests run locally and hence all connections are from localhost. 
So, when we want to
-    // test whether trusted domain setting works, use "localhost". When we 
want to test
-    // otherwise, use some string other than that. Other authentication tests 
test empty trusted
-    // domain so that's not covered under these tests.
-    hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_TRUSTED_DOMAIN,
-            properTrustedDomain ? "localhost" : "no_such_domain");
-    hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS,
-            
"org.apache.hive.service.auth.TrustDomainAuthenticationTest$SimpleAuthenticationProviderImpl");
-    FileOutputStream fos = new FileOutputStream(new 
File(hiveConf.getHiveSiteLocation().toURI()));
-    hiveConf.writeXml(fos);
-    fos.close();
-    hiveserver2 = new HiveServer2();
-    hiveserver2.init(hiveConf);
-    hiveserver2.start();
-    Thread.sleep(1000);
-    LOG.info("hiveServer2 start ......");
-  }
-
-  @AfterClass
-  public static void tearDown() throws Exception {
-    if(hiveConf != null && hiveConfBackup != null) {
-      FileOutputStream fos = new FileOutputStream(new 
File(hiveConf.getHiveSiteLocation().toURI()));
-      fos.write(hiveConfBackup);
-      fos.close();
-    }
-    if (hiveserver2 != null) {
-      hiveserver2.stop();
-      hiveserver2 = null;
-    }
-    Thread.sleep(1000);
-    LOG.info("hiveServer2 stop ......");
-  }
-
-  // TODO: This test doesn't work since getRemoteHost returns IP address 
instead of a host name
-  @Test
-  public void testTrustedDomainAuthentication() throws Exception {
-    String port = "10000";
-    String urlExtra = "";
-    if (hs2TransportMode.equals(HS2_TRANSPORT_MODE_HTTP)) {
-      port = "10001";
-      urlExtra = ";transportMode=http;httpPath=cliservice";
-    }
-
-    String url = "jdbc:hive2://localhost:" + port + "/default" + urlExtra;
-    Class.forName("org.apache.hive.jdbc.HiveDriver");
-
-    if (properTrustedDomain) {
-      testProperTrustedDomainAuthentication(url);
-    } else {
-      testImproperTrustedDomainAuthentication(url);
-    }
-  }
-
-  private void testProperTrustedDomainAuthentication(String url) throws 
SQLException {
-    // When the connection is from a trusted domain any connection is 
authentic irrespective of
-    // user and password
-    Connection connection = DriverManager.getConnection(url, correctUser, 
correctPassword);
-    connection.close();
-
-    connection = DriverManager.getConnection(url, wrongUser, correctPassword);
-    connection.close();
-
-    connection = DriverManager.getConnection(url, wrongUser, wrongPassword);
-    connection.close();
-
-    connection = DriverManager.getConnection(url, correctUser, wrongPassword);
-    connection.close();
-  }
-
-  private void testImproperTrustedDomainAuthentication(String url) throws 
Exception {
-    // When trusted domain doesn't match requests domain, only the connection 
with correct user
-    // and password goes through.
-    Connection connection = DriverManager.getConnection(url, correctUser, 
correctPassword);
-    connection.close();
-
-    String partErrorMessage = "Peer indicated failure: Error validating the 
login";
-    if (hs2TransportMode.equals(HS2_TRANSPORT_MODE_HTTP)) {
-      partErrorMessage = "HTTP Response code: 401";
-    }
-
-    try (Connection conn = DriverManager.getConnection(url, wrongUser, 
correctPassword)) {
-      Assert.fail("Expected Exception");
-    } catch (SQLException e) {
-      Assert.assertNotNull(e.getMessage());
-      Assert.assertTrue(e.getMessage(), 
e.getMessage().contains(partErrorMessage));
-    }
-
-    try (Connection conn = DriverManager.getConnection(url, wrongUser, 
wrongPassword)) {
-      Assert.fail("Expected Exception");
-    } catch (SQLException e) {
-      Assert.assertNotNull(e.getMessage());
-      Assert.assertTrue(e.getMessage(), 
e.getMessage().contains(partErrorMessage));
-    }
-
-    try (Connection conn = DriverManager.getConnection(url, correctUser, 
wrongPassword)) {
-      Assert.fail("Expected Exception");
-    } catch (SQLException e) {
-      Assert.assertNotNull(e.getMessage());
-      Assert.assertTrue(e.getMessage(), 
e.getMessage().contains(partErrorMessage));
-    }
-  }
-
-  public static class SimpleAuthenticationProviderImpl implements 
PasswdAuthenticationProvider {
-
-    private Map<String, String> userMap = new HashMap<String, String>();
-
-    public SimpleAuthenticationProviderImpl() {
-      init();
-    }
-
-    private void init(){
-      userMap.put(correctUser, correctPassword);
-    }
-
-    @Override
-    public void Authenticate(String user, String password) throws 
AuthenticationException {
-
-      if(!userMap.containsKey(user)){
-        throw new AuthenticationException("Invalid user : "+user);
-      }
-      if(!userMap.get(user).equals(password)){
-        throw new AuthenticationException("Invalid passwd : "+password);
-      }
-    }
-  }
-}
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index e07cd7e..f5f6d49 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -161,11 +161,6 @@ public class HiveAuthFactory {
     } else {
       throw new LoginException("Unsupported authentication type " + 
authTypeStr);
     }
-
-    String trustedDomain = HiveConf.getVar(conf, 
ConfVars.HIVE_SERVER2_TRUSTED_DOMAIN).trim();
-    if (!trustedDomain.isEmpty()) {
-      transportFactory = 
PlainSaslHelper.getDualPlainTransportFactory(transportFactory, trustedDomain);
-    }
     return transportFactory;
   }
 
diff --git a/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 
b/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
index 0742311..13a1a38 100644
--- a/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
+++ b/service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
@@ -18,7 +18,6 @@
 package org.apache.hive.service.auth;
 
 import java.io.IOException;
-import java.net.InetAddress;
 import java.security.Security;
 import java.util.HashMap;
 
@@ -40,14 +39,10 @@ import org.apache.thrift.TProcessor;
 import org.apache.thrift.TProcessorFactory;
 import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TSaslServerTransport;
-import org.apache.thrift.transport.TSocket;
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 public final class PlainSaslHelper {
-  private static final Logger LOG = 
LoggerFactory.getLogger(PlainSaslHelper.class);
 
   public static TProcessorFactory getPlainProcessorFactory(ThriftCLIService 
service) {
     return new SQLPlainProcessorFactory(service);
@@ -70,65 +65,16 @@ public final class PlainSaslHelper {
     return saslFactory;
   }
 
-  static TTransportFactory getDualPlainTransportFactory(TTransportFactory 
otherTrans,
-                                                        String trustedDomain)
-          throws LoginException {
-    LOG.info("Created additional transport factory for skipping authentication 
when client " +
-            "connection is from the same domain.");
-    return new DualSaslTransportFactory(otherTrans, trustedDomain);
-  }
-
   public static TTransport getPlainTransport(String username, String password,
     TTransport underlyingTransport) throws SaslException {
     return new TSaslClientTransport("PLAIN", null, null, null, new 
HashMap<String, String>(),
       new PlainCallbackHandler(username, password), underlyingTransport);
   }
 
-  // Return true if the remote host is from the trusted domain, i.e. host URL 
has the same
-  // suffix as the trusted domain.
-  static public boolean isHostFromTrustedDomain(String remoteHost, String 
trustedDomain) {
-    return remoteHost.endsWith(trustedDomain);
-  }
-
   private PlainSaslHelper() {
     throw new UnsupportedOperationException("Can't initialize class");
   }
 
-  static final class DualSaslTransportFactory extends TTransportFactory {
-    TTransportFactory otherFactory;
-    TTransportFactory noAuthFactory;
-    String trustedDomain;
-
-    DualSaslTransportFactory(TTransportFactory otherFactory, String 
trustedDomain)
-            throws LoginException {
-      this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
-      this.otherFactory = otherFactory;
-      this.trustedDomain = trustedDomain;
-    }
-
-    @Override
-    public TTransport getTransport(final TTransport trans) {
-      TSocket tSocket = null;
-      // Attempt to avoid authentication if only we can fetch the client IP 
address and it
-      // happens to be from the same domain as the server.
-      if (trans instanceof TSocket) {
-        tSocket = (TSocket) trans;
-      } else if (trans instanceof TSaslServerTransport) {
-        TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
-        tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
-      }
-      String remoteHost = tSocket != null ?
-              tSocket.getSocket().getInetAddress().getCanonicalHostName() : 
null;
-      if (remoteHost != null && isHostFromTrustedDomain(remoteHost, 
trustedDomain)) {
-        LOG.info("No authentication performed because the connecting host " + 
remoteHost + " is " +
-                "from the trusted domain " + trustedDomain);
-        return noAuthFactory.getTransport(trans);
-      }
-
-      return otherFactory.getTransport(trans);
-    }
-  }
-
   public static final class PlainServerCallbackHandler implements 
CallbackHandler {
 
     private final AuthMethods authMethod;
diff --git 
a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 
b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index 292723e..ff8f268 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -52,7 +52,6 @@ import org.apache.hive.service.auth.HiveAuthFactory;
 import org.apache.hive.service.auth.HttpAuthUtils;
 import org.apache.hive.service.auth.HttpAuthenticationException;
 import org.apache.hive.service.auth.PasswdAuthenticationProvider;
-import org.apache.hive.service.auth.PlainSaslHelper;
 import org.apache.hive.service.auth.ldap.HttpEmptyAuthenticationException;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.cli.session.SessionManager;
@@ -138,9 +137,6 @@ public class ThriftHttpServlet extends TServlet {
           return;
         }
       }
-
-      clientIpAddress = request.getRemoteAddr();
-      LOG.debug("Client IP Address: " + clientIpAddress);
       // If the cookie based authentication is already enabled, parse the
       // request and validate the request cookies.
       if (isCookieAuthEnabled) {
@@ -150,42 +146,25 @@ public class ThriftHttpServlet extends TServlet {
           LOG.info("Could not validate cookie sent, will try to generate a new 
cookie");
         }
       }
-      // If the cookie based authentication is not enabled or the request does 
not have a valid
-      // cookie, use authentication depending on the server setup.
+      // If the cookie based authentication is not enabled or the request does
+      // not have a valid cookie, use the kerberos or password based 
authentication
+      // depending on the server setup.
       if (clientUserName == null) {
-        String trustedDomain = HiveConf.getVar(hiveConf, 
ConfVars.HIVE_SERVER2_TRUSTED_DOMAIN).trim();
-
-        // Skip authentication if the connection is from the trusted domain, 
if specified.
-        // getRemoteHost may or may not return the FQDN of the remote host 
depending upon the
-        // HTTP server configuration. So, force a reverse DNS lookup.
-        String remoteHostName =
-                
InetAddress.getByName(request.getRemoteHost()).getCanonicalHostName();
-        if (!trustedDomain.isEmpty() &&
-                PlainSaslHelper.isHostFromTrustedDomain(remoteHostName, 
trustedDomain)) {
-          LOG.info("No authentication performed because the connecting host " 
+ remoteHostName +
-                  " is from the trusted domain " + trustedDomain);
-          // In order to skip authentication, we use auth type NOSASL to be 
consistent with the
-          // HiveAuthFactory defaults. In HTTP mode, it will also get us the 
user name from the
-          // HTTP request header.
-          clientUserName = doPasswdAuth(request, 
HiveAuthConstants.AuthTypes.NOSASL.getAuthName());
-        } else {
-          // For a kerberos setup
-          if (isKerberosAuthMode(authType)) {
-            String delegationToken = 
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
-            // Each http request must have an Authorization header
-            if ((delegationToken != null) && (!delegationToken.isEmpty())) {
-              clientUserName = doTokenAuth(request, response);
-            } else {
-              clientUserName = doKerberosAuth(request);
-            }
-          }
-          // For password based authentication
-          else {
-            clientUserName = doPasswdAuth(request, authType);
+        // For a kerberos setup
+        if (isKerberosAuthMode(authType)) {
+          String delegationToken = 
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
+          // Each http request must have an Authorization header
+          if ((delegationToken != null) && (!delegationToken.isEmpty())) {
+            clientUserName = doTokenAuth(request, response);
+          } else {
+            clientUserName = doKerberosAuth(request);
           }
         }
+        // For password based authentication
+        else {
+          clientUserName = doPasswdAuth(request, authType);
+        }
       }
-      assert (clientUserName != null);
       LOG.debug("Client username: " + clientUserName);
 
       // Set the thread local username to be used for doAs if true
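Review bot: After this change nothing visible in the hunk guarantees that `clientUserName` is non-null before it is logged and handed to the thread-local setup that follows. The revert drops `assert (clientUserName != null);`, which only ran with assertions enabled anyway, and relies on `doTokenAuth`, `doKerberosAuth` and `doPasswdAuth` (all defined outside the hunk) to throw rather than return null. An explicit fail-closed check would make that contract local: `if (clientUserName == null) { throw new HttpAuthenticationException("Authentication did not yield a user name"); }`, assuming the enclosing handler already catches that exception type as it does for the other auth failures. Separately, the comment `// Each http request must have an Authorization header` sits above the delegation-token header test and describes neither branch; suggest `// Prefer delegation-token auth when the token header is present, else fall back to SPNEGO`. The enclosing method starts and ends outside this hunk.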
@@ -197,6 +176,8 @@ public class ThriftHttpServlet extends TServlet {
         SessionManager.setProxyUserName(doAsQueryParam);
       }
 
+      clientIpAddress = request.getRemoteAddr();
+      LOG.debug("Client IP Address: " + clientIpAddress);
       // Set the thread local ip address
       SessionManager.setIpAddress(clientIpAddress);
 
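Review bot: Because `clientIpAddress` is now read only after authentication has succeeded, the `LOG.debug("Client IP Address: " + clientIpAddress)` line never runs for a request that was rejected. If the failure handler (outside this hunk) does not log `request.getRemoteAddr()` itself, failed attempts cannot be tied to a source address from this servlet's logs. Either capture the address before the authentication block, or include it in the failure-path log message. A short comment should note that `getRemoteAddr()` reports the immediate peer, which is the proxy or load balancer when one fronts HiveServer2. As a style point, the parameterized form `LOG.debug("Client IP Address: {}", clientIpAddress);` avoids building the string when debug logging is off. The enclosing method starts and ends outside this hunk.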
