This is an automated email from the ASF dual-hosted git repository.

pvary pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 877ff71  HIVE-22244: Added default ACLs for znodes on a non-kerberized 
cluster (Denys Kuzmenko reviewed by Prasanth Jayachandran, Gopal Vijayaraghavan 
and Peter Vary)
877ff71 is described below

commit 877ff71256ba4cd62f091bcc49b5c2047276c003
Author: denys kuzmenko <[email protected]>
AuthorDate: Mon Sep 30 11:53:03 2019 +0200

    HIVE-22244: Added default ACLs for znodes on a non-kerberized cluster 
(Denys Kuzmenko reviewed by Prasanth Jayachandran, Gopal Vijayaraghavan and 
Peter Vary)
---
 .../metastore/security/ZooKeeperTokenStore.java    | 36 +++++++++++++++++-----
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git 
a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
 
b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
index ba1f177..e8f2563 100644
--- 
a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
+++ 
b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.hive.metastore.security;
 
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -63,7 +62,7 @@ public class ZooKeeperTokenStore implements 
DelegationTokenStore {
   private volatile CuratorFramework zkSession;
   private String zkConnectString;
   private int connectTimeoutMillis;
-  private List<ACL> newNodeAcl = Arrays.asList(new ACL(Perms.ALL, 
Ids.AUTH_IDS));
+  private List<ACL> newNodeAcl;
 
   /**
    * ACLProvider permissions will be used in case parent dirs need to be 
created
@@ -81,6 +80,30 @@ public class ZooKeeperTokenStore implements 
DelegationTokenStore {
     }
   };
 
+  /**
+   * Default ACLs for CuratorFrameworkFactory.
+   */
+  private List<ACL> getDefaultAcl(Configuration conf) {
+    List<ACL> nodeAcls = new ArrayList<>();
+    if (isZkSecurityEnabled(conf)) {
+      nodeAcls.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
+    } else {
+      nodeAcls.addAll(Ids.OPEN_ACL_UNSAFE);
+    }
+    return nodeAcls;
+  }
+
+  /**
+   * Check if ZooKeeper is configured with Kerberos authentication.
+   */
+  private boolean isZkSecurityEnabled(Configuration conf) {
+    try {
+      return UserGroupInformation.getLoginUser().isFromKeytab() && 
!AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
+        getNonEmptyConfVar(conf, "hive.security.zookeeper.authentication"));
+    } catch (IOException e) {
+      return false;
+    }
+  }
 
   private final String WHEN_ZK_DSTORE_MSG = "when zookeeper based delegation 
token storage is enabled"
       + "(hive.cluster.delegation.token.store.class=" + 
ZooKeeperTokenStore.class.getName() + ")";
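Review bot: isZkSecurityEnabled turns an IOException from UserGroupInformation.getLoginUser() into `false`, and getDefaultAcl then selects Ids.OPEN_ACL_UNSAFE, so a transient login failure on a Kerberized cluster silently falls back to world-accessible ACLs on the token znodes; the same swallowed exception also makes setupJAASConfig (the @@ -112 hunk) skip its JAAS setup where the old inline check propagated the exception to the caller. At minimum the catch should not be silent — log it, or let the method declare `throws IOException` since setupJAASConfig already does; whether this class has a logger is not visible in the hunk. The Javadoc on getDefaultAcl should also name the trade-off, e.g. `Returns {@code AUTH_IDS} with all perms when ZooKeeper authentication is enabled, otherwise {@code OPEN_ACL_UNSAFE} (world-accessible), mirroring the cluster's security mode.`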
@@ -112,8 +135,7 @@ public class ZooKeeperTokenStore implements 
DelegationTokenStore {
   }
 
   private void setupJAASConfig(Configuration conf) throws IOException {
-    if (!UserGroupInformation.getLoginUser().isFromKeytab() || 
AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
-        getNonEmptyConfVar(conf, "hive.security.zookeeper.authentication"))) {
+    if (!isZkSecurityEnabled(conf)) {
       // The process has not logged in using keytab
       // this should be a test mode, can't use keytab to authenticate
       // with zookeeper.
@@ -455,10 +477,10 @@ public class ZooKeeperTokenStore implements 
DelegationTokenStore {
         conf.getInt(
             
MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_CONNECT_TIMEOUTMILLIS,
             CuratorFrameworkFactory.builder().getConnectionTimeoutMs());
+
     String aclStr = 
conf.get(MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_ACL, null);
-    if (StringUtils.isNotBlank(aclStr)) {
-      this.newNodeAcl = parseACLs(aclStr);
-    }
+    this.newNodeAcl = StringUtils.isNotBlank(aclStr)? parseACLs(aclStr) : 
getDefaultAcl(conf);
+
     rootNode =
         
conf.get(MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_ZNODE,
             
MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_ZNODE_DEFAULT) + 
serverMode;
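Review bot: The ternary on the `this.newNodeAcl = ...` line is missing the space before `?`: `this.newNodeAcl = StringUtils.isNotBlank(aclStr) ? parseACLs(aclStr) : getDefaultAcl(conf);`. Since the field initializer was removed in the @@ -63 hunk, newNodeAcl is now null until this assignment runs; if the ACL provider or any other path can read it before this init method completes, that is a new NPE — not checkable from the hunk. An INFO log of which ACL set was chosen would also let operators confirm that a non-Kerberized deployment is really meant to use OPEN_ACL_UNSAFE. The enclosing method starts and ends outside the hunk.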
