[GitHub] [hive] odraese commented on a change in pull request #648: HIVE-21783: Accept Hive connections from the same domain without authentication.

Fri, 31 May 2019 09:14:20 -0700 

odraese commented on a change in pull request #648: HIVE-21783: Accept Hive 
connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289455006
 
 

 ##########
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##########
 @@ -65,16 +70,65 @@ public static TTransportFactory 
getPlainTransportFactory(String authTypeStr)
     return saslFactory;
   }
 
+  static TTransportFactory getDualPlainTransportFactory(TTransportFactory 
otherTrans,
+                                                        String trustedDomain)
+          throws LoginException {
+    LOG.info("Created additional transport factory for skipping authentication 
when client " +
+            "connection is from the same domain.");
+    return new DualSaslTransportFactory(otherTrans, trustedDomain);
+  }
+
   public static TTransport getPlainTransport(String username, String password,
     TTransport underlyingTransport) throws SaslException {
     return new TSaslClientTransport("PLAIN", null, null, null, new 
HashMap<String, String>(),
       new PlainCallbackHandler(username, password), underlyingTransport);
   }
 
+  // Return true if the remote host is from the trusted domain, i.e. host URL 
has the same
+  // suffix as the trusted domain.
+  static public boolean isHostFromTrustedDomain(String remoteHost, String 
trustedDomain) {
+    return remoteHost.endsWith(trustedDomain);
+  }
+
   private PlainSaslHelper() {
     throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  static final class DualSaslTransportFactory extends TTransportFactory {
+    TTransportFactory otherFactory;
+    TTransportFactory noAuthFactory;
+    String trustedDomain;
+
+    DualSaslTransportFactory(TTransportFactory otherFactory, String 
trustedDomain)
+            throws LoginException {
+      this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+      this.otherFactory = otherFactory;
+      this.trustedDomain = trustedDomain;
+    }
+
+    @Override
+    public TTransport getTransport(final TTransport trans) {
+      TSocket tSocket = null;
+      // Attempt to avoid authentication if only we can fetch the client IP 
address and it
+      // happens to be from the same domain as the server.
+      if (trans instanceof TSocket) {
+        tSocket = (TSocket) trans;
+      } else if (trans instanceof TSaslServerTransport) {
+        TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
+        tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
+      }
+      String remoteHost = tSocket != null ?
+              tSocket.getSocket().getInetAddress().getCanonicalHostName() : 
null;
+      if (remoteHost != null && isHostFromTrustedDomain(remoteHost, 
trustedDomain)) {
+        LOG.info("No authentication performed because the connecting host " + 
remoteHost + " is " +
+                "from the trusted domain " + trustedDomain);
+        return noAuthFactory.getTransport(trans);
+      } else {
 
 Review comment:
   We don't need this else block. Just return the 
otherFactory.getTransport(trans)....

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to