Author: ekoifman Date: Thu Oct 30 19:16:51 2014 New Revision: 1635594 URL: http://svn.apache.org/r1635594 Log: HIVE-8643 DDL operations via WebHCat with doAs parameter in secure cluster fail
Modified: hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
Modified: hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
URL: http://svn.apache.org/viewvc/hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java (original)
+++ hive/trunk/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java Thu Oct 30 19:16:51 2014
@@ -121,9 +121,9 @@ public class SecureProxySupport {
 if (isEnabled) {
 args.add("-D");
 args.add("hive.metastore.token.signature=" + getHcatServiceStr());
- args.add("-D");
- args.add("proxy.user.name=" + user);
 }
+ args.add("-D");
+ args.add("proxy.user.name=" + user);
 }
 class TokenWrapper {
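Review bot: With the `proxy.user.name` argument now added unconditionally, a null `user` would be concatenated as the literal string `null`, and the new check in HadoopShimsSecure.getUGIForConf (`doAs.length() > 0`) would accept that as a proxy user name. Whether `user` can be null or empty here is not visible, because the enclosing method starts above the hunk, so a guard is cheap insurance: wrap the two added calls in `if (user != null && !user.isEmpty()) { ... }`. A one-line comment saying why the property is passed even when security is disabled would also help the next reader.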
@@ -140,6 +140,7 @@ public class SecureProxySupport {
 ugi.doAs(new PrivilegedExceptionAction<Object>() {
 public Object run() throws IOException {
 FileSystem fs = FileSystem.get(conf);
+ //todo: according to JavaDoc this seems like private API: addDelegationToken should be used
 twrapper.token = fs.getDelegationToken(ugi.getShortUserName());
 return null;
 }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java Thu Oct 30 19:16:51 2014
@@ -30,6 +30,8 @@ import org.apache.hadoop.security.UserGr
 * but honours a proxy config setting proxy.user.name instead of the
 * current user if set. This allows server processes like webhcat which
 * proxy other users to easily specify an override if allowed.
+ *
+ * It is no longer necessary to use this class with WebHCat as of Hive 0.14.
 */
 public class ProxyUserAuthenticator extends HadoopDefaultAuthenticator {
Modified: hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
URL: http://svn.apache.org/viewvc/hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java?rev=1635594&r1=1635593&r2=1635594&view=diff
==============================================================================
--- hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java (original)
+++ hive/trunk/shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java Thu Oct 30 19:16:51 2014
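Review bot: The added TODO in the SecureProxySupport hunk names `addDelegationToken`, but the public Hadoop FileSystem method is, as far as I know, `addDelegationTokens(String renewer, Credentials credentials)`; the comment should name the method that is actually meant. A tracking issue would keep it from going stale, for example `// TODO(<JIRA-ID>): getDelegationToken is a private Hadoop API; switch to addDelegationTokens(renewer, credentials)`. The enclosing method starts and ends outside the hunk.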
@@ -463,6 +463,16 @@ public abstract class HadoopShimsSecure
 @Override
 public UserGroupInformation getUGIForConf(Configuration conf) throws IOException {
+ String doAs = conf.get("proxy.user.name");
+ if(doAs != null && doAs.length() > 0) {
+ /*
+ * this allows doAs (proxy user) to be passed along across process boundary where
+ * delegation tokens are not supported. For example, a DDL stmt via WebHCat with
+ * a doAs parameter, forks to 'hcat' which needs to start a Session that
+ * proxies the end user
+ */
+ return UserGroupInformation.createProxyUser(doAs, UserGroupInformation.getLoginUser());
+ }
 return UserGroupInformation.getCurrentUser();
 }
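Review bot: The new branch in getUGIForConf picks the effective identity from the `proxy.user.name` configuration value, and nothing at this site checks that the value was set by a trusted launcher rather than by whoever can influence the configuration. createProxyUser performs no authorization itself; presumably the hadoop.proxyuser.* rules on the receiving services are the real control, and the block comment should say so, for example `// SECURITY: proxy.user.name is trusted as-is; impersonation is only authorized downstream by the hadoop.proxyuser.* rules`. It is also worth confirming that the property cannot be overridden from inside a user session (Hive's `hive.conf.restricted.list` looks like the place for that). A whitespace-only value passes `doAs.length() > 0`; `!doAs.trim().isEmpty()` would reject it.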