Repository: hive Updated Branches: refs/heads/branch-2.1 19192a631 -> e2da0e163 refs/heads/master 2de64b0b0 -> 4d349dadb
HIVE-14136 : LLAP ZK SecretManager should resolve _HOST in principal (Sergey Shelukhin, reviewed by Siddharth Seth) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/4d349dad Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/4d349dad Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/4d349dad Branch: refs/heads/master Commit: 4d349dadb2c6103b8b1f50226f2384b519dcc59b Parents: 2de64b0 Author: Sergey Shelukhin <ser...@apache.org> Authored: Thu Jun 30 16:00:04 2016 -0700 Committer: Sergey Shelukhin <ser...@apache.org> Committed: Thu Jun 30 16:00:04 2016 -0700 ---------------------------------------------------------------------- .../hadoop/hive/llap/security/SecretManager.java | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/4d349dad/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java ----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
index 9431e4f..f43e74d 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
@@ -34,6 +34,7 @@ import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.llap.LlapUtil;
 import org.apache.hadoop.hive.llap.security.LlapTokenIdentifier;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.DelegationKey;
@@ -44,8 +45,6 @@ import org.apache.zookeeper.data.Id; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.protobuf.ByteString; - public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdentifier> implements SigningSecretManager { private static final Logger LOG = LoggerFactory.getLogger(SecretManager.class); @@ -63,6 +62,7 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent @Override public void startThreads() throws IOException { + LOG.info("Starting ZK threads as user " + UserGroupInformation.getCurrentUser()); super.startThreads(); if (!HiveConf.getBoolVar(conf, ConfVars.LLAP_VALIDATE_ACLS) || !UserGroupInformation.isSecurityEnabled()) return; @@ -154,7 +154,12 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent conf, ConfVars.LLAP_DELEGATION_TOKEN_LIFETIME, TimeUnit.SECONDS); zkConf.setLong(DelegationTokenManager.MAX_LIFETIME, tokenLifetime); zkConf.setLong(DelegationTokenManager.RENEW_INTERVAL, tokenLifetime); - zkConf.set(SecretManager.ZK_DTSM_ZK_KERBEROS_PRINCIPAL, principal); + try { + zkConf.set(SecretManager.ZK_DTSM_ZK_KERBEROS_PRINCIPAL, + SecurityUtil.getServerPrincipal(principal, "0.0.0.0")); + } catch (IOException e) { + throw new RuntimeException(e); + } zkConf.set(SecretManager.ZK_DTSM_ZK_KERBEROS_KEYTAB, keyTab); String zkPath = "zkdtsm_" + clusterId; LOG.info("Using {} as ZK secret manager path", zkPath); 
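Review bot: The `LOG.info` added at the top of startThreads builds its message by string concatenation, while this class already logs with SLF4J placeholders elsewhere (`LOG.info("Using {} as ZK secret manager path", zkPath)`); `LOG.info("Starting ZK threads as user {}", UserGroupInformation.getCurrentUser());` would match that style. `UserGroupInformation.getCurrentUser()` can also throw IOException, so a failure in what is only a diagnostic line would now abort startup before `super.startThreads()` runs; if that is intended, a short comment saying so would help. The body of startThreads continues past the end of this hunk.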
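Review bot: The `"0.0.0.0"` literal passed to `SecurityUtil.getServerPrincipal` in the new try block is undocumented. In Hadoop it is a sentinel that makes `_HOST` resolve to the local host's canonical name, so the value written to ZK_DTSM_ZK_KERBEROS_PRINCIPAL now depends on local name resolution. I would add a comment such as `// "0.0.0.0" tells SecurityUtil to substitute this host's FQDN for _HOST` and log the resolved principal, so that a mismatch with the keytab can be diagnosed from the log. The catch also rethrows a bare `RuntimeException(e)`; `throw new RuntimeException("Cannot resolve _HOST in principal " + principal, e);` would say which setting failed. The enclosing method starts and ends outside this hunk, so whether the Kerberos login for zkUgi uses the same resolved value cannot be checked from here.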
@@ -172,14 +177,14 @@ public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdent return new LlapZkConf(zkConf, zkUgi); } - public static SecretManager createSecretManager(final Configuration conf, String clusterId) { + public static SecretManager createSecretManager(Configuration conf, String clusterId) { String llapPrincipal = HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL), llapKeytab = HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE); return SecretManager.createSecretManager(conf, llapPrincipal, llapKeytab, clusterId); } public static SecretManager createSecretManager( - final Configuration conf, String llapPrincipal, String llapKeytab, final String clusterId) { + Configuration conf, String llapPrincipal, String llapKeytab, final String clusterId) { assert UserGroupInformation.isSecurityEnabled(); final LlapZkConf c = createLlapZkConf(conf, llapPrincipal, llapKeytab, clusterId); return c.zkUgi.doAs(new PrivilegedAction<SecretManager>() {