[hive] branch master updated: HIVE-21009: Adding ability for user to set bind user (David McGinnis reviewed by Prasanth Jayachandran) (addendum)

2019-02-06 Thread prasanthj
This is an automated email from the ASF dual-hosted git repository.

prasanthj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
 new 6508716  HIVE-21009: Adding ability for user to set bind user (David 
McGinnis reviewed by Prasanth Jayachandran) (addendum)
6508716 is described below

commit 650871623ef435d359c07d4c90d76c439c45e976
Author: David McGinnis <656337+davidov...@users.noreply.github.com>
AuthorDate: Wed Feb 6 22:22:20 2019 -0800

HIVE-21009: Adding ability for user to set bind user (David McGinnis 
reviewed by Prasanth Jayachandran) (addendum)
---
 service/src/test/resources/creds/test.jceks | Bin 0 -> 534 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/service/src/test/resources/creds/test.jceks 
b/service/src/test/resources/creds/test.jceks
new file mode 100755
index 000..8d58c41
Binary files /dev/null and b/service/src/test/resources/creds/test.jceks differ



[hive] branch master updated: HIVE-21009: Adding ability for user to set bind user (David McGinnis reviewed by Prasanth Jayachandran)

2019-02-06 Thread prasanthj
This is an automated email from the ASF dual-hosted git repository.

prasanthj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
 new 0e4d16b  HIVE-21009: Adding ability for user to set bind user (David 
McGinnis reviewed by Prasanth Jayachandran)
0e4d16b is described below

commit 0e4d16b462bf9abd7ec58e60936e24ee4302736c
Author: David McGinnis <656337+davidov...@users.noreply.github.com>
AuthorDate: Wed Feb 6 14:52:16 2019 -0800

HIVE-21009: Adding ability for user to set bind user (David McGinnis 
reviewed by Prasanth Jayachandran)
---
 .../java/org/apache/hadoop/hive/conf/HiveConf.java |  10 ++
 service/pom.xml|  11 ++
 .../auth/LdapAuthenticationProviderImpl.java   |  32 +-
 .../auth/TestLdapAuthenticationProviderImpl.java   | 113 +
 4 files changed, 164 insertions(+), 2 deletions(-)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index a3b03ca..2156ff1 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3499,6 +3499,16 @@ public class HiveConf extends Configuration {
 "For example: 
(&(objectClass=group)(objectClass=top)(instanceType=4)(cn=Domain*)) \n" +
 "(&(objectClass=person)(|(sAMAccountName=admin)(|(memberOf=CN=Domain 
Admins,CN=Users,DC=domain,DC=com)" +
 "(memberOf=CN=Administrators,CN=Builtin,DC=domain,DC=com"),
+
HIVE_SERVER2_PLAIN_LDAP_BIND_USER("hive.server2.authentication.ldap.binddn", 
null,
+"The user with which to bind to the LDAP server, and search for the 
full domain name " +
+"of the user being authenticated.\n" +
+"This should be the full domain name of the user, and should have 
search access across all " +
+"users in the LDAP tree.\n" +
+"If not specified, then the user being authenticated will be used as 
the bind user.\n" +
+"For example: CN=bindUser,CN=Users,DC=subdomain,DC=domain,DC=com"),
+
HIVE_SERVER2_PLAIN_LDAP_BIND_PASSWORD("hive.server2.authentication.ldap.bindpw",
 null,
+"The password for the bind user, to be used to search for the full 
name of the user being authenticated.\n" +
+"If the username is specified, this parameter must also be 
specified."),
 
HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS("hive.server2.custom.authentication.class",
 null,
 "Custom authentication class. Used when property\n" +
 "'hive.server2.authentication' is set to 'CUSTOM'. Provided class\n" +
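Review bot: The description added for `hive.server2.authentication.ldap.bindpw` says the password "must also be specified" when the bind user is set, but the Authenticate hunk in LdapAuthenticationProviderImpl.java only computes `boolean usedBind = bindUser != null && bindPassword != null;` and otherwise falls back silently to binding as the authenticating user, and the `IOException` from `getPassword` is swallowed in the same hunk, so a missing or unreadable bind password degrades to the legacy behavior without any log line. Either the provider should fail loudly on a half-configured bind, or this description should state what actually happens, e.g. `"If the bind user is set but no password is available, the authenticator falls back to binding as the user being authenticated."`. Since the value is read through `conf.getPassword(...)` rather than `getVar`, it is also worth saying here that it can be supplied through a Hadoop credential provider instead of in clear text in hive-site.xml, which is presumably what the addendum's test.jceks exercises. The Authenticate method's body continues past the end of this message, so the rest of the fallback branch is not visible.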
diff --git a/service/pom.xml b/service/pom.xml
index eca6f3b..30b7398 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -36,6 +36,17 @@
 
 
   org.apache.hive
+  hive-common
+  ${project.version}
+  
+
+  org.eclipse.jetty.aggregate
+  jetty-all
+
+  
+
+
+  org.apache.hive
   hive-exec
   ${project.version}
 
diff --git 
a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
 
b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
index 73bbb6b..0120513 100644
--- 
a/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
+++ 
b/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -18,9 +18,10 @@
 package org.apache.hive.service.auth;
 
 import javax.security.sasl.AuthenticationException;
-
+import javax.naming.NamingException;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
+import java.io.IOException;
 import java.util.Iterator;
 import java.util.List;
 import org.apache.commons.lang.StringUtils;
@@ -68,9 +69,36 @@ public class LdapAuthenticationProviderImpl implements 
PasswdAuthenticationProvi
   @Override
   public void Authenticate(String user, String password) throws 
AuthenticationException {
 DirSearch search = null;
+String bindUser = 
this.conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BIND_USER);
+String bindPassword = null;
+try {
+  char[] rawPassword = 
this.conf.getPassword(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BIND_PASSWORD.toString());
+  if (rawPassword != null) {
+bindPassword = new String(rawPassword);
+  }
+} catch (IOException e) {
+  bindPassword = null;
+}
+boolean usedBind = bindUser != null && bindPassword != null;
+if (!usedBind) {
+  // If no bind user or bind password was specified,
+  // we assume the user we are authenticating has the ability to search
+  // the LDAP tree, so we use it as the "binding" account.
+  // This is the way it worked before bind users were allowed in the LDAP 
authenticator,
+  // so we keep existing systems working.
+