diff --git service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java index 1809e1b..110c6e0 100644 --- service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java +++ service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java @@ -77,7 +77,7 @@ public TTransportFactory getAuthTransFactory() throws LoginException { if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) { try { - transportFactory = saslServer.createTransportFactory(); + transportFactory = saslServer.createTransportFactory(conf); } catch (TTransportException e) { throw new LoginException(e.getMessage()); } diff --git shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java index f55ce03..66ea68c 100644 --- shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java +++ shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 
@@ -103,8 +103,27 @@ public Server createServer(String keytabFile, String principalConf) throws TTran @Override public TTransport createClientTransport( - String principalConfig, String host, - String methodStr, String tokenStrForm, TTransport underlyingTransport) + String principalConfig, String host, + String methodStr, String tokenStrForm, TTransport underlyingTransport) + throws IOException { + return createClientTransport(principalConfig, host, methodStr, + tokenStrForm, underlyingTransport, null); + } + + /** + * Create a client-side SASL transport that wraps an underlying transport. + * + * @param method The authentication method to use. Currently only KERBEROS is + * supported. + * @param serverPrincipal The Kerberos principal of the target server. + * @param underlyingTransport The underlying transport mechanism, usually a TSocket. + * @param conf The configuration used to initialize the transport. + */ + + @Override + public TTransport createClientTransport( + String principalConfig, String host, String methodStr, + String tokenStrForm, TTransport underlyingTransport, Configuration conf) throws IOException { AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr); @@ -129,6 +148,12 @@ public TTransport createClientTransport( "Kerberos principal name does NOT have the expected hostname part: " + serverPrincipal); } + + /* Initialize the SaslRpcServer to ensure QOP parameters are read from conf. */ + if (conf != null) { + SaslRpcServer.init(conf); + } + try { saslTransport = new TSaslClientTransport( method.getMechanismName(), 
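Review bot: The retained five-argument `createClientTransport` forwards `conf = null`, and the later hunk in this method skips `SaslRpcServer.init` when `conf` is null, so every caller that has not been migrated keeps whatever QOP was already in effect, with no log line or error to show it. The same applies to the no-argument `createTransportFactory()` in the `@@ -272,10 +297,21 @@` hunk. Marking both legacy overloads with `@deprecated use the overload taking a Configuration; this one does not apply the configured SASL QOP` would make the gap visible to callers. Separately, the new Javadoc documents `@param method` and `@param serverPrincipal`, which are not parameters of this signature; the tags should name `principalConfig`, `host`, `methodStr`, `tokenStrForm`, `underlyingTransport` and `conf`, and state that `conf` may be null.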
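Review bot: `SaslRpcServer.init(conf)` in the `@@ -129,6 +148,12 @@` hunk is a static call made on every transport creation, so the QOP it reads appears to land in process-wide state rather than in this transport; the server-side `createTransportFactory(Configuration)` hunk at `@@ -284,6 +320,11 @@` does the same. If so, two callers with different configurations in one JVM overwrite each other, and a null-conf caller inherits whatever the last initialised caller left behind, which makes the negotiated protection level depend on call order. Consider initialising once at service start-up, or building the SASL property map from `conf` locally and passing it to the transport constructor. At minimum, add a comment such as `// NOTE: SaslRpcServer.init mutates JVM-wide SASL properties; last caller wins`. The `TSaslClientTransport` construction continues past the end of the hunk, so which properties it actually receives is not visible here.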
@@ -272,10 +297,21 @@ protected Server(String keytabFile, String principalConf) * negotiates a Kerberized SASL transport. The resulting TTransportFactory * can be passed as both the input and output transport factory when * instantiating a TThreadPoolServer, for example. - * */ @Override - public TTransportFactory createTransportFactory() throws TTransportException + public TTransportFactory createTransportFactory() throws TTransportException { + return createTransportFactory(null); + } + + /** + * Create a TTransportFactory that, upon connection of a client socket, + * negotiates a Kerberized SASL transport. The resulting TTransportFactory + * can be passed as both the input and output transport factory when + * instantiating a TThreadPoolServer, for example. + * @param conf The configuration used to initialize the transport. + */ + @Override + public TTransportFactory createTransportFactory(Configuration conf) throws TTransportException { // Parse out the kerberos principal, host, realm. String kerberosName = realUgi.getUserName(); @@ -284,6 +320,11 @@ public TTransportFactory createTransportFactory() throws TTransportException throw new TTransportException("Kerberos principal should have 3 parts: " + kerberosName); } + /* Initialize the SaslRpcServer to ensure QOP parameters are read from conf. */ + if (conf != null) { + SaslRpcServer.init(conf); + } + TSaslServerTransport.Factory transFactory = new TSaslServerTransport.Factory(); transFactory.addServerDefinition( AuthMethod.KERBEROS.getMechanismName(), diff --git shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java index 9b0ec0a..5247f4d 100644 --- shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java +++ shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 
@@ -67,10 +67,16 @@ public abstract TTransport createClientTransport( String principalConfig, String host, String methodStr,String tokenStrForm, TTransport underlyingTransport) throws IOException; + + public abstract TTransport createClientTransport( + String principalConfig, String host, String methodStr, + String tokenStrForm, TTransport underlyingTransport, Configuration conf) + throws IOException; } public static abstract class Server { public abstract TTransportFactory createTransportFactory() throws TTransportException; + public abstract TTransportFactory createTransportFactory(Configuration conf) throws TTransportException; public abstract TProcessor wrapProcessor(TProcessor processor); public abstract TProcessor wrapNonAssumingProcessor(TProcessor processor); public abstract InetAddress getRemoteAddress();
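Review bot: The two new abstract methods on `Client` and `Server` carry no Javadoc, so the contract for `conf` is undefined: the `HadoopThriftAuthBridge20S` implementation in this diff treats null as "skip QOP initialisation", but another implementation could just as well throw. Add a doc comment to each, for example `/** @param conf configuration supplying the SASL QOP settings; may be null, in which case QOP initialisation is skipped */`. Because the methods are abstract, any other subclass of `Client` or `Server` that is not part of this diff will stop compiling until it implements them; if such subclasses exist, that should be checked before merge.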