diff --git metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index 72eac98..bb487f7 100644
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -4375,7 +4375,7 @@ public static void startMetaStore(int port, HadoopThriftAuthBridge bridge,
 conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL));
 // start delegation token manager
 saslServer.startDelegationTokenSecretManager(conf);
- transFactory = saslServer.createTransportFactory();
+ transFactory = saslServer.createTransportFactory(conf);
 processor = saslServer.wrapProcessor(new ThriftHiveMetastore.Processor(
 newHMSHandler("new db based metaserver", conf)));
 LOG.info("Starting DB backed MetaStore Server in Secure Mode");
diff --git metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
index cef50f4..5aa5f44 100644
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
@@ -262,13 +262,13 @@ private void open() throws MetaException {
 if(tokenStrForm != null) {
 // authenticate using delegation tokens via the "DIGEST" mechanism
 transport = authBridge.createClientTransport(null, store.getHost(),
- "DIGEST", tokenStrForm, transport);
+ "DIGEST", tokenStrForm, transport, conf);
 } else {
 String principalConfig =
 conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL);
 transport = authBridge.createClientTransport(
 principalConfig, store.getHost(), "KERBEROS", null,
- transport);
+ transport, conf);
 }
 } catch (IOException ioe) {
 LOG.error("Couldn't create client transport", ioe);
diff --git service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index 1809e1b..110c6e0 100644
--- service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -77,7 +77,7 @@ public TTransportFactory getAuthTransFactory() throws LoginException {
 if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
 try {
- transportFactory = saslServer.createTransportFactory();
+ transportFactory = saslServer.createTransportFactory(conf);
 } catch (TTransportException e) {
 throw new LoginException(e.getMessage());
 }
diff --git shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
index 777226f..0ecbe72 100644
--- shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
+++ shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
@@ -103,8 +103,27 @@ public Server createServer(String keytabFile, String principalConf) throws TTran
 @Override
 public TTransport createClientTransport(
- String principalConfig, String host,
- String methodStr, String tokenStrForm, TTransport underlyingTransport)
+ String principalConfig, String host,
+ String methodStr, String tokenStrForm, TTransport underlyingTransport)
+ throws IOException {
+ return createClientTransport(principalConfig, host, methodStr,
+ tokenStrForm, underlyingTransport, null);
+ }
+
+ /**
+ * Create a client-side SASL transport that wraps an underlying transport.
+ *
+ * @param method The authentication method to use. Currently only KERBEROS is
+ * supported.
+ * @param serverPrincipal The Kerberos principal of the target server.
+ * @param underlyingTransport The underlying transport mechanism, usually a TSocket.
+ * @param conf The configuration used to initialize the transport.
+ */
+
+ @Override
+ public TTransport createClientTransport(
+ String principalConfig, String host, String methodStr,
+ String tokenStrForm, TTransport underlyingTransport, Configuration conf)
 throws IOException {
 AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr);
@@ -129,6 +148,12 @@ public TTransport createClientTransport(
 "Kerberos principal name does NOT have the expected hostname part: "
 + serverPrincipal);
 }
+
+ /* Initialize the SaslRpcServer to ensure QOP parameters are read from conf. */
+ if (conf != null) {
+ SaslRpcServer.init(conf);
+ }
+
 try {
 saslTransport = new TSaslClientTransport(
 method.getMechanismName(),
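Review bot: The Javadoc added above the six-argument `createClientTransport` names parameters the method does not have — `@param method` and `@param serverPrincipal` do not correspond to `methodStr`, `principalConfig` or `host`, and `tokenStrForm` is not documented at all — so javadoc will warn and a reader is pointed at the wrong names. Its statement that only KERBEROS is supported also contradicts the HiveMetaStoreClient hunk in this same patch, which passes "DIGEST" with a delegation token through this overload. I would rewrite the tags as `@param principalConfig`, `@param host`, `@param methodStr` (the AuthMethod name, KERBEROS or DIGEST), `@param tokenStrForm` (delegation token in string form for DIGEST; presumably null for KERBEROS — confirm), and on `@param conf` state what it is read for (the SASL QOP settings) and that the five-argument overload passes null, since that is the behavior callers of the old signature now silently get. The blank line between the closing `*/` and `@Override` should also go so the comment visibly belongs to the declaration. The method body continues past the end of this hunk.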
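Review bot: `SaslRpcServer.init(conf)` is placed after the Kerberos-specific principal-parts check, which suggests it sits inside the KERBEROS branch of this method; if the DIGEST path (now also handed `conf` by the metastore client hunk for delegation-token connections) returns before this point, token-based clients never apply the configured QOP and negotiate with whatever SASL properties happen to be in effect. Hoisting the block to the top of the method, directly after `AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr);`, would cover both mechanisms. `SaslRpcServer.init` presumably updates process-wide static SASL properties rather than anything scoped to this transport, so concurrent clients built with different confs would race on last-writer-wins; if so, say it in the comment, e.g. `// NOTE: init() mutates JVM-global SASL properties; the last conf passed wins for every client in this process.` The enclosing method continues outside the hunk.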
@@ -272,10 +297,21 @@ protected Server(String keytabFile, String principalConf) * negotiates a Kerberized SASL transport. The resulting TTransportFactory * can be passed as both the input and output transport factory when * instantiating a TThreadPoolServer, for example. - * */ @Override - public TTransportFactory createTransportFactory() throws TTransportException + public TTransportFactory createTransportFactory() throws TTransportException { + return createTransportFactory(null); + } + + /** + * Create a TTransportFactory that, upon connection of a client socket, + * negotiates a Kerberized SASL transport. The resulting TTransportFactory + * can be passed as both the input and output transport factory when + * instantiating a TThreadPoolServer, for example. + * @param conf The configuration used to initialize the transport. + */ + @Override + public TTransportFactory createTransportFactory(Configuration conf) throws TTransportException { // Parse out the kerberos principal, host, realm. String kerberosName = realUgi.getUserName(); @@ -284,6 +320,11 @@ public TTransportFactory createTransportFactory() throws TTransportException throw new TTransportException("Kerberos principal should have 3 parts: " + kerberosName); } + /* Initialize the SaslRpcServer to ensure QOP parameters are read from conf. */ + if (conf != null) { + SaslRpcServer.init(conf); + } + TSaslServerTransport.Factory transFactory = new TSaslServerTransport.Factory(); transFactory.addServerDefinition( AuthMethod.KERBEROS.getMechanismName(), diff --git shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java index 9b0ec0a..5247f4d 100644 --- shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java +++ shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 
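Review bot: The retained no-argument `createTransportFactory()` now delegates with `null`, which skips QOP initialization entirely, so a server started through it negotiates with whatever SASL properties are already in place rather than those in its configuration — and neither the old nor the new Javadoc says so. I would mark it `@Deprecated` with `@deprecated use {@link #createTransportFactory(Configuration)}; this overload does not initialize the SASL QOP from configuration, so the transport may be negotiated without integrity or privacy protection.` The new overload's Javadoc should likewise state what `conf` is read for (the QOP settings, presumably `hadoop.rpc.protection` — confirm) and that a null `conf` leaves the current SASL settings untouched. The method body continues past the end of this hunk.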
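Review bot: Silently skipping `SaslRpcServer.init` when `conf` is null leaves the server's SASL QOP at whatever was previously set, and the server is where the protection level is actually enforced, so a legacy or misconfigured caller ends up with an authentication-only transport with nothing in the logs to show it. At minimum log the skipped branch, e.g. `else { LOG.warn("No configuration supplied; SASL QOP not initialized from conf"); }` (assuming this class has a logger — the hunk does not show one), or treat a null conf as a TTransportException here and have the no-arg overload supply an explicit configuration instead. The comment on the block should also note that `init` presumably applies globally, so the QOP it sets affects every SASL server definition in this JVM rather than only the factory built here. The method continues past the end of the hunk.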
@@ -67,10 +67,16 @@ public abstract TTransport createClientTransport(
 String principalConfig, String host, String methodStr,String tokenStrForm, TTransport underlyingTransport) throws IOException;
+
+ public abstract TTransport createClientTransport(
+ String principalConfig, String host, String methodStr,
+ String tokenStrForm, TTransport underlyingTransport, Configuration conf)
+ throws IOException;
 }
 public static abstract class Server {
 public abstract TTransportFactory createTransportFactory() throws TTransportException;
+ public abstract TTransportFactory createTransportFactory(Configuration conf) throws TTransportException;
 public abstract TProcessor wrapProcessor(TProcessor processor);
 public abstract TProcessor wrapNonAssumingProcessor(TProcessor processor);
 public abstract InetAddress getRemoteAddress();
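Review bot: The two new abstract methods on `Client` and `Server` carry no Javadoc, so an implementer of another shim (if any exists beyond HadoopThriftAuthBridge20S — not visible here) is not told that `conf` is consulted for the SASL QOP settings or that a null `conf` must be accepted and means "leave the current SASL properties unchanged", which is exactly the contract the 20S implementation relies on. Adding an abstract method also breaks any out-of-tree subclass at compile time; if that matters, a concrete default that delegates to the existing overload would be the compatible choice. I would add above the client method: `/** As {@link #createClientTransport(String, String, String, String, TTransport)}, additionally initializing the SASL QOP from conf; a null conf leaves the current SASL settings in place. */` and the corresponding sentence on `createTransportFactory(Configuration)`.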