diff --git shims/src/0.20/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java shims/src/0.20/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java index c9baa7f..1b43d8f 100644 --- shims/src/0.20/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java +++ shims/src/0.20/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java @@ -101,6 +101,11 @@ public void setTmpFiles(String prop, String files) { // gone in 20+ } + public String getKerberosShortName(String kerberosName) throws IOException { + // raise an exception + throw new IOException("Authentication is not supported with 0.20"); + } + /** * Returns a shim to wrap MiniMrCluster diff --git shims/src/0.20S/java/org/apache/hadoop/hive/shims/Hadoop20SShims.java shims/src/0.20S/java/org/apache/hadoop/hive/shims/Hadoop20SShims.java index e4a632d..5656ab1 100644 --- shims/src/0.20S/java/org/apache/hadoop/hive/shims/Hadoop20SShims.java +++ shims/src/0.20S/java/org/apache/hadoop/hive/shims/Hadoop20SShims.java @@ -34,6 +34,7 @@ import org.apache.hadoop.mapreduce.Job; import org.apache.hadoop.mapreduce.TaskAttemptID; import org.apache.hadoop.util.Progressable; +import org.apache.hadoop.security.KerberosName; /** * Implemention of shims against Hadoop 0.20 with Security. @@ -75,6 +76,11 @@ public void progress() { }; } + public String getKerberosShortName(String kerberosLongName) throws IOException { + KerberosName kerberosName = new KerberosName(kerberosLongName); + return kerberosName.getShortName(); + } + @Override public org.apache.hadoop.mapreduce.JobContext newJobContext(Job job) { return new org.apache.hadoop.mapreduce.JobContext(job.getConfiguration(), job.getJobID()); diff --git shims/src/0.23/java/org/apache/hadoop/hive/shims/Hadoop23Shims.java shims/src/0.23/java/org/apache/hadoop/hive/shims/Hadoop23Shims.java index 1975385..30ff713 100644 --- shims/src/0.23/java/org/apache/hadoop/hive/shims/Hadoop23Shims.java +++ shims/src/0.23/java/org/apache/hadoop/hive/shims/Hadoop23Shims.java @@ -40,6 +40,7 @@ import org.apache.hadoop.mapreduce.task.TaskAttemptContextImpl; import org.apache.hadoop.mapreduce.util.HostUtil; import org.apache.hadoop.util.Progressable; +import org.apache.hadoop.security.authentication.util.KerberosName; /** * Implemention of shims against Hadoop 0.23.0. @@ -116,6 +117,11 @@ public void setJobLauncherRpcAddress(Configuration conf, String val) { } } + public String getKerberosShortName(String kerberosLongName) throws IOException { + KerberosName kerberosName = new KerberosName(kerberosLongName); + return kerberosName.getShortName(); + } + @Override public String getJobLauncherHttpAddress(Configuration conf) { return conf.get("yarn.resourcemanager.webapp.address"); diff --git shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java index 777226f..49d8ba2 100644 --- shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java +++ shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java @@ -17,6 +17,7 @@ */ package org.apache.hadoop.hive.thrift; + import java.io.IOException; import java.net.InetAddress; import java.net.Socket; @@ -40,14 +41,18 @@ import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.hive.shims.ShimLoader; import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.Client; import org.apache.hadoop.fs.FileSystem; + import org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport; import org.apache.hadoop.security.SaslRpcServer; import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; +import org.apache.hadoop.security.KerberosName; +//import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.token.SecretManager.InvalidToken; @@ -428,7 +433,7 @@ protected synchronized String initialValue() { public String getRemoteUser() { return remoteUser.get(); } - + /** CallbackHandler for SASL DIGEST-MD5 mechanism */ // This code is pretty much completely based on Hadoop's // SaslRpcServer.SaslDigestCallbackHandler - the only reason we could not @@ -561,7 +566,13 @@ public Boolean run() { } }); } else { - remoteUser.set(endUser); + // check for kerberos v5 + if (saslServer.getMechanismName().equals("GSSAPI")) { + String shortName = ShimLoader.getHadoopShims().getKerberosShortName(endUser); + remoteUser.set(shortName); + } else { + remoteUser.set(endUser); + } return wrapped.process(inProt, outProt); } } catch (RuntimeException rte) { diff --git shims/src/common/java/org/apache/hadoop/hive/shims/HadoopShims.java shims/src/common/java/org/apache/hadoop/hive/shims/HadoopShims.java index b0f5077..c910e68 100644 --- shims/src/common/java/org/apache/hadoop/hive/shims/HadoopShims.java +++ shims/src/common/java/org/apache/hadoop/hive/shims/HadoopShims.java @@ -113,6 +113,14 @@ String getTaskAttemptLogUrl(JobConf conf, long getAccessTime(FileStatus file); /** + * return the Kerberos short name + * @param full Kerberos name + * @return short Kerberos name + * @throws IOException + */ + String getKerberosShortName(String kerberosName) throws IOException; + + /** * Returns a shim to wrap MiniMrCluster */ public MiniMrShim getMiniMrCluster(Configuration conf, int numberOfTaskTrackers,