diff --git service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java index 15b1675..5c00dd7 100644 --- service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java +++ service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java @@ -97,20 +97,17 @@ public void handle(Callback[] callbacks) private static class SQLPlainProcessorFactory extends TProcessorFactory { private final ThriftCLIService service; private final HiveConf conf; - private final boolean doAsEnabled; public SQLPlainProcessorFactory(ThriftCLIService service) { super(null); this.service = service; this.conf = service.getHiveConf(); - this.doAsEnabled = conf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS); } @Override public TProcessor getProcessor(TTransport trans) { TProcessor baseProcessor = new TCLIService.Processor(service); - return doAsEnabled ? new TUGIContainingProcessor(baseProcessor, conf) : - new TSetIpAddressProcessor(service); + return new TSetIpAddressProcessor(service); } } diff --git service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java index 0bf34ce..3be4b4b 100644 --- service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java +++ service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java @@ -18,10 +18,7 @@ package org.apache.hive.service.auth; -import java.net.Socket; - import org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore.Processor; -import org.apache.hive.service.cli.session.SessionManager; import org.apache.hive.service.cli.thrift.TCLIService; import org.apache.hive.service.cli.thrift.TCLIService.Iface; import org.apache.thrift.TException; @@ -54,14 +51,19 @@ public TSetIpAddressProcessor(Iface iface) { public boolean process(final TProtocol in, final TProtocol out) throws TException { setIpAddress(in); setUserName(in); - return super.process(in, out); + try { + return super.process(in, out); + } finally { + threadLocalUserName.remove(); + threadLocalIpAddress.remove(); + } } private void setUserName(final TProtocol in) { TTransport transport = in.getTransport(); if (transport instanceof TSaslServerTransport) { String userName = ((TSaslServerTransport)transport).getSaslServer().getAuthorizationID(); - SessionManager.setUserName(userName); + threadLocalUserName.set(userName); } } @@ -69,16 +71,12 @@ protected void setIpAddress(final TProtocol in) { TTransport transport = in.getTransport(); TSocket tSocket = getUnderlyingSocketFromTransport(transport); if (tSocket != null) { - setIpAddress(tSocket.getSocket()); + threadLocalIpAddress.set(tSocket.getSocket().getInetAddress().toString()); } else { LOGGER.warn("Unknown Transport, cannot determine ipAddress"); } } - private void setIpAddress(Socket socket) { - SessionManager.setIpAddress(socket.getInetAddress().toString()); - } - private TSocket getUnderlyingSocketFromTransport(TTransport transport) { while (transport != null) { if (transport instanceof TSaslServerTransport) { @@ -93,4 +91,26 @@ private TSocket getUnderlyingSocketFromTransport(TTransport transport) { } return null; } + + private static ThreadLocal threadLocalIpAddress = new ThreadLocal() { + @Override + protected synchronized String initialValue() { + return null; + } + }; + + private static ThreadLocal threadLocalUserName = new ThreadLocal(){ + @Override + protected synchronized String initialValue() { + return null; + } + }; + + public static String getUserIpAddress() { + return threadLocalIpAddress.get(); + } + + public static String getUserName() { + return threadLocalUserName.get(); + } } \ No newline at end of file diff --git service/src/java/org/apache/hive/service/cli/session/SessionManager.java service/src/java/org/apache/hive/service/cli/session/SessionManager.java index bfe0e7b..5e6fbb0 100644 --- service/src/java/org/apache/hive/service/cli/session/SessionManager.java +++ service/src/java/org/apache/hive/service/cli/session/SessionManager.java @@ -101,9 +101,6 @@ public SessionHandle openSession(TProtocolVersion protocol, String username, Str public SessionHandle openSession(TProtocolVersion protocol, String username, String password, Map sessionConf, boolean withImpersonation, String delegationToken) throws HiveSQLException { - if (username == null) { - username = threadLocalUserName.get(); - } HiveSession session; if (withImpersonation) { HiveSessionImplwithUGI hiveSessionUgi = new HiveSessionImplwithUGI(protocol, username, password, @@ -146,36 +143,6 @@ public OperationManager getOperationManager() { return operationManager; } - private static ThreadLocal threadLocalIpAddress = new ThreadLocal() { - @Override - protected synchronized String initialValue() { - return null; - } - }; - - public static void setIpAddress(String ipAddress) { - threadLocalIpAddress.set(ipAddress); - } - - private void clearIpAddress() { - threadLocalIpAddress.remove(); - } - - private static ThreadLocal threadLocalUserName = new ThreadLocal(){ - @Override - protected synchronized String initialValue() { - return null; - } - }; - - public static void setUserName(String userName) { - threadLocalUserName.set(userName); - } - - private void clearUserName() { - threadLocalUserName.remove(); - } - // execute session hooks private void executeSessionHooks(HiveSession session) throws Exception { List sessionHooks = HookUtils.getHooks(hiveConf, diff --git service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java index b5a6138..0e037fd 100644 --- service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java +++ service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java @@ -31,6 +31,7 @@ import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hive.service.AbstractService; import org.apache.hive.service.auth.HiveAuthFactory; +import org.apache.hive.service.auth.TSetIpAddressProcessor; import org.apache.hive.service.cli.CLIService; import org.apache.hive.service.cli.FetchOrientation; import org.apache.hive.service.cli.GetInfoType; @@ -111,7 +112,6 @@ public synchronized void stop() { super.stop(); } - @Override public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException { LOG.info("Client protocol version: " + req.getClient_protocol()); @@ -130,12 +130,14 @@ public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException { } private String getUserName(TOpenSessionReq req) { - if (hiveAuthFactory != null - && hiveAuthFactory.getRemoteUser() != null) { - return hiveAuthFactory.getRemoteUser(); - } else { - return req.getUsername(); + String userName = null; + if (hiveAuthFactory != null) { + userName = hiveAuthFactory.getRemoteUser(); // kerberos + } + if (userName == null) { + userName = TSetIpAddressProcessor.getUserName(); // except kerberos, nosasl } + return userName != null ? userName : req.getUsername(); } SessionHandle getSessionHandle(TOpenSessionReq req, TOpenSessionResp res) @@ -145,25 +147,32 @@ SessionHandle getSessionHandle(TOpenSessionReq req, TOpenSessionResp res) TProtocolVersion protocol = getMinVersion(CLIService.SERVER_VERSION, req.getClient_protocol()); SessionHandle sessionHandle; - if (cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION) - .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString()) && - cliService.getHiveConf().getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS)) { - String delegationTokenStr = null; - try { - delegationTokenStr = cliService.getDelegationTokenFromMetaStore(userName); - } catch (UnsupportedOperationException e) { - // The delegation token is not applicable in the given deployment mode - } - sessionHandle = cliService.openSessionWithImpersonation(protocol, userName, - req.getPassword(), req.getConfiguration(), delegationTokenStr); + if (cliService.getHiveConf().getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS)) { + String delegationTokenStr = getDelegationToken(userName); + sessionHandle = cliService.openSessionWithImpersonation( + protocol, userName, req.getPassword(), req.getConfiguration(), delegationTokenStr); } else { - sessionHandle = cliService.openSession(protocol, userName, req.getPassword(), - req.getConfiguration()); + sessionHandle = cliService.openSession( + protocol, userName, req.getPassword(), req.getConfiguration()); } res.setServerProtocolVersion(protocol); return sessionHandle; } + private String getDelegationToken(String userName) + throws HiveSQLException, LoginException, IOException { + if (userName == null || !cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION) + .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString())) { + return null; + } + try { + return cliService.getDelegationTokenFromMetaStore(userName); + } catch (UnsupportedOperationException e) { + // The delegation token is not applicable in the given deployment mode + } + return null; + } + private TProtocolVersion getMinVersion(TProtocolVersion... versions) { TProtocolVersion[] values = TProtocolVersion.values(); int current = values[values.length - 1].getValue();