diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index a182cd7..fa0cd09 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -818,13 +818,16 @@ // HiveServer2 auth configuration HIVE_SERVER2_AUTHENTICATION("hive.server2.authentication", "NONE", - new StringsValidator("NOSASL", "NONE", "LDAP", "KERBEROS", "CUSTOM")), + new StringsValidator("NOSASL", "NONE", "LDAP", "KERBEROS", "PAM", "CUSTOM")), HIVE_SERVER2_KERBEROS_KEYTAB("hive.server2.authentication.kerberos.keytab", ""), HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal", ""), HIVE_SERVER2_PLAIN_LDAP_URL("hive.server2.authentication.ldap.url", null), HIVE_SERVER2_PLAIN_LDAP_BASEDN("hive.server2.authentication.ldap.baseDN", null), HIVE_SERVER2_PLAIN_LDAP_DOMAIN("hive.server2.authentication.ldap.Domain", null), HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS("hive.server2.custom.authentication.class", null), + // List of the underlying pam services that should be used when auth type is PAM + // A file with the same name must exist in /etc/pam.d + HIVE_SERVER2_PAM_SERVICES("hive.server2.authentication.pam.services", null), HIVE_SERVER2_ENABLE_DOAS("hive.server2.enable.doAs", true), HIVE_SERVER2_TABLE_TYPE_MAPPING("hive.server2.table.type.mapping", "CLASSIC", new StringsValidator("CLASSIC", "HIVE")), diff --git a/pom.xml b/pom.xml index 9aef665..8d4322e 100644 --- a/pom.xml +++ b/pom.xml @@ -141,6 +141,7 @@ 1.5 2.9.1 3.4.5 + 1.1 diff --git a/service/pom.xml b/service/pom.xml index b1002e2..a97577b 100644 --- a/service/pom.xml +++ b/service/pom.xml @@ -55,6 +55,11 @@ commons-cli ${commons-cli.version} + + net.sf.jpam + jpam + ${jpam.version} + commons-lang 
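Review bot: The comment added above `HIVE_SERVER2_PAM_SERVICES` in HiveConf.java says "List of the underlying pam services" but gives neither the list format nor how several entries are combined. Going by PamAuthenticationProviderImpl in this same commit, the value is split on `,` and the user must pass every listed service, so the first comment line could read `// Comma-separated list of PAM service names used when auth type is PAM; authentication must succeed against every service listed`. The default is `null`, and the provider then rejects every login with "No PAM services are set.", so it is worth stating that the property is mandatory in PAM mode. The ConfVars enum starts and ends outside this hunk.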
diff --git a/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java b/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java index b92fd83..e51d4f4 100644 --- a/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java +++ b/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java @@ -23,6 +23,7 @@ public static enum AuthMethods { LDAP("LDAP"), + PAM("PAM"), CUSTOM("CUSTOM"), NONE("NONE"); @@ -50,14 +51,20 @@ private AuthenticationProviderFactory () { } public static PasswdAuthenticationProvider getAuthenticationProvider(AuthMethods authMethod) - throws AuthenticationException { + throws AuthenticationException { if (authMethod.equals(AuthMethods.LDAP)) { return new LdapAuthenticationProviderImpl(); - } else if (authMethod.equals(AuthMethods.CUSTOM)) { + } + else if (authMethod.equals(AuthMethods.PAM)) { + return new PamAuthenticationProviderImpl(); + } + else if (authMethod.equals(AuthMethods.CUSTOM)) { return new CustomAuthenticationProviderImpl(); - } else if (authMethod.equals(AuthMethods.NONE)) { + } + else if (authMethod.equals(AuthMethods.NONE)) { return new AnonymousAuthenticationProviderImpl(); - } else { + } + else { throw new AuthenticationException("Unsupported authentication method"); } } diff --git a/service/src/java/org/apache/hive/service/auth/PamAuthenticationProviderImpl.java b/service/src/java/org/apache/hive/service/auth/PamAuthenticationProviderImpl.java new file mode 100644 index 0000000..def3733 --- /dev/null +++ b/service/src/java/org/apache/hive/service/auth/PamAuthenticationProviderImpl.java 
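Review bot: In AuthenticationProviderFactory.getAuthenticationProvider (second hunk of AuthenticationProviderFactory.java), every `else if` is moved onto its own line after the closing brace and the `throws` line gets a whitespace-only change. This departs from the `} else if (...) {` layout of the removed lines and hides the one functional addition in formatting churn. Keeping the existing layout and adding only `} else if (authMethod.equals(AuthMethods.PAM)) {` with `return new PamAuthenticationProviderImpl();` would leave a diff that shows exactly which authentication path is new, which matters when auditing a change to login code.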
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth;
+
+import javax.security.sasl.AuthenticationException;
+
+import net.sf.jpam.Pam;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+
+public class PamAuthenticationProviderImpl implements PasswdAuthenticationProvider {
+
+ @Override
+ public void Authenticate(String user, String password)
+ throws AuthenticationException {
+
+ HiveConf conf = new HiveConf();
+ String pamServiceNames = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PAM_SERVICES);
+ if (pamServiceNames == null || pamServiceNames.trim().isEmpty()) {
+ throw new AuthenticationException("No PAM services are set.");
+ }
+
+ String pamServices[] = pamServiceNames.split(",");
+ for (String pamService : pamServices) {
+ Pam pam = new Pam(pamService);
+ boolean isAuthenticated = pam.authenticateSuccessful(user, password);
+ if (!isAuthenticated) {
+ throw new AuthenticationException("Error authenticating with the PAM service: " + pamService);
+ }
+ }
+ }
+}
\ No newline at end of file
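Review bot: `Authenticate` can return normally without ever calling PAM, because the emptiness check runs on the whole string while `split(",")` discards trailing empty tokens. A configured value consisting only of commas therefore yields an empty array, the loop body never runs and no exception is thrown, so the provider fails open on a misconfiguration. Entries are also passed to `new Pam(...)` untrimmed, so `a, b` looks up a service name with a leading space. The loop should trim each entry, reject blank ones and require that at least one service was actually checked, as sketched below. Separately, `new HiveConf()` is constructed on every login, and the failure message names the PAM service, which may be returned to the client; a generic message with the service name kept in the server log is safer.
```java
String pamServices[] = pamServiceNames.split(",");
int checked = 0;
for (String pamService : pamServices) {
  String service = pamService.trim();
  if (service.isEmpty()) {
    // A blank entry is a configuration error; refuse rather than skip it.
    throw new AuthenticationException("Empty PAM service name in configuration.");
  }
  Pam pam = new Pam(service);
  // … unchanged: authenticateSuccessful(user, password) check and throw on failure …
  checked++;
}
if (checked == 0) {
  // Fail closed: no service was consulted, so nothing vouched for this user.
  throw new AuthenticationException("No PAM services are set.");
}
```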