diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index a182cd7..fa0cd09 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -818,13 +818,16 @@
// HiveServer2 auth configuration
HIVE_SERVER2_AUTHENTICATION("hive.server2.authentication", "NONE",
- new StringsValidator("NOSASL", "NONE", "LDAP", "KERBEROS", "CUSTOM")),
+ new StringsValidator("NOSASL", "NONE", "LDAP", "KERBEROS", "PAM", "CUSTOM")),
HIVE_SERVER2_KERBEROS_KEYTAB("hive.server2.authentication.kerberos.keytab", ""),
HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal", ""),
HIVE_SERVER2_PLAIN_LDAP_URL("hive.server2.authentication.ldap.url", null),
HIVE_SERVER2_PLAIN_LDAP_BASEDN("hive.server2.authentication.ldap.baseDN", null),
HIVE_SERVER2_PLAIN_LDAP_DOMAIN("hive.server2.authentication.ldap.Domain", null),
HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS("hive.server2.custom.authentication.class", null),
+ // List of the underlying pam services that should be used when auth type is PAM
+ // A file with the same name must exist in /etc/pam.d
+ HIVE_SERVER2_PAM_SERVICES("hive.server2.authentication.pam.services", null),
HIVE_SERVER2_ENABLE_DOAS("hive.server2.enable.doAs", true),
HIVE_SERVER2_TABLE_TYPE_MAPPING("hive.server2.table.type.mapping", "CLASSIC",
new StringsValidator("CLASSIC", "HIVE")),
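Review bot: The comment on HIVE_SERVER2_PAM_SERVICES does not say how the list is delimited or how multiple entries combine, and an administrator needs both to configure this safely. Going by PamAuthenticationProviderImpl in this same commit, the value is split on `,` and a login succeeds only if every listed service accepts the credentials. I would change the first comment line to `// Comma-separated list of PAM services used when auth type is PAM; the user must pass every listed service` and keep the `/etc/pam.d` line as it is. The enclosing enum starts and ends outside this hunk.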
diff --git a/pom.xml b/pom.xml
index 9aef665..8d4322e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -141,6 +141,7 @@
1.5
2.9.1
3.4.5
+ 1.1
diff --git a/service/pom.xml b/service/pom.xml
index b1002e2..a97577b 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -55,6 +55,11 @@
commons-cli
${commons-cli.version}
+
+ net.sf.jpam
+ jpam
+ ${jpam.version}
+
commons-lang
diff --git a/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java b/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java
index b92fd83..e51d4f4 100644
--- a/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/AuthenticationProviderFactory.java
@@ -23,6 +23,7 @@
public static enum AuthMethods {
LDAP("LDAP"),
+ PAM("PAM"),
CUSTOM("CUSTOM"),
NONE("NONE");
@@ -50,14 +51,20 @@ private AuthenticationProviderFactory () {
}
public static PasswdAuthenticationProvider getAuthenticationProvider(AuthMethods authMethod)
- throws AuthenticationException {
+ throws AuthenticationException {
if (authMethod.equals(AuthMethods.LDAP)) {
return new LdapAuthenticationProviderImpl();
- } else if (authMethod.equals(AuthMethods.CUSTOM)) {
+ }
+ else if (authMethod.equals(AuthMethods.PAM)) {
+ return new PamAuthenticationProviderImpl();
+ }
+ else if (authMethod.equals(AuthMethods.CUSTOM)) {
return new CustomAuthenticationProviderImpl();
- } else if (authMethod.equals(AuthMethods.NONE)) {
+ }
+ else if (authMethod.equals(AuthMethods.NONE)) {
return new AnonymousAuthenticationProviderImpl();
- } else {
+ }
+ else {
throw new AuthenticationException("Unsupported authentication method");
}
}
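Review bot: The reformatting of the existing branches from `} else if (...) {` to a closing brace with `else if` on the next line is unrelated to adding PAM, and it departs from the layout the method had before. It buries the one meaningful change, a new authentication path, among whitespace edits to the LDAP, CUSTOM and NONE branches and the `throws` line. I would keep the original layout and add only `} else if (authMethod.equals(AuthMethods.PAM)) {` followed by `return new PamAuthenticationProviderImpl();`, so the hunk shows exactly what changed in the provider selection.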
diff --git a/service/src/java/org/apache/hive/service/auth/PamAuthenticationProviderImpl.java b/service/src/java/org/apache/hive/service/auth/PamAuthenticationProviderImpl.java
new file mode 100644
index 0000000..5e48d13
--- /dev/null
+++ b/service/src/java/org/apache/hive/service/auth/PamAuthenticationProviderImpl.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth;
+
+import javax.security.sasl.AuthenticationException;
+
+import net.sf.jpam.Pam;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+
+public class PamAuthenticationProviderImpl implements PasswdAuthenticationProvider {
+
+ private final String pamServiceNames;
+
+ PamAuthenticationProviderImpl () {
+ HiveConf conf = new HiveConf();
+ this.pamServiceNames = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PAM_SERVICES);
+ }
+
+ @Override
+ public void Authenticate(String user, String password)
+ throws AuthenticationException {
+
+ if (pamServiceNames == null || pamServiceNames.trim().isEmpty()) {
+ throw new AuthenticationException("No PAM services are set.");
+ }
+
+ String pamServices[] = pamServiceNames.split(",");
+ for (String pamService : pamServices) {
+ Pam pam = new Pam(pamService);
+ boolean isAuthenticated = pam.authenticateSuccessful(user, password);
+ if (!isAuthenticated) {
+ throw new AuthenticationException("Error authenticating with the PAM service: " + pamService);
+ }
+ }
+ }
+}
\ No newline at end of file
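Review bot: Authenticate fails open when the configured list yields no service names: a value consisting only of commas passes the blank check, `split(",")` returns an empty array, the loop never runs, and the method returns without consulting PAM, so any user and password are accepted. Entries are also used untrimmed, so `sshd, login` asks PAM for a service named ` login`; how PAM resolves a name with no matching file depends on the host's configuration. I would trim each entry, reject empty ones, and throw if no service was actually checked, as sketched below. Separately, the failure message includes the PAM service name; if that message is relayed to the client it discloses server configuration, so logging the name server-side and throwing a generic message may be preferable.

```java
// … unchanged: null/blank check on pamServiceNames …
int checked = 0;
for (String entry : pamServiceNames.split(",")) {
  String pamService = entry.trim();
  if (pamService.isEmpty()) {
    // Fail closed on a malformed list instead of silently skipping the entry.
    throw new AuthenticationException("Empty PAM service name in configuration.");
  }
  Pam pam = new Pam(pamService);
  // … unchanged: authenticateSuccessful call and failure throw …
  checked++;
}
if (checked == 0) {
  // A value such as "," splits to zero entries; never treat that as success.
  throw new AuthenticationException("No PAM services are set.");
}
```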