diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
index 2b37659..cb01cfd 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
@@ -154,16 +154,6 @@ private String getHttpPath(String httpPath) {
 private static void verifyHttpConfiguration(HiveConf hiveConf) {
 String authType = hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION);
- // Error out if LDAP auth mode is being used, it is not supported
- if(authType.equalsIgnoreCase(AuthTypes.LDAP.toString()) ||
- authType.equalsIgnoreCase(AuthTypes.CUSTOM.toString())) {
- String msg = ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting of " +
- authType + " is currently not supported with " +
- ConfVars.HIVE_SERVER2_TRANSPORT_MODE + " setting of http";
- LOG.fatal(msg);
- throw new RuntimeException(msg);
- }
-
 // Error out if KERBEROS auth mode is being used and use SSL is also set to true
 if(authType.equalsIgnoreCase(AuthTypes.KERBEROS.toString()) &&
 hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL)) {
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index 1389b6b..ff64e51 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -30,9 +30,12 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hive.service.auth.AuthenticationProviderFactory;
+import org.apache.hive.service.auth.AuthenticationProviderFactory.AuthMethods;
 import org.apache.hive.service.auth.HiveAuthFactory;
 import org.apache.hive.service.auth.HttpAuthUtils;
 import org.apache.hive.service.auth.HttpAuthenticationException;
+import org.apache.hive.service.auth.PasswdAuthenticationProvider;
 import org.apache.hive.service.cli.session.SessionManager;
 import org.apache.thrift.TProcessor;
 import org.apache.thrift.protocol.TProtocolFactory;
@@ -77,6 +80,9 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 if(isKerberosAuthMode(authType)) {
 doKerberosAuth(request);
 }
+ else {
+ doPasswdAuth(request, authType);
+ }
 logRequestHeader(request, authType);
 super.doPost(request, response);
@@ -109,6 +115,28 @@ private void verifyAuthHeader(HttpServletRequest request)
 }
 /**
+ * Do the LDAP/PAM authentication
+ * @param request
+ * @param authType
+ * @throws HttpAuthenticationException
+ */
+ private void doPasswdAuth(HttpServletRequest request, String authType)
+ throws HttpAuthenticationException {
+ // No-op when authType is NOSASL
+ if (!authType.equalsIgnoreCase(HiveAuthFactory.AuthTypes.NOSASL.toString())) {
+ try {
+ AuthMethods authMethod = AuthMethods.getValidAuthMethod(authType);
+ PasswdAuthenticationProvider provider =
+ AuthenticationProviderFactory.getAuthenticationProvider(authMethod);
+ provider.Authenticate(getUsername(request, authType),
+ getPassToken(request, authType));
+ } catch (Exception e) {
+ throw new HttpAuthenticationException(e);
+ }
+ }
+ }
+
+ /**
 * Do the GSS-API kerberos authentication.
 * We already have a logged in subject in the form of serviceUGI,
 * which GSS-API will extract information from.
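Review bot: With the new `else` branch in doPost, `logRequestHeader(request, authType)` now runs for LDAP and CUSTOM requests that carry a real password, and its body is outside this hunk. It should be confirmed that for non-Kerberos modes it never writes the raw or decoded authorization value to the log; recording only whether the header was present is enough. The other file in this commit drops the startup check that refused LDAP and CUSTOM in http mode, and the only check still visible in verifyHttpConfiguration concerns KERBEROS together with `ConfVars.HIVE_SERVER2_USE_SSL`, so nothing shown here requires TLS when passwords are sent. A startup warning or refusal when a password mode is configured without SSL would close that gap; doPost itself starts and ends outside the hunk.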
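Review bot: doPasswdAuth hands whatever `getUsername` and `getPassToken` return straight to `provider.Authenticate`, with no check in this method that either value is present and non-empty. Both helpers and the providers are outside the hunk, so this may already be handled, but it matters for LDAP because some directory servers treat a simple bind with an empty password as an unauthenticated bind and report success. If the provider does not reject that case, a guard before the call for the password-checking modes would do, for example `if (password == null || password.isEmpty()) throw new HttpAuthenticationException("Empty password");`. The Javadoc should also say that this path covers every non-Kerberos type (it reads "LDAP/PAM" and its `@param` tags are empty), and `catch (Exception e)` could be narrowed so that configuration errors from `getValidAuthMethod` are not reported to the client as authentication failures.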