diff --git a/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java b/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java
index 57fda94..43f92a3 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/service/cli/thrift/TestThriftHttpCLIService.java
@@ -24,7 +24,6 @@
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hive.jdbc.HttpBasicAuthInterceptor;
 import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
-import org.apache.hive.service.server.HiveServer2;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.thrift.transport.THttpClient;
 import org.apache.thrift.transport.TTransport;
@@ -170,40 +169,6 @@ public void testIncorrectHttpPath() throws Exception { } } - - private void testWithAuthMode(AuthTypes authType) throws Exception { - // Stop and restart HiveServer2 in given incorrect auth mode - stopHiveServer2(); - hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, authType.toString()); - hiveServer2 = new HiveServer2(); - // HiveServer2 in Http mode will not start using KERBEROS/LDAP/CUSTOM auth types - startHiveServer2WithConf(hiveConf); - - // This will throw an expected exception since Http server is not running - testOpenSessionExpectedException(); - - // Stop and restart back with the original config - stopHiveServer2(); - hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, AuthTypes.NOSASL.toString()); - hiveServer2 = new HiveServer2(); - startHiveServer2WithConf(hiveConf); - } - - @Test - public void testKerberosMode() throws Exception { - testWithAuthMode(AuthTypes.KERBEROS); - } - - @Test - public void testLDAPMode() throws Exception { - testWithAuthMode(AuthTypes.LDAP); - } - - @Test - public void testCustomMode() throws Exception { - testWithAuthMode(AuthTypes.CUSTOM); - } - private static TTransport createHttpTransport() throws Exception { DefaultHttpClient httpClient = new DefaultHttpClient(); String httpUrl = transportMode + "://" + host + ":" + port + diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java index f909c96..466c20d 100644 --- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java +++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java @@ -46,7 +46,6 @@ import java.util.concurrent.Executor; import java.util.concurrent.TimeUnit; -import javax.net.ssl.SSLContext; import javax.security.sasl.Sasl; import javax.security.sasl.SaslException; 
@@ -68,10 +67,9 @@ import org.apache.hive.service.cli.thrift.TProtocolVersion; import org.apache.hive.service.cli.thrift.TSessionHandle; import org.apache.http.HttpRequestInterceptor; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.conn.ssl.SSLContexts; -import org.apache.http.impl.client.CloseableHttpClient; -import org.apache.http.impl.client.HttpClients; +import org.apache.http.conn.scheme.Scheme; +import org.apache.http.conn.ssl.SSLSocketFactory; +import org.apache.http.impl.client.DefaultHttpClient; import org.apache.thrift.TException; import org.apache.thrift.protocol.TBinaryProtocol; import org.apache.thrift.transport.THttpClient; @@ -190,8 +188,25 @@ private void openTransport() throws SQLException { } } + private String getServerHttpUrl(boolean useSsl) { + // Create the http/https url + // JDBC driver will set up an https url if ssl is enabled, otherwise http + String schemeName = useSsl ? "https" : "http"; + // http path should begin with "/" + String httpPath; + httpPath = hiveConfMap.get( + HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_PATH.varname); + if(httpPath == null) { + httpPath = "/"; + } + else if(!httpPath.startsWith("/")) { + httpPath = "/" + httpPath; + } + return schemeName + "://" + host + ":" + port + httpPath; + } + private TTransport createHttpTransport() throws SQLException { - CloseableHttpClient httpClient; + DefaultHttpClient httpClient; boolean useSsl = isSslConnection(); 
@@ -215,24 +230,10 @@ private TTransport createHttpTransport() throws SQLException { return transport; } - private String getServerHttpUrl(boolean useSsl) { - // Create the http/https url - // JDBC driver will set up an https url if ssl is enabled, otherwise http - String schemeName = useSsl ? "https" : "http"; - // http path should begin with "/" - String httpPath; - httpPath = hiveConfMap.get( - HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_PATH.varname); - if(httpPath == null) { - httpPath = "/"; - } - else if(!httpPath.startsWith("/")) { - httpPath = "/" + httpPath; - } - return schemeName + "://" + host + ":" + port + httpPath; - } + private DefaultHttpClient getHttpClient(Boolean useSsl) throws SQLException { + DefaultHttpClient httpClient = new DefaultHttpClient(); + HttpRequestInterceptor requestInterceptor; - private CloseableHttpClient getHttpClient(Boolean useSsl) throws SQLException { // If Kerberos if (isKerberosAuthMode()) { try { @@ -248,10 +249,9 @@ private CloseableHttpClient getHttpClient(Boolean useSsl) throws SQLException { */ String kerberosAuthHeader = HttpAuthUtils.doKerberosAuth( sessConfMap.get(HIVE_AUTH_PRINCIPAL), host, getServerHttpUrl(false)); - HttpKerberosRequestInterceptor kerberosInterceptor = - new HttpKerberosRequestInterceptor(kerberosAuthHeader); - return HttpClients.custom().addInterceptorFirst(kerberosInterceptor).build(); - } catch (Exception e) { + requestInterceptor = new HttpKerberosRequestInterceptor(kerberosAuthHeader); + } + catch (Exception e) { String msg = "Could not create a kerberized http connection to " + jdbcURI + ". " + e.getMessage(); throw new SQLException(msg, " 08S01", e); 
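Review bot: The Kerberos branch returns `httpClient` with its default scheme registry, because the `if (useSsl)` block that registers the trust-store-backed `https` scheme sits only in the `else` branch of the following hunk (-259). A Kerberos connection over https would therefore ignore `HIVE_SSL_TRUST_STORE` and `HIVE_SSL_TRUST_STORE_PASSWORD`, and the auth header is still computed from `getServerHttpUrl(false)` even when `useSsl` is true. The comment that explains the `false` argument begins outside the hunk, so this may be intended; if it is, say so next to the branch, e.g. `// SSL trust store settings are not applied in Kerberos mode`, otherwise move the SSL setup out of the `else` so both auth modes share it. The body of getHttpClient starts in the previous hunk and ends in the next one.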
@@ -259,45 +259,43 @@ private CloseableHttpClient getHttpClient(Boolean useSsl) throws SQLException { } else { /** - * Add an interceptor to pass username/password in the header, - * for basic preemtive http authentication at the server. + * Add an interceptor to pass username/password in the header. * In https mode, the entire information is encrypted */ - HttpRequestInterceptor authInterceptor = new HttpBasicAuthInterceptor( - getUserName(), getPassword()); + requestInterceptor = new HttpBasicAuthInterceptor(getUserName(), getPassword()); + // Configure httpClient for SSL if (useSsl) { String sslTrustStorePath = sessConfMap.get(HIVE_SSL_TRUST_STORE); String sslTrustStorePassword = sessConfMap.get( HIVE_SSL_TRUST_STORE_PASSWORD); KeyStore sslTrustStore; - SSLContext sslContext; - if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) { - // Create a default client context based on standard JSSE trust material - sslContext = SSLContexts.createDefault(); - } else { - // Pick trust store config from the given path - try { + SSLSocketFactory socketFactory; + + try { + if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) { + // Create a default socket factory based on standard JSSE trust material + socketFactory = SSLSocketFactory.getSocketFactory(); + } + else { + // Pick trust store config from the given path sslTrustStore = KeyStore.getInstance(HIVE_SSL_TRUST_STORE_TYPE); sslTrustStore.load(new FileInputStream(sslTrustStorePath), sslTrustStorePassword.toCharArray()); - sslContext = SSLContexts.custom().loadTrustMaterial( - sslTrustStore).build(); - } - catch (Exception e) { - String msg = "Could not create an https connection to " + - jdbcURI + ". 
" + e.getMessage(); - throw new SQLException(msg, " 08S01", e); + socketFactory = new SSLSocketFactory(sslTrustStore); } + socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); + Scheme sslScheme = new Scheme("https", 443, socketFactory); + httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme); + } + catch (Exception e) { + String msg = "Could not create an https connection to " + + jdbcURI + ". " + e.getMessage(); + throw new SQLException(msg, " 08S01", e); } - return HttpClients.custom().setHostnameVerifier( - SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER).setSslcontext( - sslContext).addInterceptorFirst(authInterceptor).build(); - } - else { - // Create a plain http client - return HttpClients.custom().addInterceptorFirst(authInterceptor).build(); } } + httpClient.addRequestInterceptor(requestInterceptor); + return httpClient; } private TTransport createBinaryTransport() throws SQLException { diff --git a/pom.xml b/pom.xml index 0669728..34b3114 100644 --- a/pom.xml +++ b/pom.xml @@ -102,8 +102,8 @@ 0.96.0-hadoop1 0.96.0-hadoop2 - 4.3.2 - 4.3.1 + 4.2.5 + 4.2.5 1.9.2 0.3.2 5.5.1 diff --git a/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java b/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java index a5d21de..346338f 100644 --- a/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java +++ b/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java @@ -53,7 +53,7 @@ public static final String BASIC = "Basic"; public static final String NEGOTIATE = "Negotiate"; - private static class HttpCLIServiceProcessorFactory extends TProcessorFactory { + public static class HttpCLIServiceProcessorFactory extends TProcessorFactory { private final ThriftCLIService service; private final HiveConf hiveConf; private final boolean isDoAsEnabled; 
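Review bot: `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)` disables hostname verification for every https connection, so a certificate that chains to the trust store is accepted for any host and the username/password added by `HttpBasicAuthInterceptor` would be sent to that peer. The removed side did the same, but this rewrite is the place to drop the call or switch to `SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER`, with any relaxation behind an explicit opt-in setting. In the same block `new FileInputStream(sslTrustStorePath)` is never closed, and `sslTrustStorePassword.toCharArray()` throws a NullPointerException when a trust store path is given without a password; close the stream in a `finally` and pass `null` to `load` when no password is configured. The comment `In https mode, the entire information is encrypted` should also state that without SSL the basic-auth header is only Base64-encoded.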
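Review bot: Widening `HttpCLIServiceProcessorFactory` from `private` to `public` exposes a nested helper that holds the `ThriftCLIService` and `HiveConf`, and no line in this diff shows a caller outside `HttpAuthUtils`. If the consumer is in the same package, package-private visibility is enough: `static class HttpCLIServiceProcessorFactory extends TProcessorFactory {`. If it must be public, add a class comment naming who constructs it. The class body continues outside the hunk.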
diff --git a/service/src/java/org/apache/hive/service/cli/CLIService.java b/service/src/java/org/apache/hive/service/cli/CLIService.java index 67f4410..6654f04 100644 --- a/service/src/java/org/apache/hive/service/cli/CLIService.java +++ b/service/src/java/org/apache/hive/service/cli/CLIService.java @@ -92,8 +92,8 @@ public synchronized void init(HiveConf hiveConf) { } catch (LoginException e) { throw new ServiceException("Unable to login to kerberos with given principal/keytab", e); } - super.init(hiveConf); } + super.init(hiveConf); } public UserGroupInformation getServiceUGI() { diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java index cb01cfd..dacd941 100644 --- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java +++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java @@ -99,7 +99,6 @@ public void run() { hiveAuthFactory = new HiveAuthFactory(); TProcessorFactory processorFactory = hiveAuthFactory.getAuthProcFactory(this); TProcessor processor = processorFactory.getProcessor(null); - TProtocolFactory protocolFactory = new TBinaryProtocol.Factory(); TServlet thriftHttpServlet = new ThriftHttpServlet(processor, protocolFactory, authType, serviceUGI); diff --git a/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java b/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java index 3b24d4e..21dc63b 100644 --- a/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java +++ b/service/src/test/org/apache/hive/service/cli/thrift/ThriftCLIServiceTest.java 
@@ -23,23 +23,9 @@ import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; -import java.io.IOException; -import java.util.Collection; - -import javax.security.auth.login.LoginException; - import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.metastore.MetaStoreUtils; -import org.apache.hadoop.hive.ql.ErrorMsg; -import org.apache.hive.service.Service; -import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.auth.PlainSaslHelper; -import org.apache.hive.service.cli.CLIService; -import org.apache.hive.service.cli.HiveSQLException; -import org.apache.hive.service.cli.SessionHandle; -import org.apache.hive.service.cli.session.HiveSession; -import org.apache.hive.service.cli.session.SessionManager; import org.apache.hive.service.server.HiveServer2; import org.apache.thrift.protocol.TBinaryProtocol; import org.apache.thrift.protocol.TProtocol; @@ -271,7 +257,7 @@ public void testExecuteStatementAsync() throws Exception { // Execute a malformed query // This query will give a runtime error - queryString = "CREATE TABLE NON_EXISTING_TAB (ID STRING) location 'hdfs://fooNN:10000/a/b/c'"; + queryString = "CREATE TABLE NON_EXISTING_TAB (ID STRING) location 'hdfs://localhost:10000/a/b/c'"; System.out.println("Will attempt to execute: " + queryString); execResp = executeQuery(queryString, sessHandle, true); operationHandle = execResp.getOperationHandle(); 
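Review bot: With the location changed to `hdfs://localhost:10000/a/b/c`, the expected runtime error now depends on what is listening on local port 10000, which is also HiveServer2's default Thrift port, so the failure mode can differ between environments. A comment above the assignment would record the intent, for example `// no NameNode is expected at this address, so the CREATE TABLE fails at runtime`. The assertions on the resulting operation state are outside the hunk.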
@@ -338,46 +324,6 @@ protected void testOpenSessionExpectedException() { } /** - * Test setting {@link HiveConf.ConfVars}} config parameter - * HIVE_SERVER2_ENABLE_DOAS for kerberos secure mode - * @throws IOException - * @throws LoginException - * @throws HiveSQLException - */ - @Test - public void testDoAs() throws HiveSQLException, LoginException, IOException { - HiveConf hconf = new HiveConf(); - assertTrue("default value of hive server2 doAs should be true", - hconf.getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS)); - - hconf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, - HiveAuthFactory.AuthTypes.KERBEROS.toString()); - - CLIService cliService = new CLIService(); - cliService.init(hconf); - ThriftCLIService tcliService = new ThriftBinaryCLIService(cliService); - TOpenSessionReq req = new TOpenSessionReq(); - TOpenSessionResp res = new TOpenSessionResp(); - req.setUsername("testuser1"); - SessionHandle sHandle = tcliService.getSessionHandle(req, res); - SessionManager sManager = getSessionManager(cliService.getServices()); - HiveSession session = sManager.getSession(sHandle); - - //Proxy class for doing doAs on all calls is used when doAs is enabled - // and kerberos security is on - assertTrue("check if session class is a proxy", session instanceof java.lang.reflect.Proxy); - } - - private SessionManager getSessionManager(Collection services) { - for(Service s : services){ - if(s instanceof SessionManager){ - return (SessionManager)s; - } - } - return null; - } - - /** * @throws java.lang.Exception */ @Before