Index: jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
===================================================================
--- jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java (revision 1574208)
+++ jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java (working copy)
@@ -88,6 +88,8 @@
 private static final String HIVE_AUTH_USER = "user";
 private static final String HIVE_AUTH_PRINCIPAL = "principal";
 private static final String HIVE_AUTH_PASSWD = "password";
+ private static final String HIVE_AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType";
+ private static final String HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject";
 private static final String HIVE_ANONYMOUS_USER = "anonymous";
 private static final String HIVE_ANONYMOUS_PASSWD = "anonymous";
 private static final String HIVE_USE_SSL = "ssl";
@@ -277,9 +279,10 @@
 }
 saslProps.put(Sasl.QOP, saslQOP.toString());
 saslProps.put(Sasl.SERVER_AUTH, "true");
+ boolean assumeSubject = HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT.equals(sessConfMap.get(HIVE_AUTH_KERBEROS_AUTH_TYPE));
 transport = KerberosSaslHelper.getKerberosTransport(
 sessConfMap.get(HIVE_AUTH_PRINCIPAL), host,
- HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps);
+ HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps, assumeSubject);
 } else {
 String userName = sessConfMap.get(HIVE_AUTH_USER);
 if ((userName == null) || userName.isEmpty()) {
Index: service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java
===================================================================
--- service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java (revision 1574208)
+++ service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java (working copy)
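Review bot: The added `assumeSubject` line in the second hunk runs well past the 100-column limit and treats any `kerberosAuthType` value other than `fromSubject` as the default Hadoop login path, so a misspelt value in the JDBC URL silently selects a different authentication mechanism with no diagnostic. Split it as `String kerberosAuthType = sessConfMap.get(HIVE_AUTH_KERBEROS_AUTH_TYPE);` / `boolean assumeSubject =` / `    HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT.equals(kerberosAuthType);`, and consider rejecting a non-null value that is neither recognised with a `SQLException` rather than falling through. Because `fromSubject` makes the driver trust whatever JAAS Subject is on the calling thread instead of performing its own login, the new constants deserve a comment stating that the caller is responsible for having established that Subject before `connect`. The enclosing method starts and ends outside the hunk.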
@@ -30,6 +30,7 @@
 import org.apache.hive.service.cli.thrift.ThriftCLIService;
 import org.apache.thrift.TProcessor;
 import org.apache.thrift.TProcessorFactory;
+import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TTransport;
 public class KerberosSaslHelper {
@@ -57,7 +58,7 @@
 }
 public static TTransport getKerberosTransport(String principal, String host,
- final TTransport underlyingTransport, Map saslProps) throws SaslException {
+ final TTransport underlyingTransport, Map saslProps, boolean assumeSubject) throws SaslException {
 try {
 final String names[] = principal.split("[/@]");
 if (names.length != 3) {
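Review bot: The second hunk changes the signature of the public static `getKerberosTransport` without keeping the previous four-argument form, so any external caller compiled against the old method breaks at link time. Keep a delegating overload, `public static TTransport getKerberosTransport(String principal, String host, final TTransport underlyingTransport, Map saslProps) throws SaslException { return getKerberosTransport(principal, host, underlyingTransport, saslProps, false); }`, so the default behaviour stays reachable under the old signature. The new signature line also exceeds 100 columns; wrapping `boolean assumeSubject` onto its own continuation line keeps it within the file's style. The method body continues past the end of this hunk.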
@@ -65,14 +66,29 @@
 + principal);
 }
- HadoopThriftAuthBridge.Client authBridge =
- ShimLoader.getHadoopThriftAuthBridge().createClientWithConf("kerberos");
- return authBridge.createClientTransport(principal, host,
+ if (assumeSubject) {
+ return createSubjectAssumedTransport(principal, underlyingTransport, saslProps);
+ } else {
+ HadoopThriftAuthBridge.Client authBridge =
+ ShimLoader.getHadoopThriftAuthBridge().createClientWithConf("kerberos");
+ return authBridge.createClientTransport(principal, host,
 "KERBEROS", null, underlyingTransport, saslProps);
+ }
 } catch (IOException e) {
 throw new SaslException("Failed to open client transport", e);
 }
 }
+ public static TTransport createSubjectAssumedTransport(String principal,
+ TTransport underlyingTransport, Map saslProps) throws IOException {
+ TTransport saslTransport = null;
+ final String names[] = principal.split("[/@]");
+ try {
+ saslTransport = new TSaslClientTransport("GSSAPI", null, names[0], names[1], saslProps, null, underlyingTransport);
+ return new TSubjectAssumingTransport(saslTransport);
+ } catch (SaslException se) {
+ throw new IOException("Could not instantiate SASL transport", se);
+ }
+ }
 }
Index: service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java
===================================================================
--- service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java (revision 0)
+++ service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java (working copy)
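Review bot: `createSubjectAssumedTransport` re-splits `principal` and indexes `names[0]` and `names[1]` without checking the array length; since the method is public it can be invoked directly with a malformed principal and fail with an `ArrayIndexOutOfBoundsException` instead of the `IllegalArgumentException` that `getKerberosTransport` raises for the same input. Either narrow its visibility to private or repeat the guard, `if (names.length != 3) { throw new IllegalArgumentException("Invalid Kerberos principal: " + principal); }`, before the `TSaslClientTransport` constructor. The `host` argument is not passed to the new path, so the `_HOST` substitution that the `HadoopThriftAuthBridge` path presumably performs is not applied; the method's Javadoc should state that the principal must already be fully qualified. The `TTransport saslTransport = null;` initialisation is unnecessary — declare the variable inside the `try` where it is assigned.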
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service.auth;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.hive.thrift.TFilterTransport;
+import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
+
+/**
+ *
+ * This is used on the client side, where the API explicitly opens a transport to
+ * the server using the Subject.doAs()
+ */
+ public class TSubjectAssumingTransport extends TFilterTransport {
+
+ public TSubjectAssumingTransport(TTransport wrapped) {
+ super(wrapped);
+ }
+
+ @Override
+ public void open() throws TTransportException {
+ try {
+ AccessControlContext context = AccessController.getContext();
+ Subject subject = Subject.getSubject(context);
+ Subject.doAs(subject, new PrivilegedExceptionAction() {
+ public Void run() {
+ try {
+ wrapped.open();
+ } catch (TTransportException tte) {
+ // Wrap the transport exception in an RTE, since Subject.doAs() then goes
+ // and unwraps this for us out of the doAs block. We then unwrap one
+ // more time in our catch clause to get back the TTE. (ugh)
+ throw new RuntimeException(tte);
+ }
+ return null;
+ }
+ });
+ } catch (PrivilegedActionException ioe) {
+ throw new RuntimeException("Received an ioe we never threw!", ioe);
+ } catch (RuntimeException rte) {
+ if (rte.getCause() instanceof TTransportException) {
+ throw (TTransportException)rte.getCause();
+ } else {
+ throw rte;
+ }
+ }
+ }
+
+ }
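Review bot: `open()` passes the result of `Subject.getSubject(context)` straight to `Subject.doAs` without a null check; when the caller has not established a JAAS Subject, `doAs(null, …)` runs the action with no credentials and the GSSAPI handshake presumably fails later with an opaque error instead of a message that names the actual misconfiguration. Since `run()` throws no checked exception, the raw `PrivilegedExceptionAction` and the `PrivilegedActionException` catch (with its "we never threw" `RuntimeException`) are dead weight; `Subject.doAs(Subject, PrivilegedAction<Void>)` removes both and fixes the raw type, at the cost of swapping the two `java.security.Privileged*` imports for `java.security.PrivilegedAction`. The class Javadoc should also say that the Subject is taken from the current `AccessControlContext`, so callers know the login must be in effect on the thread that calls `open()`, and the stray leading space before `public class` should go.

```java
@Override
public void open() throws TTransportException {
  Subject subject = Subject.getSubject(AccessController.getContext());
  if (subject == null) {
    throw new TTransportException("No Subject in the current AccessControlContext; "
        + "a JAAS login must be in effect before opening the transport");
  }
  try {
    Subject.doAs(subject, new PrivilegedAction<Void>() {
      @Override
      public Void run() {
        try {
          wrapped.open();
        } catch (TTransportException tte) {
          // PrivilegedAction.run() cannot throw checked exceptions; unwrapped below.
          throw new RuntimeException(tte);
        }
        return null;
      }
    });
  } catch (RuntimeException rte) {
    if (rte.getCause() instanceof TTransportException) {
      throw (TTransportException) rte.getCause();
    }
    throw rte;
  }
}
```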