diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index e298016..a8815c4 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -161,7 +161,7 @@ public String getRemoteUser() {
 }
 public String getIpAddress() {
- return saslServer != null ? saslServer.getRemoteAddress().toString() : null;
+ return saslServer != null ? saslServer.getRemoteAddress().getHostAddress() : null;
 }
 // Perform kerberos login using the hadoop shim API if the configuration is available
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
index 9e09c4f..40402c5 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
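Review bot: getIpAddress() now returns the numeric form of the SASL peer address instead of the `InetAddress.toString()` form, but the method carries no Javadoc stating that, and the callers added in ThriftCLIService by this same commit hand the string straight to the proxy-access check, so the exact shape matters. Add `/** Returns the numeric IP address of the SASL peer, or null when no SASL server is in use. */` above the method. The guard only covers saslServer; whether getRemoteAddress() can itself return null is not visible here, so callers may still need their own null check.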
@@ -203,16 +203,31 @@ public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException {
 }
 private String getIpAddress() {
- if (hiveAuthFactory != null) {
- return hiveAuthFactory.getIpAddress();
+ String clientIpAddress;
+ // Http transport mode.
+ // We set the thread local ip address, in ThriftHttpServlet.
+ if (cliService.getHiveConf().getVar(
+ ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+ clientIpAddress = SessionManager.getIpAddress();
 }
- return TSetIpAddressProcessor.getUserIpAddress();
+ else {
+ // Kerberos
+ if (isKerberosAuthMode()) {
+ clientIpAddress = hiveAuthFactory.getIpAddress();
+ }
+ // Except kerberos, NOSASL
+ else {
+ clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
+ }
+ }
+ LOG.info("Client's IP Address: " + clientIpAddress);
+ return clientIpAddress;
 }
 private String getUserName(TOpenSessionReq req) throws HiveSQLException {
 String userName = null;
 // Kerberos
- if (hiveAuthFactory != null) {
+ if (isKerberosAuthMode()) {
 userName = hiveAuthFactory.getRemoteUser();
 }
 // Except kerberos, NOSASL
@@ -541,9 +556,14 @@ public TFetchResultsResp FetchResults(TFetchResultsReq req) throws TException {
 */
 private String getProxyUser(String realUser, Map sessionConf, String ipAddress)
 throws HiveSQLException {
-
- String proxyUser = SessionManager.getProxyUserName();
- LOG.debug("Proxy user from query string: " + proxyUser);
+ String proxyUser = null;
+ // Http transport mode.
+ // We set the thread local proxy username, in ThriftHttpServlet.
+ if (cliService.getHiveConf().getVar(
+ ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+ proxyUser = SessionManager.getProxyUserName();
+ LOG.debug("Proxy user from query string: " + proxyUser);
+ }
 if (proxyUser == null && sessionConf != null &&
 sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
 String proxyUserFromThriftBody = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER);
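Review bot: The transport-mode test `cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")` is written out in full in getIpAddress here and again in getProxyUser in the next hunk (@@ -541,9), while the Kerberos test got its own isKerberosAuthMode() helper; give the HTTP check the same treatment with `private boolean isHttpTransportMode() { return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http"); }` and call it from both places, so the two mode checks cannot drift apart. The removed `hiveAuthFactory != null` guard in getIpAddress and getUserName is replaced by a configuration check only; if hiveAuthFactory can be null while KERBEROS is configured (not visible in this diff), both methods now dereference it unconditionally, so a short comment stating that invariant, or keeping the null check inside the Kerberos branch, would make the assumption explicit. The INFO-level "Client's IP Address" log fires on every OpenSession; DEBUG would match the level used for the proxy-user messages in getProxyUser.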
@@ -565,12 +585,17 @@ private String getProxyUser(String realUser, Map sessionConf,
 equalsIgnoreCase(hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION))) {
 return proxyUser;
 }
-
+
 // Verify proxy user privilege of the realUser for the proxyUser
- HiveAuthFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hiveConf);
+ HiveAuthFactory.verifyProxyAccess(realUser, proxyUser, "172.18.146.124", hiveConf);
 LOG.debug("Verified proxy user: " + proxyUser);
 return proxyUser;
 }
+
+ private boolean isKerberosAuthMode() {
+ return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+ .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString());
+ }
 }
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index 2bda9a4..60b1ab2 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -75,6 +75,7 @@ public ThriftHttpServlet(TProcessor processor, TProtocolFactory protocolFactory,
 protected void doPost(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException {
 String clientUserName;
+ String clientIpAddress;
 try {
 // For a kerberos setup
 if(isKerberosAuthMode(authType)) {
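Review bot: The `HiveAuthFactory.verifyProxyAccess` call now passes the literal `"172.18.146.124"` in place of the `ipAddress` parameter, which leaves that parameter unused and makes the proxy-user host check validate a fixed address instead of the connecting client's; this reads as a leftover from local testing and should go back to `HiveAuthFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hiveConf);`. Separately, the new isKerberosAuthMode() compares the HIVE_SERVER2_AUTHENTICATION value with `.equals(...)`, whereas the transport-mode checks in the earlier hunks use equalsIgnoreCase; if the configured value can differ in case from KERBEROS (not verifiable from this diff), the Kerberos branches in getIpAddress and getUserName would be skipped silently, so `.equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString())` is the safer comparison. The body of getProxyUser begins outside this hunk.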
@@ -83,16 +84,19 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 if (doAsQueryParam != null) {
 SessionManager.setProxyUserName(doAsQueryParam);
 }
-
 } else {
 clientUserName = doPasswdAuth(request, authType);
 }
-
 LOG.info("Client username: " + clientUserName);
-
 // Set the thread local username to be used for doAs if true
 SessionManager.setUserName(clientUserName);
+
+ clientIpAddress = request.getLocalAddr();
+ LOG.info("Client IP Address: " + clientIpAddress);
+ // Set the thread local ip address
+ SessionManager.setIpAddress(clientIpAddress);
+
 super.doPost(request, response);
 }
 catch (HttpAuthenticationException e) {
@@ -105,8 +109,9 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 response.getWriter().println("Authentication Error: " + e.getMessage());
 }
 finally {
- // Clear the thread local username since we set it in each http request
+ // Clear the thread locals
 SessionManager.clearUserName();
+ SessionManager.clearIpAddress();
 SessionManager.clearProxyUserName();
 }
 }
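Review bot: `clientIpAddress = request.getLocalAddr();` records the address of the server interface that received the request, not the caller's; in the Servlet API the peer address is `HttpServletRequest.getRemoteAddr()`, so the line should be `clientIpAddress = request.getRemoteAddr();`. As written, the value that ThriftCLIService reads back through SessionManager.getIpAddress() in HTTP mode, and that getProxyUser hands to the proxy-access host check, is the server's own address, so that check never reflects who actually connected. The "Client IP Address" log line inherits the same wrong value. The start of doPost, including the Kerberos branch, lies outside this hunk.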