diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index d8f4822..5bb6acc 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -173,7 +173,7 @@ public String getRemoteUser() {
 public String getIpAddress() {
 if(saslServer != null && saslServer.getRemoteAddress() != null) {
- return saslServer.getRemoteAddress().toString();
+ return saslServer.getRemoteAddress().getHostAddress();
 } else {
 return null;
 }
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
index 046e4d9..5c87bcb 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
@@ -201,16 +201,31 @@ public TOpenSessionResp OpenSession(TOpenSessionReq req) throws TException {
 }
 private String getIpAddress() {
- if (hiveAuthFactory != null) {
- return hiveAuthFactory.getIpAddress();
+ String clientIpAddress;
+ // Http transport mode.
+ // We set the thread local ip address, in ThriftHttpServlet.
+ if (cliService.getHiveConf().getVar(
+ ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+ clientIpAddress = SessionManager.getIpAddress();
 }
- return TSetIpAddressProcessor.getUserIpAddress();
+ else {
+ // Kerberos
+ if (isKerberosAuthMode()) {
+ clientIpAddress = hiveAuthFactory.getIpAddress();
+ }
+ // Except kerberos, NOSASL
+ else {
+ clientIpAddress = TSetIpAddressProcessor.getUserIpAddress();
+ }
+ }
+ LOG.debug("Client's IP Address: " + clientIpAddress);
+ return clientIpAddress;
 }
 private String getUserName(TOpenSessionReq req) throws HiveSQLException {
 String userName = null;
 // Kerberos
- if (hiveAuthFactory != null) {
+ if (isKerberosAuthMode()) {
 userName = hiveAuthFactory.getRemoteUser();
 }
 // Except kerberos, NOSASL
@@ -539,9 +554,14 @@ public TFetchResultsResp FetchResults(TFetchResultsReq req) throws TException {
 */
 private String getProxyUser(String realUser, Map sessionConf,
 String ipAddress) throws HiveSQLException {
-
- String proxyUser = SessionManager.getProxyUserName();
- LOG.debug("Proxy user from query string: " + proxyUser);
+ String proxyUser = null;
+ // Http transport mode.
+ // We set the thread local proxy username, in ThriftHttpServlet.
+ if (cliService.getHiveConf().getVar(
+ ConfVars.HIVE_SERVER2_TRANSPORT_MODE).equalsIgnoreCase("http")) {
+ proxyUser = SessionManager.getProxyUserName();
+ LOG.debug("Proxy user from query string: " + proxyUser);
+ }
 if (proxyUser == null && sessionConf != null && sessionConf.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
 String proxyUserFromThriftBody = sessionConf.get(HiveAuthFactory.HS2_PROXY_USER);
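Review bot: In ThriftCLIService.getIpAddress() the Kerberos branch calls `hiveAuthFactory.getIpAddress()` with no null guard, whereas the removed code only dereferenced the field after `hiveAuthFactory != null`; the same applies to `hiveAuthFactory.getRemoteUser()` in getUserName(). Whether the field can be null while authentication is set to KERBEROS is not visible in this hunk, so I would either keep the guard, `if (isKerberosAuthMode() && hiveAuthFactory != null) {`, or state the invariant in a comment where the field is assigned. Note also that getIpAddress() tests the transport mode before the auth mode while getUserName() tests only the auth mode; getUserName()'s body continues outside the hunk, so it is worth confirming that HTTP plus Kerberos still resolves the user from the servlet's thread local.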
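Review bot: The transport-mode test in getProxyUser() is a verbatim copy of the one added to getIpAddress() earlier in this file, and both call `equalsIgnoreCase` on the result of `getVar(...)`, which would throw if that value were ever null. A private helper beside isKerberosAuthMode() keeps the two identity lookups from drifting apart: `private boolean isHttpTransportMode() { return "http".equalsIgnoreCase(cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_TRANSPORT_MODE)); }`. getProxyUser()'s body continues outside the hunk.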
@@ -570,5 +590,10 @@ private String getProxyUser(String realUser, Map sessionConf,
 return proxyUser;
 }
+ private boolean isKerberosAuthMode() {
+ return cliService.getHiveConf().getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)
+ .equals(HiveAuthFactory.AuthTypes.KERBEROS.toString());
+ }
+
 }
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index 2bda9a4..99ef8bc 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -20,7 +20,6 @@
 import java.io.IOException;
 import java.security.PrivilegedExceptionAction;
-
 import java.util.Map;
 import java.util.Set;
@@ -75,6 +74,7 @@ public ThriftHttpServlet(TProcessor processor, TProtocolFactory protocolFactory,
 protected void doPost(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException {
 String clientUserName;
+ String clientIpAddress;
 try {
 // For a kerberos setup
 if(isKerberosAuthMode(authType)) {
@@ -83,16 +83,19 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 if (doAsQueryParam != null) {
 SessionManager.setProxyUserName(doAsQueryParam);
 }
-
 } else {
 clientUserName = doPasswdAuth(request, authType);
 }
-
- LOG.info("Client username: " + clientUserName);
-
+ LOG.debug("Client username: " + clientUserName);
 // Set the thread local username to be used for doAs if true
 SessionManager.setUserName(clientUserName);
+
+ clientIpAddress = request.getRemoteAddr();
+ LOG.debug("Client IP Address: " + clientIpAddress);
+ // Set the thread local ip address
+ SessionManager.setIpAddress(clientIpAddress);
+
 super.doPost(request, response);
 } catch (HttpAuthenticationException e) {
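Review bot: ThriftCLIService.isKerberosAuthMode() compares the configured authentication value with a case-sensitive `.equals(...)`, while the transport-mode checks added in the same file use `equalsIgnoreCase`. A value that differs only in case would make this return false and silently send both getIpAddress() and getUserName() down the non-Kerberos path, so the identity used for the session would come from a different source than the operator configured. I would change the second line to `.equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString());` and add a one-line Javadoc saying the check reads the server configuration, not the state of `hiveAuthFactory`.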
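Review bot: In ThriftHttpServlet.doPost(), `request.getRemoteAddr()` returns the address of the immediate TCP peer, so when the HTTP endpoint sits behind a gateway or load balancer the value stored by `SessionManager.setIpAddress` is the intermediary's address rather than the end client's. ThriftCLIService passes an `ipAddress` into getProxyUser(), presumably for the proxy-user host check, which would then be evaluated against the gateway. I would record that at the call, e.g. `// Address of the direct peer; behind a reverse proxy this is the proxy, and forwarded-for headers are client-controlled unless set by a trusted hop`, rather than switch to a header-derived value. Separately, the successful-login line drops from `LOG.info` to `LOG.debug`, which removes the username from logs at the default level; if that line served as the record of HTTP logins, keep it at info. doPost()'s body starts and ends outside the hunk.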
@@ -105,8 +108,9 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 response.getWriter().println("Authentication Error: " + e.getMessage());
 } finally {
- // Clear the thread local username since we set it in each http request
+ // Clear the thread locals
 SessionManager.clearUserName();
+ SessionManager.clearIpAddress();
 SessionManager.clearProxyUserName();
 }
 }
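Review bot: The replacement comment `// Clear the thread locals` in the finally block drops the reason the old comment gave, and that reason is what stops a later edit from moving or removing these calls. Servlet container threads are normally pooled, so I would write `// Clear the per-request thread locals (user, IP, proxy user) so a reused servlet thread cannot carry one caller's identity into the next request`. doPost() starts outside the hunk.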