diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index a0f7667..dd0d7bd 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -136,15 +136,17 @@ public TTransportFactory getAuthTransFactory() throws LoginException {
 return transportFactory;
 }
+ /**
+ * Returns the thrift processor factory for HiveServer2 running in binary mode
+ * @param service
+ * @return
+ * @throws LoginException
+ */
 public TProcessorFactory getAuthProcFactory(ThriftCLIService service) throws LoginException {
- if ("http".equalsIgnoreCase(transportMode)) {
- return HttpAuthUtils.getAuthProcFactory(service);
+ if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
+ return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
 } else {
- if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
- return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
- } else {
- return PlainSaslHelper.getPlainProcessorFactory(service);
- }
+ return PlainSaslHelper.getPlainProcessorFactory(service);
 }
 }
diff --git a/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java b/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java
index 07e8c9a..10b6c79 100644
--- a/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java
+++ b/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java
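Review bot: getAuthProcFactory in the HiveAuthFactory hunk no longer looks at transportMode, so a caller in http mode now silently receives the Kerberos or plain SASL processor factory instead of an http-aware one or an error; either reject that case explicitly or state the binary-only precondition in the Javadoc body rather than only in its summary line. The new Javadoc's `@param service`, `@return` and `@throws LoginException` tags are empty, which javadoc lint flags and which tells a reader nothing. Suggested text: `@param service the ThriftCLIService the returned processor dispatches to` and `@return a Kerberos SASL processor factory when the configured auth type is KERBEROS, otherwise the plain SASL processor factory`; for `@throws`, say when the helpers raise it, or drop the tag if they cannot.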
@@ -22,17 +22,10 @@
 import java.security.PrivilegedExceptionAction;
 import org.apache.commons.codec.binary.Base64;
-import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.shims.ShimLoader;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hive.service.cli.thrift.TCLIService;
-import org.apache.hive.service.cli.thrift.TCLIService.Iface;
-import org.apache.hive.service.cli.thrift.ThriftCLIService;
 import org.apache.http.protocol.BasicHttpContext;
 import org.apache.http.protocol.HttpContext;
-import org.apache.thrift.TProcessor;
-import org.apache.thrift.TProcessorFactory;
-import org.apache.thrift.transport.TTransport;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSManager;
@@ -48,11 +41,7 @@
 public static final String AUTHORIZATION = "Authorization";
 public static final String BASIC = "Basic";
 public static final String NEGOTIATE = "Negotiate";
-
- public static TProcessorFactory getAuthProcFactory(ThriftCLIService service) {
- return new HttpCLIServiceProcessorFactory(service);
- }
-
+
 /**
 * @return Stringified Base64 encoded kerberosAuthHeader on success
 */
@@ -87,26 +76,6 @@
 private HttpAuthUtils() {
 throw new UnsupportedOperationException("Can't initialize class");
 }
- public static class HttpCLIServiceProcessorFactory extends TProcessorFactory {
-
- private final ThriftCLIService service;
- private final HiveConf hiveConf;
- private final boolean isDoAsEnabled;
-
- public HttpCLIServiceProcessorFactory(ThriftCLIService service) {
- super(null);
- this.service = service;
- hiveConf = service.getHiveConf();
- isDoAsEnabled = hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS);
- }
-
- @Override
- public TProcessor getProcessor(TTransport trans) {
- TProcessor baseProcessor = new TCLIService.Processor(service);
- return isDoAsEnabled ? new HttpCLIServiceUGIProcessor(baseProcessor) : baseProcessor;
- }
- }
-
 public static class HttpKerberosClientAction implements PrivilegedExceptionAction {
 public static final String HTTP_RESPONSE = "HTTP_RESPONSE";
diff --git a/service/src/java/org/apache/hive/service/auth/HttpCLIServiceUGIProcessor.java b/service/src/java/org/apache/hive/service/auth/HttpCLIServiceUGIProcessor.java
deleted file mode 100644
index 245d793..0000000
--- a/service/src/java/org/apache/hive/service/auth/HttpCLIServiceUGIProcessor.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hive.service.auth;
-
-import java.io.IOException;
-import java.security.PrivilegedExceptionAction;
-import java.util.ArrayList;
-
-import org.apache.hadoop.hive.shims.HadoopShims;
-import org.apache.hadoop.hive.shims.ShimLoader;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hive.service.cli.session.SessionManager;
-import org.apache.thrift.TException;
-import org.apache.thrift.TProcessor;
-import org.apache.thrift.protocol.TProtocol;
-
-/**
- * Wraps the underlying Thrift processor's process call,
- * to assume the client user's UGI/Subject for the doAs calls.
- * Gets the client's username from a ThreadLocal in SessionManager which is
- * set in the ThriftHttpServlet, and constructs a client UGI object from that.
- */
-public class HttpCLIServiceUGIProcessor implements TProcessor {
-
- private final TProcessor underlyingProcessor;
- private final HadoopShims shim;
-
- public HttpCLIServiceUGIProcessor(TProcessor underlyingProcessor) {
- this.underlyingProcessor = underlyingProcessor;
- shim = ShimLoader.getHadoopShims();
- }
-
- @Override
- public boolean process(final TProtocol in, final TProtocol out) throws TException {
- /*
- * Build the client UGI from ThreadLocal username [SessionManager.getUserName()].
- * The ThreadLocal username is set in the ThriftHttpServlet.
- */
- try {
- UserGroupInformation clientUgi =
- shim.createRemoteUser(SessionManager.getUserName(), new ArrayList());
- return shim.doAs(clientUgi, new PrivilegedExceptionAction() {
- @Override
- public Boolean run() {
- try {
- return underlyingProcessor.process(in, out);
- } catch (TException te) {
- throw new RuntimeException(te);
- }
- }
- });
- } catch (RuntimeException rte) {
- if (rte.getCause() instanceof TException) {
- throw (TException) rte.getCause();
- }
- throw rte;
- } catch (InterruptedException ie) {
- throw new RuntimeException(ie); // unexpected!
- } catch (IOException ioe) {
- throw new RuntimeException(ioe); // unexpected!
- }
- }
-}
diff --git a/service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java b/service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
index 0149dcf..645e3e2 100644
--- a/service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
+++ b/service/src/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
@@ -18,7 +18,6 @@
 package org.apache.hive.service.auth;
-import org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore.Processor;
 import org.apache.hive.service.cli.thrift.TCLIService;
 import org.apache.hive.service.cli.thrift.TCLIService.Iface;
 import org.apache.thrift.TException;
@@ -43,7 +42,7 @@
 */
 public class TSetIpAddressProcessor extends TCLIService.Processor {
- private static final Logger LOGGER = LoggerFactory.getLogger(Processor.class.getName());
+ private static final Logger LOGGER = LoggerFactory.getLogger(TSetIpAddressProcessor.class.getName());
 public TSetIpAddressProcessor(Iface iface) {
 super(iface);
diff --git a/service/src/java/org/apache/hive/service/cli/session/SessionManager.java b/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
index 4654acc..ecc9b96 100644
--- a/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
+++ b/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
@@ -229,6 +229,23 @@ public SessionHandle openSession(TProtocolVersion protocol, String username, Str
 return openSession(protocol, username, password, ipAddress, sessionConf, false, null);
 }
+ /**
+ * Opens a new session and creates a session handle.
+ * The username passed to this method is the effective username.
+ * If withImpersonation is true (==doAs true) we wrap all the calls in HiveSession
+ * within a UGI.doAs, where UGI corresponds to the effective user.
+ * @see org.apache.hive.service.cli.thrift.ThriftCLIService#getUserName()
+ *
+ * @param protocol
+ * @param username
+ * @param password
+ * @param ipAddress
+ * @param sessionConf
+ * @param withImpersonation
+ * @param delegationToken
+ * @return
+ * @throws HiveSQLException
+ */
 public SessionHandle openSession(TProtocolVersion protocol, String username, String password, String ipAddress, Map sessionConf, boolean withImpersonation, String delegationToken) throws HiveSQLException {
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
index c4b273c..4a1e004 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
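Review bot: Style point on the TSetIpAddressProcessor logger line: `LoggerFactory.getLogger(TSetIpAddressProcessor.class)` is the conventional SLF4J form and yields the same logger name as passing `getName()`. The fix itself is worthwhile, since the old line registered this class's output under the metastore Processor name, which misattributes HiveServer2 auth-path log lines during incident triage.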
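Review bot: The Javadoc added to the seven-argument SessionManager.openSession leaves every `@param`, the `@return` and the `@throws HiveSQLException` tag empty, which is worse than omitting them. The prose carries the security-relevant contract — `username` is already the effective user and `withImpersonation` wraps HiveSession calls in a UGI.doAs for that user — so put it where tooling and readers look, e.g. `@param username the effective user, already checked for proxy permission by ThriftCLIService.getUserName(TOpenSessionReq)` and `@param withImpersonation when true, session operations run inside a UGI.doAs for {@code username}`. The `@see` target `#getUserName()` names no parameter and points at a private method of another class, so javadoc will likely not resolve it; `#getUserName(TOpenSessionReq)` matches the signature this commit documents. The openSession body lies outside the hunk.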
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
@@ -262,6 +262,16 @@ private String getIpAddress() {
 return clientIpAddress;
 }
+ /**
+ * Returns the effective username.
+ * 1. If hive.server2.allow.user.substitution = false: the username of the connecting user
+ * 2. If hive.server2.allow.user.substitution = true: the username of the end user,
+ * that the connecting user is trying to proxy for.
+ * This includes a check whether the connecting user is allowed to proxy for the end user.
+ * @param req
+ * @return
+ * @throws HiveSQLException
+ */
 private String getUserName(TOpenSessionReq req) throws HiveSQLException {
 String userName = null;
 // Kerberos
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
index 795115e..cfa7284 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
@@ -31,6 +31,7 @@
 import org.apache.hive.service.auth.HiveAuthFactory;
 import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
 import org.apache.hive.service.cli.CLIService;
+import org.apache.hive.service.cli.thrift.TCLIService.Iface;
 import org.apache.hive.service.server.ThreadFactoryWithGarbageCleanup;
 import org.apache.thrift.TProcessor;
 import org.apache.thrift.TProcessorFactory;
@@ -102,8 +103,7 @@ public void run() {
 // Thrift configs
 hiveAuthFactory = new HiveAuthFactory(hiveConf);
- TProcessorFactory processorFactory = hiveAuthFactory.getAuthProcFactory(this);
- TProcessor processor = processorFactory.getProcessor(null);
+ TProcessor processor = new TCLIService.Processor(this);
 TProtocolFactory protocolFactory = new TBinaryProtocol.Factory();
 // Set during the init phase of HiveServer2 if auth mode is kerberos
 // UGI for the hive/_HOST (kerberos) principal
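Review bot: The Javadoc added to ThriftCLIService.getUserName leaves `@param req`, `@return` and `@throws HiveSQLException` empty, and the throws clause is the one a reviewer of the proxy check needs: `@throws HiveSQLException if the connecting user is not permitted to proxy for the requested end user` (assuming that is where the check described in the prose fails; the method body is outside the hunk). Case 1 should also say what happens to a proxy-user request when hive.server2.allow.user.substitution is false — silently ignored versus rejected — since a silently ignored request is easy to mistake for a granted one in logs and tests.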
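Review bot: `TProcessor processor = new TCLIService.Processor(this);` in the @@ -102 hunk of ThriftHttpCLIService drops the processor-level UGI wrapper that HttpCLIServiceProcessorFactory used to add when HIVE_SERVER2_ENABLE_DOAS was set, and nothing at the call site says where impersonation now happens; the Javadoc this commit adds to SessionManager.openSession says it moved into HiveSession under withImpersonation. Record that here so it is neither re-added nor assumed missing: `// No UGI wrapper here: with doAs enabled, impersonation is applied per session (SessionManager.openSession, withImpersonation) after the proxy-user check in ThriftCLIService.getUserName.` In the @@ -31 hunk the added `Iface` import is not referenced on the new line as shown, and `TProcessorFactory` appears unused in this file after the change; confirm and drop whichever is dead (a type argument such as `Processor<Iface>` may have been lost in rendering). The enclosing run() continues past the hunk.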