From dc76b432400e7a9baac04ece1e7d8c3e495b961a Mon Sep 17 00:00:00 2001
From: Dilli Dorai Arumugam
Date: Wed, 1 Oct 2014 14:08:36 -0700
Subject: [PATCH] HIVE-6799: HiveServer2 needs to map kerberos name to local name before proxy check
---
 .../src/java/org/apache/hive/service/auth/HiveAuthFactory.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index a0f7667..a98825a 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -23,6 +23,7 @@ import java.net.UnknownHostException;
 import java.util.HashMap;
 import java.util.Map;
+
 import javax.security.auth.login.LoginException;
 import javax.security.sasl.Sasl;
@@ -31,6 +32,7 @@ import org.apache.hadoop.hive.shims.ShimLoader;
 import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.cli.thrift.ThriftCLIService;
 import org.apache.thrift.TProcessorFactory;
@@ -287,7 +289,9 @@ public static void verifyProxyAccess(String realUser, String proxyUser, String i
 try {
 UserGroupInformation sessionUgi;
 if (ShimLoader.getHadoopShims().isSecurityEnabled()) {
- sessionUgi = ShimLoader.getHadoopShims().createProxyUser(realUser);
+ KerberosName kerbName = new KerberosName(realUser);
+ String shortPrincipalName = kerbName.getServiceName();
+ sessionUgi = ShimLoader.getHadoopShims().createProxyUser(shortPrincipalName);
 } else {
 sessionUgi = ShimLoader.getHadoopShims().createRemoteUser(realUser, null);
 }
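Review bot: `kerbName.getServiceName()` in the security-enabled branch returns only the first component of the principal, so the instance and realm are discarded without consulting the `hadoop.security.auth_to_local` rules. The proxy-privilege check then runs under that bare name, which means any authenticated principal sharing the primary of a configured proxy user (a different host instance, or a trusted foreign realm) would be evaluated with that user's proxy rights. If the intent is the mapping the subject line describes, `String shortPrincipalName = kerbName.getShortName();` applies the configured rules instead, and in the Hadoop versions I know it raises an IOException when no rule matches. The catch clause of verifyProxyAccess lies outside this hunk, so confirm it covers that exception and also the IllegalArgumentException the `KerberosName` constructor can raise on a malformed name. A short comment such as `// map the Kerberos principal to its local short name before the proxy-user lookup` would document why `realUser` is no longer passed through unchanged.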
@@ -300,5 +304,5 @@ public static void verifyProxyAccess(String realUser, String proxyUser, String i
 "Failed to validate proxy privilege of " + realUser + " for " + proxyUser, e);
 }
 }
-
+
 }
-- 
1.7.12.4 (Apple Git-37)