diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java index e4ec0c6..d71bde3 100644 --- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java +++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java @@ -258,15 +258,12 @@ private DefaultHttpClient getHttpClient(Boolean useSsl) throws SQLException { HttpRequestInterceptor requestInterceptor; // If Kerberos if (isKerberosAuthMode()) { - if (useSsl) { - String msg = "SSL encryption is currently not supported with " + - "kerberos authentication"; - throw new SQLException(msg, " 08S01"); - } /** * Add an interceptor which sets the appropriate header in the request. * It does the kerberos authentication and get the final service ticket, * for sending to the server before every request. + * In https mode, the entire information is encrypted + * TODO: Optimize this with a mix of kerberos + using cookie. */ requestInterceptor = new HttpKerberosRequestInterceptor( sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host, getServerHttpUrl(false)); 
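Review bot: The Kerberos interceptor is still built with `getServerHttpUrl(false)`, even though removing the guard now lets this branch run with `useSsl` set to true. The helper is not visible in this hunk, but if its argument selects the URL scheme, the interceptor receives an http URL while the connection itself is https. Passing the flag through, `host, getServerHttpUrl(useSsl));`, would keep the two consistent. The new TODO about mixing Kerberos with a cookie should also say why: as written, a fresh service ticket is obtained and sent on every request. The body of `getHttpClient` starts and ends outside this hunk.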
@@ -277,46 +274,46 @@ private DefaultHttpClient getHttpClient(Boolean useSsl) throws SQLException { * In https mode, the entire information is encrypted */ requestInterceptor = new HttpBasicAuthInterceptor(getUserName(), getPassword()); - // Configure httpClient for SSL - if (useSsl) { - String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE); - String sslTrustStorePassword = sessConfMap.get( - JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD); - KeyStore sslTrustStore; - SSLSocketFactory socketFactory; - /** - * The code within the try block throws: - * 1. SSLInitializationException - * 2. KeyStoreException - * 3. IOException - * 4. NoSuchAlgorithmException - * 5. CertificateException - * 6. KeyManagementException - * 7. UnrecoverableKeyException - * We don't want the client to retry on any of these, hence we catch all - * and throw a SQLException. - */ - try { - if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) { - // Create a default socket factory based on standard JSSE trust material - socketFactory = SSLSocketFactory.getSocketFactory(); - } - else { - // Pick trust store config from the given path - sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE); - sslTrustStore.load(new FileInputStream(sslTrustStorePath), - sslTrustStorePassword.toCharArray()); - socketFactory = new SSLSocketFactory(sslTrustStore); - } - socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); - Scheme sslScheme = new Scheme("https", 443, socketFactory); - httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme); + } + // Configure httpClient for SSL + if (useSsl) { + String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE); + String sslTrustStorePassword = sessConfMap.get( + JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD); + KeyStore sslTrustStore; + SSLSocketFactory socketFactory; + /** + * The code within the try block throws: + * 1. 
SSLInitializationException + * 2. KeyStoreException + * 3. IOException + * 4. NoSuchAlgorithmException + * 5. CertificateException + * 6. KeyManagementException + * 7. UnrecoverableKeyException + * We don't want the client to retry on any of these, hence we catch all + * and throw a SQLException. + */ + try { + if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) { + // Create a default socket factory based on standard JSSE trust material + socketFactory = SSLSocketFactory.getSocketFactory(); } - catch (Exception e) { - String msg = "Could not create an https connection to " + - jdbcUriString + ". " + e.getMessage(); - throw new SQLException(msg, " 08S01", e); + else { + // Pick trust store config from the given path + sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE); + sslTrustStore.load(new FileInputStream(sslTrustStorePath), + sslTrustStorePassword.toCharArray()); + socketFactory = new SSLSocketFactory(sslTrustStore); } + socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); + Scheme sslScheme = new Scheme("https", 443, socketFactory); + httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme); + } + catch (Exception e) { + String msg = "Could not create an https connection to " + + jdbcUriString + ". " + e.getMessage(); + throw new SQLException(msg, " 08S01", e); } } httpClient.addRequestInterceptor(requestInterceptor); diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java index cfa7284..f7b1648 100644 --- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java +++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java 
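Review bot: The relocated SSL block keeps `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);`, and moving it out of the `else` branch means Kerberos connections now inherit it too. The certificate chain is still checked against the trust store, but the server name is not, so any certificate the trust store accepts will pass for any host. That undermines the "entire information is encrypted" claim in the comments when a peer on the network path holds such a certificate. Dropping the call, or using `SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER`, restores name checking; an opt-out, if needed, should be an explicit connection parameter. Separately, `new FileInputStream(sslTrustStorePath)` is never closed, and `sslTrustStorePassword.toCharArray()` will throw if the password parameter is absent. `getHttpClient` starts outside this hunk.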
@@ -29,12 +29,10 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.Shell; import org.apache.hive.service.auth.HiveAuthFactory; -import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes; import org.apache.hive.service.cli.CLIService; import org.apache.hive.service.cli.thrift.TCLIService.Iface; import org.apache.hive.service.server.ThreadFactoryWithGarbageCleanup; import org.apache.thrift.TProcessor; -import org.apache.thrift.TProcessorFactory; import org.apache.thrift.protocol.TBinaryProtocol; import org.apache.thrift.protocol.TProtocolFactory; import org.apache.thrift.server.TServlet; @@ -60,9 +58,6 @@ public ThriftHttpCLIService(CLIService cliService) { @Override public void run() { try { - // Verify config validity - verifyHttpConfiguration(hiveConf); - // HTTP Server httpServer = new org.eclipse.jetty.server.Server(); @@ -162,32 +157,4 @@ private String getHttpPath(String httpPath) { } return httpPath; } - - /** - * Verify that this configuration is supported by transportMode of HTTP - * @param hiveConf - */ - private static void verifyHttpConfiguration(HiveConf hiveConf) { - String authType = hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION); - - // Error out if KERBEROS auth mode is being used and use SSL is also set to true - if(authType.equalsIgnoreCase(AuthTypes.KERBEROS.toString()) && - hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL)) { - String msg = ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting of " + - authType + " is not supported with " + - ConfVars.HIVE_SERVER2_USE_SSL + " set to true"; - LOG.fatal(msg); - throw new RuntimeException(msg); - } - - // Warn that SASL is not used in http mode - if(authType.equalsIgnoreCase(AuthTypes.NONE.toString())) { - // NONE in case of thrift mode uses SASL - LOG.warn(ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting to " + - authType + ". SASL is not supported with http transport mode," + - " so using equivalent of " - + AuthTypes.NOSASL); - } - } - }