diff --git hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
index d47f97e..8966897 100644
--- hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
+++ hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
@@ -121,9 +121,9 @@ public void addArgs(List args) {
 if (isEnabled) {
 args.add("-D");
 args.add("hive.metastore.token.signature=" + getHcatServiceStr());
- args.add("-D");
- args.add("proxy.user.name=" + user);
 }
+ args.add("-D");
+ args.add("proxy.user.name=" + user);
 }
 class TokenWrapper {
@@ -140,6 +140,7 @@ public void addArgs(List args) {
 ugi.doAs(new PrivilegedExceptionAction() {
 public Object run() throws IOException {
 FileSystem fs = FileSystem.get(conf);
+ //todo: according to JavaDoc this seems like private API: addDelegationToken should be used
 twrapper.token = fs.getDelegationToken(ugi.getShortUserName());
 return null;
 }
diff --git shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
index 606f973..f3e5a31 100644
--- shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
+++ shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
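Review bot: In SecureProxySupport.addArgs (the first hunk), `"proxy.user.name=" + user` is now emitted even when isEnabled is false, and Java string concatenation turns a null `user` into the literal text `null`. If `user` is only assigned on the secure path (the assignment is outside this hunk, so this needs confirming), the forked process receives `proxy.user.name=null`, which passes the non-empty check this same commit adds to HadoopShimsSecure.getUGIForConf and would produce a proxy UGI for a user named "null". Guard the two added lines, e.g. `if (user != null && !user.isEmpty()) { args.add("-D"); args.add("proxy.user.name=" + user); }`, and make sure the name has been validated before it is placed on the child's command line. The property name is also repeated as a bare string literal in both files; a shared constant would keep the producer and the consumer in sync.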
@@ -445,6 +445,14 @@ public void prepareJobOutput(JobConf conf) {
 @Override
 public UserGroupInformation getUGIForConf(Configuration conf) throws IOException {
+ String doAs = conf.get("proxy.user.name");
+ if(doAs != null && doAs.length() > 0) {
+ /*this allows doAs (proxy user) to be passed along across process boundary where
+ * delegation tokens are not supported. For example, a DDL stmt via WebHCat with
+ * a doAs parameter, forks to 'hcat' which needs to start a Session that
+ * proxies the end user*/
+ return UserGroupInformation.createProxyUser(doAs, UserGroupInformation.getLoginUser());
+ }
 return UserGroupInformation.getCurrentUser();
 }
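Review bot: getUGIForConf now derives the effective identity from a plain configuration property, so any path that lets a client write `proxy.user.name` into the Configuration passed here would obtain a proxy UGI layered on the process login user; the callers of this shim are outside the hunk, so which configurations can reach it needs confirming. createProxyUser performs no authorization check of its own, which leaves the downstream services' `hadoop.proxyuser.*` rules for the login principal as the only enforcement. I would state the trust assumption in the comment, e.g. `// SECURITY: proxy.user.name must be set only by the trusted launcher (WebHCat), never from client-supplied settings`, and confirm that end users cannot override the property (for example by listing it in `hive.conf.restricted.list`). As a style point, `!doAs.isEmpty()` reads more clearly than `doAs.length() > 0`.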