diff --git hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
index d47f97e..8966897 100644
--- hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
+++ hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/SecureProxySupport.java
@@ -121,9 +121,9 @@ public void addArgs(List args) {
 if (isEnabled) {
 args.add("-D");
 args.add("hive.metastore.token.signature=" + getHcatServiceStr());
- args.add("-D");
- args.add("proxy.user.name=" + user);
 }
+ args.add("-D");
+ args.add("proxy.user.name=" + user);
 }
 class TokenWrapper {
@@ -140,6 +140,7 @@ public void addArgs(List args) {
 ugi.doAs(new PrivilegedExceptionAction() {
 public Object run() throws IOException {
 FileSystem fs = FileSystem.get(conf);
+ //todo: according to JavaDoc this seems like private API: addDelegationToken should be used
 twrapper.token = fs.getDelegationToken(ugi.getShortUserName());
 return null;
 }
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
index 7c89f96..95a98fe 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/ProxyUserAuthenticator.java
@@ -30,6 +30,8 @@
 * but honours a proxy config setting proxy.user.name instead of the
 * current user if set. This allows server processes like webhcat which
 * proxy other users to easily specify an override if allowed.
+ *
+ * It is no longer necessary to use this class with WebHCat as of Hive 0.14.
 */
 public class ProxyUserAuthenticator extends HadoopDefaultAuthenticator {
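Review bot: In `SecureProxySupport.addArgs` the `proxy.user.name` pair is now appended unconditionally, so a `user` field that is still null goes out as the literal argument `proxy.user.name=null`; the field is assigned outside this hunk, so I cannot confirm it is always set before `addArgs` runs. The new check in `HadoopShimsSecure.getUGIForConf` only rejects null and empty strings, so that value would be accepted and turned into a proxy UGI for a user named "null". I would wrap the two added lines in `if (user != null && !user.isEmpty()) {` … `}`, or fail fast instead. A short comment such as `// passed to the forked hcat process, which trusts it as the doAs identity` would also record why the argument is no longer tied to `isEnabled`.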
diff --git shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
index 606f973..eb4a1ea 100644
--- shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
+++ shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
@@ -445,6 +445,16 @@ public void prepareJobOutput(JobConf conf) {
 @Override
 public UserGroupInformation getUGIForConf(Configuration conf) throws IOException {
+ String doAs = conf.get("proxy.user.name");
+ if(doAs != null && doAs.length() > 0) {
+ /*
+ * this allows doAs (proxy user) to be passed along across process boundary where
+ * delegation tokens are not supported. For example, a DDL stmt via WebHCat with
+ * a doAs parameter, forks to 'hcat' which needs to start a Session that
+ * proxies the end user
+ */
+ return UserGroupInformation.createProxyUser(doAs, UserGroupInformation.getLoginUser());
+ }
 return UserGroupInformation.getCurrentUser();
 }
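Review bot: `getUGIForConf` now trusts whatever `proxy.user.name` the `Configuration` carries, and nothing in this hunk checks that the value came from the WebHCat launcher rather than from any other party able to set a configuration property. Every caller of this shim method (all outside the hunk) would then receive a proxy UGI for the named user on top of the login user. Code that only reads the UGI's user name for ownership or authorization decisions would therefore see the claimed identity, and Hadoop's `hadoop.proxyuser.*` rules presumably apply only once an RPC is made with that UGI. I would extend the block comment to state the trust assumption, e.g. `* NOTE: proxy.user.name is trusted as-is; it must only be set by the launching server process and should not be user-settable (consider hive.conf.restricted.list)`. The key string would also be better as one shared constant, since `SecureProxySupport.addArgs` builds the same literal.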