diff --git shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
index 8a4786c..cf739bb 100644
--- shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
+++ shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
@@ -359,14 +359,14 @@ public TTransportFactory createTransportFactory(Map saslProps)
 }
 TSaslServerTransport.Factory transFactory = new TSaslServerTransport.Factory();
+ CallbackHandler callBackHandler = new SaslDigestCallbackHandler(secretManager);
 transFactory.addServerDefinition( AuthMethod.KERBEROS.getMechanismName(), names[0], names[1], // two parts of kerberos principal
- saslProps,
- new SaslRpcServer.SaslGssCallbackHandler());
+ saslProps, callBackHandler);
 transFactory.addServerDefinition(AuthMethod.DIGEST.getMechanismName(), null, SaslRpcServer.SASL_DEFAULT_REALM,
- saslProps, new SaslDigestCallbackHandler(secretManager));
+ saslProps, callBackHandler);
 return transFactory;
 }
@@ -435,10 +435,12 @@ public String getRemoteUser() {
 /** CallbackHandler for SASL DIGEST-MD5 mechanism */
 // This code is pretty much completely based on Hadoop's
- // SaslRpcServer.SaslDigestCallbackHandler - the only reason we could not
- // use that Hadoop class as-is was because it needs a Server.Connection object
- // which is relevant in hadoop rpc but not here in the metastore - so the
+ // SaslRpcServer.SaslDigestCallbackHandler -
+ // it needs a Server.Connection object which is relevant in
+ // hadoop rpc but not here in the metastore - so the
 // code below does not deal with the Connection Server.object.
+ // It also no longer checks if the authid and authzid are equal
+ // in realm
 static class SaslDigestCallbackHandler implements CallbackHandler {
 private final DelegationTokenSecretManager secretManager;
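Review bot: The KERBEROS server definition now receives `callBackHandler`, a `SaslDigestCallbackHandler` built around `secretManager`, in place of Hadoop's `SaslRpcServer.SaslGssCallbackHandler`, and nothing at the declaration says why a token-backed DIGEST handler is safe to share with the GSSAPI mechanism; whether its `handle` answers the callbacks GSSAPI raises cannot be confirmed from this diff, where that method is only partly visible. Add a why-comment on the new line, e.g. `// One handler serves both mechanisms; GSSAPI is expected to raise only AuthorizeCallback, which this handler answers the same way as for DIGEST-MD5 - confirm if handle() changes.` The local should also be spelled `callbackHandler`, matching the `CallbackHandler` type and the usual one-word form. createTransportFactory starts outside the hunk.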
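Review bot: The Javadoc `/** CallbackHandler for SASL DIGEST-MD5 mechanism */` is now stale, because hunk 1 registers this class for the KERBEROS mechanism as well; change it to `/** CallbackHandler shared by the GSSAPI (Kerberos) and DIGEST-MD5 server definitions. */`. The added sentence `It also no longer checks if the authid and authzid are equal in realm` understates what hunk 4 does: the comparison of authid and authzid is removed altogether, not only its realm part, so the comment should name exactly which check is gone and where the requested authorization identity is validated instead. The class body continues outside the hunk.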
@@ -454,6 +456,7 @@ public SaslDigestCallbackHandler(
 private char[] encodePassword(byte[] password) {
 return new String(Base64.encodeBase64(password)).toCharArray();
 }
+ /** {@inheritDoc} */
 @Override
@@ -490,20 +493,10 @@ public void handle(Callback[] callbacks) throws InvalidToken,
 if (ac != null) {
 String authid = ac.getAuthenticationID();
 String authzid = ac.getAuthorizationID();
- if (authid.equals(authzid)) {
- ac.setAuthorized(true);
- } else {
- ac.setAuthorized(false);
- }
- if (ac.isAuthorized()) {
- if (LOG.isDebugEnabled()) {
- String username =
- SaslRpcServer.getIdentifier(authzid, secretManager).getUser().getUserName();
- LOG.debug("SASL server DIGEST-MD5 callback: setting "
- + "canonicalized client ID: " + username);
- }
- ac.setAuthorizedID(authzid);
- }
+ LOG.debug("Successfully authenticated client: authenticationID=" + authid + + "; authorizationID=" + authzid + ".");
+ ac.setAuthorized(true);
+ ac.setAuthorizedID(authzid);
 }
 }
 }
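Review bot: The rewritten AuthorizeCallback branch authorizes unconditionally — `ac.setAuthorized(true);` followed by `ac.setAuthorizedID(authzid);` — so a client that authenticated as `authid` but requested a different `authzid` is now granted that identity, and because hunk 1 registers this handler for the KERBEROS definition too, the same holds for GSSAPI-authenticated clients. The comment added in hunk 2 presents this as dropping a realm comparison, but the code drops the identity check entirely; if only realm differences are meant to be tolerated, compare the two identities with the realm stripped and keep rejecting everything else, otherwise restore `ac.setAuthorized(authid.equals(authzid));` and wrap `ac.setAuthorizedID(authzid);` in `if (ac.isAuthorized())`. The new debug line also announces "Successfully authenticated client" before any decision is made and concatenates strings without an `LOG.isDebugEnabled()` guard; log after the decision and state the outcome. handle's body begins outside the hunk.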