diff --git common/src/java/org/apache/hadoop/hive/conf/HiveConf.java common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index fce8db3df1..065942e290 100644
--- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3405,7 +3405,8 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
HIVE_LOG_TRACE_ID("hive.log.trace.id", "", "Log tracing id that can be used by upstream clients for tracking respective logs. " + "Truncated to " + LOG_PREFIX_LENGTH + " characters. Defaults to use auto-generated session id."),
-
+ HIVE_ZK_ACL("hive.zk.acl","world:anyone:rwcda","acl for hiveserver2"),
+ HIVE_ZK_AUTH("hive.zk.auth","","auth info for hiveserver2"),
HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", "hive.security.authenticator.manager,hive.security.authorization.manager," +
diff --git jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
index 8d6003ad06..b44cf258ea 100644
--- jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
+++ jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
@@ -28,6 +28,7 @@
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hive.jdbc.Utils.JdbcConnectionParams;
+import org.apache.hive.service.auth.ZkACLProvider;
import org.apache.zookeeper.Watcher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
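Review bot: hive.zk.auth carries a ZooKeeper credential (the new ZkACLProvider feeds it to ZKUtil.parseAuth, i.e. scheme:auth entries such as digest:user:password), yet it is added as an ordinary ConfVar described only as "auth info for hiveserver2"; if this file has a hidden-list ConfVar next to the restricted list shown below, hive.zk.auth should be added to it so `set` output and the web UI do not print it, and the description should state the format and that an @/path/to/file value is resolved through ZKUtil.resolveConfIndirection. The default hive.zk.acl=world:anyone:rwcda grants everyone full control of the HiveServer2 znodes, so its description should say so rather than "acl for hiveserver2", e.g. `HIVE_ZK_ACL("hive.zk.acl", "world:anyone:rwcda", "Comma-separated ZooKeeper ACL (scheme:id:perms) or @file applied to the znodes HiveServer2 creates; the default grants everyone full control."),` and `HIVE_ZK_AUTH("hive.zk.auth", "", "ZooKeeper auth info (scheme:auth, e.g. digest:user:password) or @file that HiveServer2 presents when creating those znodes; treat as a secret."),`.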
@@ -56,8 +57,8 @@ static void configureConnParams(JdbcConnectionParams connParams)
List serverHosts;
Random randomizer = new Random();
String serverNode;
- CuratorFramework zooKeeperClient =
- CuratorFrameworkFactory.builder().connectString(zooKeeperEnsemble)
+ ZkACLProvider zookeeperAclBuilder = new ZkACLProvider().invoke();
+ CuratorFramework zooKeeperClient = zookeeperAclBuilder.setzkAclBuilder(CuratorFrameworkFactory.builder()).connectString(zooKeeperEnsemble)
.retryPolicy(new ExponentialBackoffRetry(1000, 3)).build();
try {
zooKeeperClient.start();
diff --git service/src/java/org/apache/hive/service/auth/ZkACLProvider.java service/src/java/org/apache/hive/service/auth/ZkACLProvider.java
new file mode 100644
index 0000000000..4da847a909
--- /dev/null
+++ service/src/java/org/apache/hive/service/auth/ZkACLProvider.java
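Review bot: The JDBC driver now depends on org.apache.hive.service.auth.ZkACLProvider from the service module, and ZkACLProvider.invoke() reads hive.zk.acl/hive.zk.auth from a fresh new HiveConf() (see the new file later in this diff), i.e. from a hive-site.xml on the client machine; a JDBC client generally has neither the service jar nor the server's configuration, so connParams (the connection URL) is the natural place for any ZooKeeper auth the client needs. This client appears only to read the service-discovery znodes, so it needs no ACL provider at all and needs auth only when those znodes are not world-readable; if the driver must authenticate, apply `.authorization(scheme, auth)` from connection parameters instead of pulling in the server-side helper, which also silently swallows its own configuration errors. The body of configureConnParams continues outside the hunk.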
@@ -0,0 +1,121 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth;
+
+import org.apache.curator.framework.CuratorFrameworkFactory;
+import org.apache.curator.framework.api.ACLProvider;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.util.ZKUtil;
+import org.apache.zookeeper.ZooDefs;
+import org.apache.zookeeper.data.ACL;
+
+import java.util.Collections;
+import java.util.List;
+
+public class ZkACLProvider {
+ private List zkAcls;
+ private List zkAuthInfo;
+ private boolean isNeedAcl = false;
+
+ public CuratorFrameworkFactory.Builder setzkAclBuilder(CuratorFrameworkFactory.Builder builder) {
+
+ CuratorFrameworkFactory.Builder tmpBuilder;
+ ACLProvider aclProvider;
+ if (isNeedAcl() == false) {
+ return builder;
+ }
+
+ aclProvider = new ACLProvider() {
+ private List acl;
+
+ @Override
+ public List getDefaultAcl() {
+ if (acl == null) {
+ this.acl = zkAcls;
+ }
+ return acl;
+ }
+
+ @Override
+ public List getAclForPath(String path) {
+ return acl;
+ }
+ };
+
+ tmpBuilder = builder.aclProvider(aclProvider);
+
+
+ for (ZKUtil.ZKAuthInfo auth : zkAuthInfo) {
+ tmpBuilder = 
tmpBuilder.authorization(auth.getScheme(), auth.getAuth());
+ }
+ return tmpBuilder;
+ }
+
+ public ZkACLProvider invoke() {
+ try {
+ isNeedAcl = true;
+ zkAcls = getZKAcls();
+ zkAuthInfo = getZKAuths();
+ } catch (Exception e) {
+ isNeedAcl = false;
+ return this;
+ }
+ return this;
+ }
+
+ public static List getZKAcls() throws Exception {
+ List nodeAcls;
+ HiveConf hiveConf = new HiveConf();
+ String zkAclConf = hiveConf.getVar(HiveConf.ConfVars.HIVE_ZK_ACL);
+ try {
+ zkAclConf = ZKUtil.resolveConfIndirection(zkAclConf);
+ nodeAcls = ZKUtil.parseACLs(zkAclConf);
+ } catch (Exception e) {
+ throw e;
+ }
+
+ if (UserGroupInformation.isSecurityEnabled()) {
+ // Read all to the world
+ nodeAcls.addAll(ZooDefs.Ids.READ_ACL_UNSAFE);
+ // Create/Delete/Write/Admin to the authenticated user
+ nodeAcls.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
+ }
+
+ return nodeAcls;
+ }
+
+ public static List getZKAuths() throws Exception {
+ HiveConf hiveConf=new HiveConf();
+ String zkAuthConf = hiveConf.getVar(HiveConf.ConfVars.HIVE_ZK_AUTH);
+ try {
+ zkAuthConf = ZKUtil.resolveConfIndirection(zkAuthConf);
+ if (zkAuthConf != null) {
+ return ZKUtil.parseAuth(zkAuthConf);
+ } else {
+ return Collections.emptyList();
+ }
+ } catch (Exception e) {
+ throw e;
+ }
+ }
+
+ public boolean isNeedAcl() {
+ return isNeedAcl;
+ }
+}
diff --git service/src/java/org/apache/hive/service/server/HiveServer2.java service/src/java/org/apache/hive/service/server/HiveServer2.java
index e5f449122b..ec94ad4198 100644
--- service/src/java/org/apache/hive/service/server/HiveServer2.java
+++ service/src/java/org/apache/hive/service/server/HiveServer2.java
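Review bot: getZKAcls keeps the configured ACL even when security is enabled, so with the default hive.zk.acl=world:anyone:rwcda a Kerberized HiveServer2 now creates znodes that anyone can write, delete and re-ACL, whereas the provider this commit deletes from HiveServer2 gave the world read-only access plus ALL to the authenticated identity; in secure mode any world-scheme entry from the configuration should be dropped (or reduced to read) before READ_ACL_UNSAFE and AUTH_IDS are appended. invoke() also catches every Exception and silently flips isNeedAcl to false, so a typo in hive.zk.acl or hive.zk.auth makes the server register under whatever ACL Curator applies without a provider (presumably its open default) with nothing logged; at minimum log the cause, and the server-side callers should probably fail rather than degrade. The two `try { ... } catch (Exception e) { throw e; }` blocks are no-ops and can be removed, and getAclForPath returns the acl field, which is null until getDefaultAcl has been called once, so `return getDefaultAcl();` is the safer body rather than relying on Curator's call order. Both helpers build a fresh new HiveConf() instead of taking the caller's HiveConf, which hides overrides the server or tests set programmatically; an overload taking a HiveConf would keep the callers' configuration authoritative.
```java
  public static List<ACL> getZKAcls() throws Exception {
    HiveConf hiveConf = new HiveConf();
    String zkAclConf = ZKUtil.resolveConfIndirection(hiveConf.getVar(HiveConf.ConfVars.HIVE_ZK_ACL));
    List<ACL> nodeAcls = ZKUtil.parseACLs(zkAclConf);
    if (UserGroupInformation.isSecurityEnabled()) {
      // Kerberized cluster: never let a configured (or default) world:anyone entry grant more than
      // read, otherwise the hive.zk.acl default silently reopens znodes the old provider locked down.
      for (int i = nodeAcls.size() - 1; i >= 0; i--) {
        if ("world".equals(nodeAcls.get(i).getId().getScheme())) {
          nodeAcls.remove(i);
        }
      }
      // Read for everyone, Create/Delete/Write/Admin only for the authenticated identity.
      nodeAcls.addAll(ZooDefs.Ids.READ_ACL_UNSAFE);
      nodeAcls.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
    }
    return nodeAcls;
  }
  // … unchanged: getZKAuths, isNeedAcl …
```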
@@ -73,6 +73,7 @@
import org.apache.hive.http.LlapServlet;
import org.apache.hive.service.CompositeService;
import org.apache.hive.service.ServiceException;
+import org.apache.hive.service.auth.ZkACLProvider;
import org.apache.hive.service.cli.CLIService;
import org.apache.hive.service.cli.thrift.ThriftBinaryCLIService;
import org.apache.hive.service.cli.thrift.ThriftCLIService;
@@ -259,32 +260,6 @@ public static boolean isKerberosAuthMode(HiveConf hiveConf) {
return false;
}
- /**
- * ACLProvider for providing appropriate ACLs to CuratorFrameworkFactory
- */
- private final ACLProvider zooKeeperAclProvider = new ACLProvider() {
-
- @Override
- public List getDefaultAcl() {
- List nodeAcls = new ArrayList();
- if (UserGroupInformation.isSecurityEnabled()) {
- // Read all to the world
- nodeAcls.addAll(Ids.READ_ACL_UNSAFE);
- // Create/Delete/Write/Admin to the authenticated user
- nodeAcls.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
- } else {
- // ACLs for znodes on a non-kerberized cluster
- // Create/Read/Delete/Write/Admin to the world
- nodeAcls.addAll(Ids.OPEN_ACL_UNSAFE);
- }
- return nodeAcls;
- }
-
- @Override
- public List getAclForPath(String path) {
- return getDefaultAcl();
- }
- };
/**
* Adds a server instance to ZooKeeper as a znode.
@@ -306,10 +281,9 @@ private void addServerInstanceToZooKeeper(HiveConf hiveConf) throws Exception {
int maxRetries = hiveConf.getIntVar(HiveConf.ConfVars.HIVE_ZOOKEEPER_CONNECTION_MAX_RETRIES);
// Create a CuratorFramework instance to be used as the ZooKeeper client
// Use the zooKeeperAclProvider to create appropriate ACLs
- zooKeeperClient =
- CuratorFrameworkFactory.builder().connectString(zooKeeperEnsemble)
- .sessionTimeoutMs(sessionTimeout).aclProvider(zooKeeperAclProvider)
- .retryPolicy(new ExponentialBackoffRetry(baseSleepTime, maxRetries)).build();
+ ZkACLProvider zookeeperAclBuilder = new ZkACLProvider().invoke();
+ zooKeeperClient = zookeeperAclBuilder.setzkAclBuilder(CuratorFrameworkFactory.builder()).connectString(zooKeeperEnsemble).
+ sessionTimeoutMs(sessionTimeout).retryPolicy(new ExponentialBackoffRetry(baseSleepTime, maxRetries)).build();
zooKeeperClient.start();
// Create the parent znodes recursively; ignore if the parent already exists.
try {
@@ -660,9 +634,9 @@ static void deleteServerInstancesFromZooKeeper(String versionNumber) throws Exce
String rootNamespace = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_ZOOKEEPER_NAMESPACE);
int baseSleepTime = (int) hiveConf.getTimeVar(HiveConf.ConfVars.HIVE_ZOOKEEPER_CONNECTION_BASESLEEPTIME, TimeUnit.MILLISECONDS);
int maxRetries = hiveConf.getIntVar(HiveConf.ConfVars.HIVE_ZOOKEEPER_CONNECTION_MAX_RETRIES);
- CuratorFramework zooKeeperClient =
- CuratorFrameworkFactory.builder().connectString(zooKeeperEnsemble)
- .retryPolicy(new ExponentialBackoffRetry(baseSleepTime, maxRetries)).build();
+ ZkACLProvider zookeeperAclBuilder = new ZkACLProvider().invoke();
+ CuratorFramework zooKeeperClient = zookeeperAclBuilder.setzkAclBuilder(CuratorFrameworkFactory.builder()).connectString(zooKeeperEnsemble).
+ retryPolicy(new ExponentialBackoffRetry(baseSleepTime, maxRetries)).build();
zooKeeperClient.start();
List znodePaths = zooKeeperClient.getChildren().forPath(
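Review bot: The retained comment `// Use the zooKeeperAclProvider to create appropriate ACLs` now refers to the field this commit deletes; update it to `// Let ZkACLProvider install the ACL provider and auth info from hive.zk.acl / hive.zk.auth`. addServerInstanceToZooKeeper has hiveConf in hand, but new ZkACLProvider().invoke() ignores it and builds its own HiveConf (see the new file), so ACL or auth overrides applied to this server's configuration object are not guaranteed to be seen; it is worth passing hiveConf through once ZkACLProvider accepts one. invoke() also swallows configuration errors, so a bad hive.zk.acl silently leaves these service-discovery znodes without the intended ACL — the server should log or refuse to register here rather than start degraded. The method body continues outside the hunk.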