commit 0c5439eb3a7e319763d2de52f6bc56f26275d14e
Author: Vihang Karajgaonkar
Date: Fri Sep 29 17:38:38 2017 -0700
HIVE-17659 : get_token thrift call fails for DBTokenStore in remote HMS mode
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
index fc1dc493d7fe4512a6fdf9d4ddb41512697e63f9..014d64f2a4360bef229397a59dff510faf05f4ed 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
@@ -23,6 +23,11 @@
 import org.apache.hive.jdbc.miniHS2.MiniHS2;
 import org.junit.BeforeClass;
+/**
+ * Runs the tests defined in TestJdbcWithMiniKdc when DBTokenStore
+ * is configured in a remote secure HMS mode and impersonation
+ * is turned on
+ */
 public class TestJdbcWithDBTokenStore extends TestJdbcWithMiniKdc{
 @BeforeClass
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java
new file mode 100644
index 0000000000000000000000000000000000000000..5e1f86d53e4d296b70fbfcde0e6d364d1b6b1f25
--- /dev/null
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.minikdc;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.BeforeClass;
+
+/**
+ * Runs the tests defined in TestJdbcWithMiniKdc when DBTokenStore
+ * is configured and HMS is setup in a remote secure mode and
+ * impersonation is turned OFF
+ */
+public class TestJdbcWithDBTokenStoreNoDoAs extends TestJdbcWithMiniKdc{
+
+ @BeforeClass
+ public static void beforeTest() throws Exception {
+ Class.forName(MiniHS2.getJdbcDriverName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
+ SessionHookTest.class.getName());
+
+ HiveConf hiveConf = new HiveConf();
+ hiveConf.setVar(ConfVars.METASTORE_CLUSTER_DELEGATION_TOKEN_STORE_CLS, "org.apache.hadoop.hive.thrift.DBTokenStore");
+ miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
+ miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMSWithKerb(miniHiveKdc, hiveConf);
+ miniHS2.start(confOverlay);
+ String metastorePrincipal = miniHS2.getConfProperty(ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname);
+ String hs2Principal =
miniHS2.getConfProperty(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL.varname);
+ String hs2KeyTab = miniHS2.getConfProperty(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB.varname);
+ System.out.println("HS2 principal : " + hs2Principal + " HS2 keytab : " + hs2KeyTab + " Metastore principal : " + metastorePrincipal);
+ }
+}
\ No newline at end of file
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
index daf0f7e6ff199760ecbb6fe16c189b3efed5a64a..b92e1a7b838b0921318f2e8973e5b3505ebc9517 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
@@ -173,6 +173,31 @@ public void testTokenAuth() throws Exception {
 verifyProperty(SESSION_USER_NAME, MiniHiveKdc.HIVE_TEST_USER_1);
 }
+ @Test
+ public void testCancelRenewTokenFlow() throws Exception {
+ miniHiveKdc.loginUser(MiniHiveKdc.HIVE_TEST_SUPER_USER);
+ hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL());
+
+ // retrieve token and store in the cache
+ String token = ((HiveConnection) hs2Conn)
+ .getDelegationToken(MiniHiveKdc.HIVE_TEST_USER_1, MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+ assertTrue(token != null && !token.isEmpty());
+
+ Exception ex = null;
+ ((HiveConnection) hs2Conn).cancelDelegationToken(token);
+ try {
+ ((HiveConnection) hs2Conn).renewDelegationToken(token);
+ } catch (Exception SQLException) {
+ ex = SQLException;
+ }
+ assertTrue(ex != null && ex instanceof HiveSQLException);
+ // retrieve token and store in the cache
+ token = ((HiveConnection) hs2Conn)
+ .getDelegationToken(MiniHiveKdc.HIVE_TEST_USER_1, MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+ assertTrue(token != null && !token.isEmpty());
+
+ hs2Conn.close();
+ }
 /***
 * Negative test for token based authentication
 * Verify that a user can't retrieve a token for user that
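Review bot: Nothing in `beforeTest()` of TestJdbcWithDBTokenStoreNoDoAs visibly turns impersonation off, although the class comment says the suite runs with impersonation OFF. Unless `MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMSWithKerb` disables it (its body is not part of this diff), the no-doAs delegation-token path is not actually covered by this class. I would add `confOverlay.put(ConfVars.HIVE_SERVER2_ENABLE_DOAS.varname, "false");` before `miniHS2.start(confOverlay);`. The new file also ends without a trailing newline.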
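Review bot: In `testCancelRenewTokenFlow` the negative check is written loosely: `catch (Exception SQLException)` catches every exception type and names the variable after a class, which hides what the test expects from the renew of a cancelled token. I would narrow it to `} catch (HiveSQLException e) { ex = e; }` and keep `assertTrue(ex != null);`, so an unrelated failure surfaces as a test error instead of being stored and type-checked afterwards. `hs2Conn.close()` is skipped when an assertion fails; whether a teardown outside this hunk closes the connection is not visible. The second `// retrieve token and store in the cache` comment is a copy of the first and would read better as `// a fresh token can still be issued after the old one was cancelled`.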
diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index 4d689480e125d652258e571de828ff0d373f7c69..c6465286b286d4db948c173b0c43b72c26868a3e 100644
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -5917,7 +5917,8 @@ public String get_token(String token_identifier) throws TException {
 } finally {
 endFunction("get_token", ret != null, ex);
 }
- return ret;
+ //Thrift cannot return null result
+ return ret == null ? "" : ret;
 }
 @Override
diff --git a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
index 326ef4e99ca6ab7540508b258cc306d00e26758c..051cadb262349cc275aedf7e9397f8684fb94edc 100644
--- a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
+++ b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
@@ -24,6 +24,7 @@
 import java.util.List;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.Server.ServerMode;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenInformation;
@@ -89,7 +90,7 @@ public DelegationTokenInformation getToken(DelegationTokenIdentifier tokenIdenti
 String tokenStr = (String)invokeOnTokenStore("getToken", new Object[] {
 TokenStoreDelegationTokenSecretManager.encodeWritable(tokenIdentifier)}, String.class);
 DelegationTokenInformation result = null;
- if (tokenStr != null) {
+ if (StringUtils.isNotEmpty(tokenStr)) {
 result = HiveDelegationTokenSupport.decodeDelegationTokenInformation(Base64.decodeBase64(tokenStr));
 }
 if (LOG.isTraceEnabled()) {
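Review bot: Returning `""` from `get_token` makes the empty string the wire-level sentinel for "no such token", and the one-line comment above the return does not say so. The `DBTokenStore.getToken` hunk in this commit handles it with `StringUtils.isNotEmpty(tokenStr)`, but any other caller of `get_token` that only tests for null would now treat a missing token as present and may try to decode it, so callers outside this diff are worth checking. I would spell the contract out in the comment: `// Thrift cannot return a null string; "" means no token was found, callers must test for empty`. `endFunction` is still passed `ret != null`, so a miss is presumably recorded as unsuccessful while the call returns normally. The bodies of `get_token` and `getToken` both start outside their hunks.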