diff --git a/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java b/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java index 8b2be9d2f5..623b1f78e2 100644 --- a/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java +++ b/service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java @@ -24,6 +24,7 @@ import org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge; import org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge.Server; +import org.apache.hadoop.security.SecurityUtil; import org.apache.hive.service.cli.thrift.ThriftCLIService; import org.apache.hive.service.rpc.thrift.TCLIService; import org.apache.hive.service.rpc.thrift.TCLIService.Iface; @@ -49,7 +50,7 @@ public static TTransport getKerberosTransport(String principal, String host, } if (assumeSubject) { - return createSubjectAssumedTransport(principal, underlyingTransport, saslProps); + return createSubjectAssumedTransport(principal, host, underlyingTransport, saslProps); } else { HadoopThriftAuthBridge.Client authBridge = HadoopThriftAuthBridge.getBridge().createClientWithConf("kerberos"); @@ -61,9 +62,23 @@ public static TTransport getKerberosTransport(String principal, String host, } } - public static TTransport createSubjectAssumedTransport(String principal, + /** + * Helper to wrap the {@code underlyingTransport} into an assumed kerberos principal. + * The function is used for kerberos based authentication, where {@code kerberosAuthType} + * is set to {@code fromSubject}. If also preforms a substitution of {@code _HOST} to the + * local host name, if required. + * + * @param principal The kerberos principal to assume + * @param host Host, used to replace the {@code _HOST} with + * @param underlyingTransport The I/O transport to wrap + * @param saslProps SASL property map + * @return The wrapped transport + * @throws IOException + */ + public static TTransport createSubjectAssumedTransport(String principal, String host, TTransport underlyingTransport, Map saslProps) throws IOException { - String[] names = principal.split("[/@]"); + String resolvedPrincipal = SecurityUtil.getServerPrincipal(principal, host); + String[] names = resolvedPrincipal.split("[/@]"); try { TTransport saslTransport = new TSaslClientTransport("GSSAPI", null, names[0], names[1], saslProps, null,