diff --git a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
index 01f9fdf0d1..4849aecba6 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
@@ -17,6 +17,7 @@
 */
 package org.apache.hadoop.hive.ql.session;
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
 import static org.apache.hadoop.hive.metastore.Warehouse.DEFAULT_DATABASE_NAME;
 import java.io.Closeable;
@@ -930,15 +931,26 @@ private void setupAuth() {
 HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER);
 authenticator.setSessionState(this);
- HiveConf pluginConf = sessionConf;
- String pluginAuthN = HiveConf.getVar(sessionConf,
+ String pluginAuthMethod = HiveConf.getVar(sessionConf,
 HiveConf.ConfVars.HIVE_SECURITY_AUTHORIZATION_PLUGIN_AUTHENTICATION);
- if (pluginAuthN.equalsIgnoreCase("kerberos")) {
- pluginConf = new HiveConf(sessionConf);
- pluginConf.set("hadoop.security.authentication", "kerberos");
+
+ UserGroupInformation ugi;
+ try {
+ ugi = UserGroupInformation.getLoginUser();
+ } catch (IOException e) {
+ throw new IllegalStateException("Unable to get current login user: " + e, e);
+ }
+ if (loginUserHasCurrentAuthMethod(ugi, pluginAuthMethod)) {
+ LOG.debug("Not setting UGI conf as passed-in authMethod of " + pluginAuthMethod + " = current.");
+ } else {
+ LOG.debug("Setting UGI conf as passed-in authMethod of " + pluginAuthMethod + " != current.");
+ Configuration conf = new Configuration();
+ conf.set(HADOOP_SECURITY_AUTHENTICATION, pluginAuthMethod);
+ UserGroupInformation.setConfiguration(conf);
 }
+
 String clsStr = HiveConf.getVar(sessionConf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
- authorizer = HiveUtils.getAuthorizeProviderManager(pluginConf,
+ authorizer = HiveUtils.getAuthorizeProviderManager(sessionConf,
 clsStr, authenticator, true);
 if (authorizer == null) {
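Review bot: `UserGroupInformation.setConfiguration(conf)` in the new `else` branch is a static call that changes Hadoop security settings for the whole JVM, whereas the removed lines confined the `kerberos` override to a copy of the session conf handed to the authorizer. Since `setupAuth()` runs per session, a `HIVE_SECURITY_AUTHORIZATION_PLUGIN_AUTHENTICATION` value that differs from the login user's method would, in a shared process, switch the mode for every other session too, including from `kerberos` down to `simple`; whether that setting can be overridden per session is not visible here and should be confirmed. The fresh `new Configuration()` also discards any Hadoop security overrides that exist only in `sessionConf`, so if the global call stays I would build it with `new Configuration(sessionConf)` and only ever raise the mode, e.g. `if ("kerberos".equalsIgnoreCase(pluginAuthMethod) && !loginUserHasCurrentAuthMethod(ugi, pluginAuthMethod)) {`. A comment above the call stating that it is process-wide, and a log level above debug for the "Setting UGI conf" message, would make the change auditable. `setupAuth()` begins and continues outside this hunk.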
@@ -953,7 +965,7 @@ private void setupAuth() {
 authzContextBuilder.setSessionString(getSessionId());
 authorizerV2 = authorizerFactory.createHiveAuthorizer(new HiveMetastoreClientFactoryImpl(),
- pluginConf, authenticator, authzContextBuilder.build());
+ sessionConf, authenticator, authzContextBuilder.build());
 setAuthorizerV2Config();
 }
@@ -969,7 +981,18 @@ private void setupAuth() {
 Object authorizationClass = getActiveAuthorizer();
 LOG.debug("Session is using authorization class " + authorizationClass.getClass());
 }
- return;
+ }
+
+ private boolean loginUserHasCurrentAuthMethod(UserGroupInformation ugi, String sAuthMethod) {
+ UserGroupInformation.AuthenticationMethod authMethod;
+ try {
+ authMethod = Enum.valueOf(UserGroupInformation.AuthenticationMethod.class, sAuthMethod.toUpperCase());
+ } catch (IllegalArgumentException iae) {
+ throw new IllegalArgumentException("Invalid attribute value for " +
+ HADOOP_SECURITY_AUTHENTICATION + " of " + sAuthMethod, iae);
+ }
+ LOG.debug("Current authMethod = " + ugi.getAuthenticationMethod());
+ return ugi.getAuthenticationMethod().equals(authMethod);
 }
 private void setAuthorizerV2Config() throws HiveException {
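Review bot: `sAuthMethod.toUpperCase()` in `loginUserHasCurrentAuthMethod` uses the JVM default locale, so a valid value such as `simple` can fail `Enum.valueOf` under a locale with special casing rules (the Turkish dotted capital I is the usual case); use `sAuthMethod.toUpperCase(Locale.ROOT)`, which needs `java.util.Locale` if the file does not already import it. The exception text names `HADOOP_SECURITY_AUTHENTICATION` although the value was read from `HIVE_SECURITY_AUTHORIZATION_PLUGIN_AUTHENTICATION`, which points an operator at the wrong setting. The removed code ignored any value other than `kerberos`, while this helper now aborts session setup on an unrecognised one, so a short Javadoc stating the accepted values and the `IllegalArgumentException` would document that stricter contract.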