diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 97cffff256..ff3b0263bb 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2582,7 +2582,13 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "this is set to false, however unless MAPREDUCE-7086 fix is present, queries that\n" +
 "read MM tables with original files will fail. The default in Hive 3.0 is false."),
- // Zookeeper related configs
+ // Zookeeper related configs
+ HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION("hive.security.zookeeper.authentication",
+ "default", new StringSet("default", "simple"),
+ "Whether authentication type configured for Zookeeper is different from the default cluster wide\n" +
+ "set under `hadoop.security.authentication`. This could be useful in case when cluster\n" +
+ "is kerberized, but Zookeeper is not."),
+
 HIVE_ZOOKEEPER_QUORUM("hive.zookeeper.quorum", "",
 "List of ZooKeeper servers to talk to. This is needed for: \n" +
 "1. Read/write locks - when hive.lock.manager is set to \n" +
diff --git a/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZkRegistryBase.java b/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZkRegistryBase.java
index e56ae114fe..85d0e0a862 100644
--- a/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZkRegistryBase.java
+++ b/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZkRegistryBase.java
@@ -119,6 +119,8 @@
 /** Local hostname. */
 protected static final String hostname = RegistryUtilities.getCanonicalHostName();
+ private final boolean isSecurityEnabled;
+
 /**
 * @param rootNs A single root namespace override. Not recommended.
 * @param nsPrefix The namespace prefix to use with default namespaces (appends 'sasl' for secure else 'unsecure' 
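Review bot: The description of HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION does not say what `simple` does to znode protection, which is the part an operator needs: per the HiveServer2 and ZkRegistryBase hunks in this commit, `simple` on a Kerberized cluster skips the ZK SASL login and makes the registry znodes use OPEN_ACL_UNSAFE, so they become writable by anything that can reach the ensemble. The text also reads as a boolean ("Whether ... is different") while the accepted values are `default` and `simple`. Suggested wording: `"Authentication type for the ZooKeeper ensemble: 'default' follows hadoop.security.authentication; 'simple' means ZooKeeper is not kerberized even if the cluster is, so no SASL login is set up and HS2/LLAP znodes are created with open ACLs."` Note that the ZkRegistryBase, ZookeeperUtils and HS2ActivePassiveHARegistryClient hunks compare against the raw key string rather than this ConfVars entry.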
@@ -160,7 +162,11 @@ public ZkRegistryBase(String instanceName, Configuration conf, String rootNs, St
 this.stateChangeListeners = new HashSet<>();
 this.pathToInstanceCache = new ConcurrentHashMap<>();
 this.nodeToInstanceCache = new ConcurrentHashMap<>();
- final String namespace = getRootNamespace(rootNs, nsPrefix);
+
+ isSecurityEnabled = !UserGroupInformation.AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
+ conf.get("hive.security.zookeeper.authentication", "default"));
+ final String namespace = getRootNamespace(isSecurityEnabled, rootNs, nsPrefix);
+
 ACLProvider aclProvider;
 // get acl provider for most outer path that is non-null
 if (userPathPrefix == null) {
@@ -180,8 +186,8 @@ public ZkRegistryBase(String instanceName, Configuration conf, String rootNs, St
 this.zooKeeperClient.getConnectionStateListenable().addListener(new ZkConnectionStateListener());
 }
- public static String getRootNamespace(String userProvidedNamespace, String defaultNamespacePrefix) {
- final boolean isSecure = UserGroupInformation.isSecurityEnabled();
+ public static String getRootNamespace(boolean isSecurityEnabled, String userProvidedNamespace, String defaultNamespacePrefix) {
+ final boolean isSecure = UserGroupInformation.isSecurityEnabled() && isSecurityEnabled;
 String rootNs = userProvidedNamespace;
 if (rootNs == null) {
 rootNs = defaultNamespacePrefix + (isSecure ? SASL_NAMESPACE : UNSECURE_NAMESPACE);
@@ -190,7 +196,7 @@ public static String getRootNamespace(String userProvidedNamespace, String defau
 }
 private ACLProvider getACLProviderForZKPath(String zkPath) {
- final boolean isSecure = UserGroupInformation.isSecurityEnabled();
+ final boolean isSecure = UserGroupInformation.isSecurityEnabled() && isSecurityEnabled;
 return new ACLProvider() {
 @Override
 public List getDefaultAcl() {
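Review bot: The decision `!UserGroupInformation.AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(conf.get("hive.security.zookeeper.authentication", "default"))` is copied verbatim here, in ZookeeperUtils.setupZookeeperAuth and in HS2ActivePassiveHARegistryClient.getClient, each with the key as a string literal, while HiveServer2 reads the same setting through ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION. One helper such as `public static boolean isZkSecurityEnabled(Configuration conf)` in ZookeeperUtils, returning `UserGroupInformation.isSecurityEnabled() && !AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(conf.get(KEY, "default"))`, would keep the four call sites from drifting (a mistyped literal silently falls back to "default", i.e. the secure path, which is fail-safe but inconsistent). The field name `isSecurityEnabled` also reads like the UGI flag it is later ANDed with; `zkAuthEnabled`, or a short comment on the field declared in the -119 hunk, would make the distinction explicit. The constructor continues outside this hunk.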
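Review bot: getRootNamespace is public static and gains a leading boolean, so any caller not updated by this commit (none is visible here, but the method is public) stops compiling, and the new parameter has no Javadoc even though it now changes the namespace itself via the visible `rootNs = defaultNamespacePrefix + (isSecure ? SASL_NAMESPACE : UNSECURE_NAMESPACE)`. Suggested: `* @param isSecurityEnabled false when hive.security.zookeeper.authentication is 'simple'; with UGI security on this flips the default namespace from the 'sasl' to the 'unsecure' suffix, so clients and daemons must agree on the setting or they will not see each other's registrations.` The method body continues outside the hunk.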
@@ -366,7 +372,7 @@ final void initializeWithoutRegisteringInternal() throws IOException {
 }
 private void checkAndSetAcls() throws Exception {
- if (!UserGroupInformation.isSecurityEnabled()) return;
+ if (!UserGroupInformation.isSecurityEnabled() || !isSecurityEnabled) return;
 // We are trying to check ACLs on the "workers" directory, which noone except us should be
 // able to write to. Higher-level directories shouldn't matter - we don't read them.
 String pathToCheck = workersPath;
diff --git a/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java b/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java
index 454d503454..bd30d8fa08 100644
--- a/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java
+++ b/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java
@@ -32,7 +32,11 @@
 public static String setupZookeeperAuth(Configuration conf, String saslLoginContextName, String zkPrincipal,
 String zkKeytab) throws IOException {
 // If the login context name is not set, we are in the client and don't need auth.
- if (UserGroupInformation.isSecurityEnabled() && saslLoginContextName != null) {
+ if (UserGroupInformation.isSecurityEnabled()
+ && !UserGroupInformation.AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
+ conf.get("hive.security.zookeeper.authentication", "default"))
+ && saslLoginContextName != null) {
+
 LOG.info("UGI security is enabled. Setting up ZK auth.");
 if (zkPrincipal == null || zkPrincipal.isEmpty()) {
diff --git a/service/src/java/org/apache/hive/service/server/HS2ActivePassiveHARegistryClient.java b/service/src/java/org/apache/hive/service/server/HS2ActivePassiveHARegistryClient.java
index f87b610ee2..6dd01326b5 100644
--- a/service/src/java/org/apache/hive/service/server/HS2ActivePassiveHARegistryClient.java
+++ b/service/src/java/org/apache/hive/service/server/HS2ActivePassiveHARegistryClient.java
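Review bot: The widened early return in checkAndSetAcls silently skips the ACL verification of the workers path whenever ZK auth is `simple`, so an operator who sets that value on a Kerberized cluster gets no trace that the registry znodes are no longer protected. Replacing the bare return with a logged one, e.g. `if (!UserGroupInformation.isSecurityEnabled() || !isSecurityEnabled) { LOG.info("Skipping ACL check on {}: ZooKeeper authentication is not enabled", workersPath); return; }`, gives that signal at startup (this assumes the class has a LOG field as ZookeeperUtils does; not visible in the hunk). The method body continues outside the hunk.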
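Review bot: The comment `// If the login context name is not set, we are in the client and don't need auth.` now describes only one of the three reasons the condition below it is false; extend it to `// Skip ZK SASL setup when UGI security is off, when hive.security.zookeeper.authentication is 'simple', or when no login context is given (client side).` The `LOG.info("UGI security is enabled. Setting up ZK auth.")` call sits inside the block, so the new simple-mode case leaves nothing in the log; a matching message in the skipped case stating why SASL setup was not done would help when a server later cannot read SASL-protected znodes. setupZookeeperAuth continues outside the hunk.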
@@ -20,6 +20,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.registry.impl.ZkRegistryBase;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -40,7 +41,11 @@ public static synchronized HS2ActivePassiveHARegistry getClient(Configuration co
 String namespace = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_SERVER2_ACTIVE_PASSIVE_HA_REGISTRY_NAMESPACE);
 Preconditions.checkArgument(!StringUtils.isBlank(namespace), HiveConf.ConfVars.HIVE_SERVER2_ACTIVE_PASSIVE_HA_REGISTRY_NAMESPACE.varname + " cannot be null or empty");
- String nsKey = ZkRegistryBase.getRootNamespace(null, namespace + "-");
+
+ boolean isSecurityEnabled = !UserGroupInformation.AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
+ conf.get("hive.security.zookeeper.authentication", "default"));
+ String nsKey = ZkRegistryBase.getRootNamespace(isSecurityEnabled, null, namespace + "-");
+
 HS2ActivePassiveHARegistry registry = hs2Registries.get(nsKey);
 if (registry == null) {
 registry = HS2ActivePassiveHARegistry.create(conf, true);
diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java b/service/src/java/org/apache/hive/service/server/HiveServer2.java
index 5d81668441..731af3cff7 100644
--- a/service/src/java/org/apache/hive/service/server/HiveServer2.java
+++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java
@@ -89,6 +89,7 @@
 import org.apache.hadoop.hive.shims.ShimLoader;
 import org.apache.hadoop.hive.shims.Utils;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hive.common.util.HiveStringUtils;
 import org.apache.hive.common.util.HiveVersionInfo;
 import org.apache.hive.common.util.ShutdownHookManager;
@@ -279,6 +280,9 @@ public void run() {
 wmQueue = hiveConf.get(ConfVars.HIVE_SERVER2_TEZ_INTERACTIVE_QUEUE.varname, "").trim();
+ zooKeeperAclProvider = getAclProvider(!AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
+ hiveConf.getVar(ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION)));
+
 this.serviceDiscovery = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_SUPPORT_DYNAMIC_SERVICE_DISCOVERY);
 this.activePassiveHA = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_ACTIVE_PASSIVE_HA_ENABLE);
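Review bot: zooKeeperAclProvider is now assigned in the body of the method this hunk belongs to rather than at its declaration, and the -453 hunk turns the field into a plain non-final `private ACLProvider zooKeeperAclProvider;`, so it is null until this line runs; any reader of the field that executes earlier (none is visible in the diff) would now get an NPE where it previously got a working provider. If hiveConf is available at construction, computing the boolean once into a final field and keeping the provider final, or resolving it lazily through a private getter, removes the ordering dependency. The enclosing method continues on both sides of the hunk.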
@@ -453,29 +457,33 @@ public static boolean isKerberosAuthMode(Configuration hiveConf) {
 /**
 * ACLProvider for providing appropriate ACLs to CuratorFrameworkFactory
 */
- private final ACLProvider zooKeeperAclProvider = new ACLProvider() {
+ private ACLProvider zooKeeperAclProvider;
- @Override
- public List getDefaultAcl() {
- List nodeAcls = new ArrayList();
- if (UserGroupInformation.isSecurityEnabled()) {
- // Read all to the world
- nodeAcls.addAll(Ids.READ_ACL_UNSAFE);
- // Create/Delete/Write/Admin to the authenticated user
- nodeAcls.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
- } else {
- // ACLs for znodes on a non-kerberized cluster
- // Create/Read/Delete/Write/Admin to the world
- nodeAcls.addAll(Ids.OPEN_ACL_UNSAFE);
+ private ACLProvider getAclProvider(boolean isSecurityEnabled) {
+ return new ACLProvider() {
+
+ @Override
+ public List getDefaultAcl() {
+ List nodeAcls = new ArrayList();
+ if (UserGroupInformation.isSecurityEnabled() && isSecurityEnabled) {
+ // Read all to the world
+ nodeAcls.addAll(Ids.READ_ACL_UNSAFE);
+ // Create/Delete/Write/Admin to the authenticated user
+ nodeAcls.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
+ } else {
+ // ACLs for znodes on a non-kerberized cluster
+ // Create/Read/Delete/Write/Admin to the world
+ nodeAcls.addAll(Ids.OPEN_ACL_UNSAFE);
+ }
+ return nodeAcls;
 }
- return nodeAcls;
- }
- @Override
- public List getAclForPath(String path) {
- return getDefaultAcl();
- }
- };
+ @Override
+ public List getAclForPath(String path) {
+ return getDefaultAcl();
+ }
+ };
+ }
 /**
 * Add conf keys, values that HiveServer2 will publish to ZooKeeper.
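Review bot: The comment `// ACLs for znodes on a non-kerberized cluster` in the else branch is no longer accurate: with the added `&& isSecurityEnabled` the open ACL is also chosen on a Kerberized cluster when hive.security.zookeeper.authentication is `simple`. Suggest `// Open ACLs: ZooKeeper is not kerberized (cluster unsecured, or hive.security.zookeeper.authentication=simple)`. The Javadoc "ACLProvider for providing appropriate ACLs to CuratorFrameworkFactory" now sits on a bare field while the new getAclProvider(boolean) has none; moving it to the method with `@param isSecurityEnabled false to hand out OPEN_ACL_UNSAFE regardless of UGI security` documents the one input that decides znode protection. The visible body of getAclProvider reads no instance state, so it could apparently be `private static`.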
@@ -522,7 +530,9 @@ private void addConfsToPublish(HiveConf hiveConf, Map confsToPub
 * @throws Exception
 */
 private void setUpZooKeeperAuth(HiveConf hiveConf) throws Exception {
- if (UserGroupInformation.isSecurityEnabled()) {
+ if (UserGroupInformation.isSecurityEnabled() && !AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
+ hiveConf.getVar(ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION))) {
+
 String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
 if (principal.isEmpty()) {
 throw new IOException("HiveServer2 Kerberos principal is empty");
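Review bot: The condition repeats the expression the -279 hunk uses to choose the ACL provider; a single helper such as `private boolean isZkAuthEnabled(HiveConf hiveConf) { return UserGroupInformation.isSecurityEnabled() && !AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(hiveConf.getVar(ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION)); }` would keep the SASL setup and the ACL choice from ever disagreeing, which is the failure mode this setting makes possible. The method Javadoc, whose `@throws Exception` tail is visible above the signature, should also state that the method does nothing when ZK authentication is `simple`, since the remainder of the body (outside the hunk) is then skipped entirely.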