diff --git a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java index ba1f1774d3..e8f2563f07 100644 --- a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java +++ b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java @@ -20,7 +20,6 @@ import java.io.IOException; import java.util.ArrayList; -import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -63,7 +62,7 @@ private volatile CuratorFramework zkSession; private String zkConnectString; private int connectTimeoutMillis; - private List newNodeAcl = Arrays.asList(new ACL(Perms.ALL, Ids.AUTH_IDS)); + private List newNodeAcl; /** * ACLProvider permissions will be used in case parent dirs need to be created @@ -81,6 +80,30 @@ } }; + /** + * Default ACLs for CuratorFrameworkFactory. + */ + private List getDefaultAcl(Configuration conf) { + List nodeAcls = new ArrayList<>(); + if (isZkSecurityEnabled(conf)) { + nodeAcls.add(new ACL(Perms.ALL, Ids.AUTH_IDS)); + } else { + nodeAcls.addAll(Ids.OPEN_ACL_UNSAFE); + } + return nodeAcls; + } + + /** + * Check if ZooKeeper is configured with Kerberos authentication. + */ + private boolean isZkSecurityEnabled(Configuration conf) { + try { + return UserGroupInformation.getLoginUser().isFromKeytab() && !AuthenticationMethod.SIMPLE.name().equalsIgnoreCase( + getNonEmptyConfVar(conf, "hive.security.zookeeper.authentication")); + } catch (IOException e) { + return false; + } + } private final String WHEN_ZK_DSTORE_MSG = "when zookeeper based delegation token storage is enabled" + "(hive.cluster.delegation.token.store.class=" + ZooKeeperTokenStore.class.getName() + ")"; @@ -112,8 +135,7 @@ private CuratorFramework getSession() { } private void setupJAASConfig(Configuration conf) throws IOException { - if (!UserGroupInformation.getLoginUser().isFromKeytab() || AuthenticationMethod.SIMPLE.name().equalsIgnoreCase( - getNonEmptyConfVar(conf, "hive.security.zookeeper.authentication"))) { + if (!isZkSecurityEnabled(conf)) { // The process has not logged in using keytab // this should be a test mode, can't use keytab to authenticate // with zookeeper. @@ -455,10 +477,10 @@ public void init(Object hmsHandler, HadoopThriftAuthBridge.Server.ServerMode sMo conf.getInt( MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_CONNECT_TIMEOUTMILLIS, CuratorFrameworkFactory.builder().getConnectionTimeoutMs()); + String aclStr = conf.get(MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_ACL, null); - if (StringUtils.isNotBlank(aclStr)) { - this.newNodeAcl = parseACLs(aclStr); - } + this.newNodeAcl = StringUtils.isNotBlank(aclStr)? parseACLs(aclStr) : getDefaultAcl(conf); + rootNode = conf.get(MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_ZNODE, MetastoreDelegationTokenManager.DELEGATION_TOKEN_STORE_ZK_ZNODE_DEFAULT) + serverMode;