diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index de28e9213f..2b342830fd 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -2583,10 +2583,8 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "read MM tables with original files will fail. The default in Hive 3.0 is false."),
 // Zookeeper related configs
- HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION("hive.security.zookeeper.authentication",
- "DEFAULT", new StringSet("DEFAULT", "SIMPLE"),
- "Whether the authentication type for Zookeeper is different from the cluster wide\n" +
- "`hadoop.security.authentication` configuration. This could be useful when cluster\n" +
+ HIVE_ZOOKEEPER_USE_KERBEROS("hive.zookeeper.kerberos.enabled", true,
+ "If ZooKeeper is configured for Kerberos authentication. This could be useful when cluster\n" +
 "is kerberized, but Zookeeper is not."),
 HIVE_ZOOKEEPER_QUORUM("hive.zookeeper.quorum", "",
@@ -4212,6 +4210,9 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "hive.llap.queue.metrics.percentiles.intervals"),
 LLAP_IO_THREADPOOL_SIZE("hive.llap.io.threadpool.size", 10,
 "Specify the number of threads to use for low-level IO thread pool."),
+ LLAP_USE_KERBEROS("hive.llap.kerberos.enabled", true,
+ "If LLAP is configured for Kerberos authentication. This could be useful when cluster\n" +
+ "is kerberized, but LLAP is not."),
 LLAP_KERBEROS_PRINCIPAL(HIVE_LLAP_DAEMON_SERVICE_PRINCIPAL_NAME, "",
 "The name of the LLAP daemon's service principal."),
 LLAP_KERBEROS_KEYTAB_FILE("hive.llap.daemon.keytab.file", "",
diff --git a/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java b/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java
index 7a4274e1e0..2ac0fbedbd 100644
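Review bot: The description of `hive.zookeeper.kerberos.enabled` does not say that it supersedes `hive.security.zookeeper.authentication`, which this hunk removes with no alias or deprecation path; a site that had set the old key to SIMPLE will, with the new default of true, presumably start attempting Kerberos/SASL against a ZooKeeper that is not kerberized until someone finds the new key. The opening sentence also reads as a fragment; suggest `"Whether ZooKeeper is configured for Kerberos authentication; replaces hive.security.zookeeper.authentication. This could be useful when cluster\n" +`. The same "If ... is configured for Kerberos authentication" wording is used for `hive.llap.kerberos.enabled` in the hunk at -4212 and for `metastore.zookeeper.kerberos.enabled` in the MetastoreConf hunk, and would benefit from the same rewording. Defaulting all three to true is the fail-secure choice and is worth stating in the descriptions as the reason an operator must opt out explicitly.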
--- a/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java
+++ b/llap-client/src/java/org/apache/hadoop/hive/registry/impl/ZookeeperUtils.java
@@ -14,7 +14,6 @@ package org.apache.hadoop.hive.registry.impl;
 import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -55,12 +54,12 @@ public static String setupZookeeperAuth(Configuration conf, String saslLoginCont
 }
 /**
- * Check if Kerberos is enabled.
+ * Check if Kerberos authentication is enabled.
 */
 public static boolean isKerberosEnabled(Configuration conf) {
 try {
- return UserGroupInformation.getLoginUser().isFromKeytab() && !AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
- HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION));
+ return UserGroupInformation.getLoginUser().isFromKeytab() &&
+ HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_ZOOKEEPER_USE_KERBEROS);
 } catch (IOException e) {
 return false;
 }
diff --git a/llap-client/src/test/org/apache/hadoop/hive/registry/impl/TestZookeeperUtils.java b/llap-client/src/test/org/apache/hadoop/hive/registry/impl/TestZookeeperUtils.java
index c4862747ac..863442abeb 100644
--- a/llap-client/src/test/org/apache/hadoop/hive/registry/impl/TestZookeeperUtils.java
+++ b/llap-client/src/test/org/apache/hadoop/hive/registry/impl/TestZookeeperUtils.java
@@ -21,7 +21,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
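Review bot: `isKerberosEnabled` still maps an `IOException` from `getLoginUser()` to `false`, and after this change `false` is also the ordinary answer when `hive.zookeeper.kerberos.enabled` is off, so a failure to determine the login user is indistinguishable from a deliberate opt-out and the caller proceeds without Kerberos; the catch itself is unchanged, but the new predicate gives it a second legitimate meaning. The same shape appears in `ZooKeeperTokenStore.isKerberosEnabled` in the hunk at -93, where `false` makes `getDefaultAcl` choose `Ids.OPEN_ACL_UNSAFE`. At minimum log before returning: `} catch (IOException e) {` / `LOG.warn("Cannot determine login user; treating ZooKeeper Kerberos as disabled", e);` / `return false;` (assuming the slf4j import visible in the hunk at -14 backs a `LOG` field in this class). The Javadoc could also state both conditions: `* Check if Kerberos authentication is enabled: the login user is from a keytab and hive.zookeeper.kerberos.enabled is true.`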
@@ -43,24 +43,23 @@ public void setup() {
 }
 @Test
- public void testHadoopKerberosZookeeperDefault() {
+ public void testHadoopAuthKerberosAndZookeeperUseKerberos() {
 Mockito.when(ugi.isFromKeytab()).thenReturn(true);
+ Assert.assertTrue(HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_ZOOKEEPER_USE_KERBEROS));
 Assert.assertTrue(ZookeeperUtils.isKerberosEnabled(conf));
 }
 @Test
- public void testHadoopKerberosZookeeperSimple(){
+ public void testHadoopAuthKerberosAndZookeeperNoKerberos(){
 Mockito.when(ugi.isFromKeytab()).thenReturn(true);
- conf.set(HiveConf.ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION.varname,
- AuthenticationMethod.SIMPLE.name());
+ conf.setBoolean(HiveConf.ConfVars.HIVE_ZOOKEEPER_USE_KERBEROS.varname, false);
 Assert.assertFalse(ZookeeperUtils.isKerberosEnabled(conf));
 }
 @Test
- public void testHadoopSimpleZookeeperDefault(){
+ public void testHadoopAuthSimpleAndZookeeperKerberos(){
 Mockito.when(ugi.isFromKeytab()).thenReturn(false);
- conf.set(HiveConf.ConfVars.HIVE_SECURITY_ZOOKEEPER_AUTHENTICATION.varname,
- AuthenticationMethod.SIMPLE.name());
+ conf.setBoolean(HiveConf.ConfVars.HIVE_ZOOKEEPER_USE_KERBEROS.varname, false);
 Assert.assertFalse(ZookeeperUtils.isKerberosEnabled(conf));
 }
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java
index e2db0c7274..baef0feacd 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezSessionState.java
@@ -321,7 +321,7 @@ protected void openInternal(String[] additionalFilesNotFromConf,
 Credentials llapCredentials = null;
 if (llapMode) {
- if (UserGroupInformation.isSecurityEnabled()) {
+ if (isKerberosEnabled(tezConfig)) {
 llapCredentials = new Credentials();
 llapCredentials.addToken(LlapTokenIdentifier.KIND_NAME, getLlapToken(user, tezConfig));
 }
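Review bot: `testHadoopAuthSimpleAndZookeeperKerberos` sets `HIVE_ZOOKEEPER_USE_KERBEROS` to false, so its body contradicts its name and it differs from `testHadoopAuthKerberosAndZookeeperNoKerberos` only in the `isFromKeytab()` stub; with the stub returning false the result is false regardless of the flag, so the "Hadoop simple, ZooKeeper Kerberos on" case the name promises is never exercised. Drop the `conf.setBoolean(HiveConf.ConfVars.HIVE_ZOOKEEPER_USE_KERBEROS.varname, false);` line from that test (the default is true, as the first test now asserts) so the name and the covered branch agree.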
@@ -392,6 +392,10 @@ public TezClient call() throws Exception {
 }
 }
+ private boolean isKerberosEnabled(Configuration conf) {
+ return UserGroupInformation.isSecurityEnabled() && HiveConf.getBoolVar(conf, ConfVars.LLAP_USE_KERBEROS);
+ }
+
 private static Token getLlapToken(
 String user, final Configuration conf) throws IOException {
 // TODO: parts of this should be moved out of TezSession to reuse the clients, but there's
diff --git a/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java b/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
index 1d5a771898..fd93db2ecb 100644
--- a/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
+++ b/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
@@ -949,6 +949,10 @@ public static ConfVars getMetaConf(String name) {
 "",
 "Specifies which dynamic service discovery method to use. Currently we support only " +
 "\"zookeeper\" to specify ZooKeeper based service discovery."),
+ THRIFT_ZOOKEEPER_USE_KERBEROS("metastore.zookeeper.kerberos.enabled",
+ "hive.metastore.zookeeper.kerberos.enabled", true,
+ "If ZooKeeper is configured for Kerberos authentication. This could be useful when cluster\n" +
+ "is kerberized, but Zookeeper is not."),
 THRIFT_ZOOKEEPER_CLIENT_PORT("metastore.zookeeper.client.port",
 "hive.metastore.zookeeper.client.port", "2181",
 "The port of ZooKeeper servers to talk to.\n" +
diff --git a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
index e8f2563f07..b0069da177 100644
--- a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
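Review bot: The new `isKerberosEnabled(Configuration conf)` has no Javadoc, and it shares its name with `ZookeeperUtils.isKerberosEnabled` introduced by the same commit while using a different predicate (`UserGroupInformation.isSecurityEnabled()` here versus `getLoginUser().isFromKeytab()` there), which should be stated so the two are not assumed interchangeable. Suggest `/** Whether an LLAP token must be fetched: Hadoop security is enabled and hive.llap.kerberos.enabled is true. */` and, since the body reads no instance state, `private static boolean isKerberosEnabled(Configuration conf) {`. Its only visible call site is the hunk at -321, where a `false` result skips adding the LLAP token to the session credentials.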
+++ b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/ZooKeeperTokenStore.java
@@ -31,9 +31,10 @@ import org.apache.curator.framework.imps.CuratorFrameworkState;
 import org.apache.curator.retry.ExponentialBackoffRetry;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
 import org.apache.hadoop.hive.metastore.utils.SecurityUtils;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenInformation;
 import org.apache.hadoop.security.token.delegation.MetastoreDelegationTokenSupport;
 import org.apache.zookeeper.CreateMode;
@@ -85,7 +86,7 @@
 */
 private List getDefaultAcl(Configuration conf) {
 List nodeAcls = new ArrayList<>();
- if (isZkSecurityEnabled(conf)) {
+ if (isKerberosEnabled(conf)) {
 nodeAcls.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
 } else {
 nodeAcls.addAll(Ids.OPEN_ACL_UNSAFE);
@@ -93,13 +94,10 @@
 return nodeAcls;
 }
- /**
- * Check if ZooKeeper is configured with Kerberos authentication.
- */
- private boolean isZkSecurityEnabled(Configuration conf) {
+ private boolean isKerberosEnabled(Configuration conf) {
 try {
- return UserGroupInformation.getLoginUser().isFromKeytab() && !AuthenticationMethod.SIMPLE.name().equalsIgnoreCase(
- getNonEmptyConfVar(conf, "hive.security.zookeeper.authentication"));
+ return UserGroupInformation.getLoginUser().isFromKeytab() &&
+ MetastoreConf.getBoolVar(conf, MetastoreConf.ConfVars.THRIFT_ZOOKEEPER_USE_KERBEROS);
 } catch (IOException e) {
 return false;
 }
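Review bot: The Javadoc removed together with `isZkSecurityEnabled` is not carried over to `isKerberosEnabled`, leaving the predicate that decides the token store's znode ACLs undocumented. Suggest `/** True when this process logged in from a keytab and metastore.zookeeper.kerberos.enabled is set; when false, getDefaultAcl falls back to OPEN_ACL_UNSAFE. */` so the security consequence of a false result, visible in the hunk at -85, is explicit at the definition. With the `getNonEmptyConfVar(conf, "hive.security.zookeeper.authentication")` call gone, `getNonEmptyConfVar` may now be unused in this class if it had no other caller; that is outside the hunk and worth checking.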
@@ -135,7 +133,7 @@ private CuratorFramework getSession() {
 }
 private void setupJAASConfig(Configuration conf) throws IOException {
- if (!isZkSecurityEnabled(conf)) {
+ if (!isKerberosEnabled(conf)) {
 // The process has not logged in using keytab
 // this should be a test mode, can't use keytab to authenticate
 // with zookeeper.