diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 5a39006d8a..9f7abae478 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3595,6 +3595,8 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "Deprecated: Secure attribute of the HS2 generated cookie (this is automatically enabled for SSL enabled HiveServer2)."),
 HIVE_SERVER2_THRIFT_HTTP_COOKIE_IS_HTTPONLY("hive.server2.thrift.http.cookie.is.httponly", true,
 "HttpOnly attribute of the HS2 generated cookie."),
+ HIVE_SERVER2_THRIFT_HTTP_ALLOW_OPTIONS_METHOD("hive.server2.thrift.http.allow.options.method", false,
+ "Whether to allow options http method for thrift server"),
 // binary transport settings
 HIVE_SERVER2_THRIFT_PORT("hive.server2.thrift.port", 10000,
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
index 665266896f..60128d81c3 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
@@ -45,6 +45,8 @@
 import org.apache.thrift.server.TServlet;
 import org.eclipse.jetty.io.Connection;
 import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
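Review bot: The description string added for `hive.server2.thrift.http.allow.options.method` in the HiveConf.java hunk does not tell an operator what the default means or what else is affected. Judging from `constrainHttpMethods` in the same commit, `false` makes the HTTP-mode Thrift endpoint refuse OPTIONS requests, and TRACE is refused whatever this setting is. A description such as `"Whether the HiveServer2 Thrift HTTP endpoint accepts the HTTP OPTIONS method. Disabled by default; TRACE is always rejected."` would say that. The enclosing enum starts and ends outside the hunk.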
@@ -53,6 +55,7 @@
 import org.eclipse.jetty.server.handler.gzip.GzipHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.ExecutorThreadPool;
@@ -192,6 +195,8 @@ public void onClosed(Connection connection) {
 server.setHandler(context);
 }
 context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
+ constrainHttpMethods(context, HiveConf.getBoolVar(hiveConf,
+ ConfVars.HIVE_SERVER2_THRIFT_HTTP_ALLOW_OPTIONS_METHOD));
 // TODO: check defaults: maxTimeout, keepalive, maxBodySize,
 // bodyRecieveDuration, etc.
@@ -269,6 +274,28 @@ private String getHttpPath(String httpPath) {
 return httpPath;
 }
+ public void constrainHttpMethods(ServletContextHandler ctxHandler, boolean allowOptionsMethod) {
+ Constraint c = new Constraint();
+ c.setAuthenticate(true);
+
+ ConstraintMapping cmt = new ConstraintMapping();
+ cmt.setConstraint(c);
+ cmt.setMethod("TRACE");
+ cmt.setPathSpec("/*");
+
+ ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
+ if (!allowOptionsMethod) {
+ ConstraintMapping cmo = new ConstraintMapping();
+ cmo.setConstraint(c);
+ cmo.setMethod("OPTIONS");
+ cmo.setPathSpec("/*");
+ securityHandler.setConstraintMappings(new ConstraintMapping[] {cmt, cmo});
+ } else {
+ securityHandler.setConstraintMappings(new ConstraintMapping[] {cmt});
+ }
+ ctxHandler.setSecurityHandler(securityHandler);
+ }
+
 @Override
 protected void stopServer() {
 if((server != null) && server.isStarted()) {
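Review bot: `constrainHttpMethods` blocks TRACE and OPTIONS through a Jetty convention that the new code never states: a `Constraint` with `setAuthenticate(true)` and no roles is treated as forbidden, so the mapped methods are refused outright instead of being authenticated. A comment above `c.setAuthenticate(true);` such as `// authenticate=true with no roles: Jetty treats this constraint as forbidden` would stop a later change that adds a role or a login service from quietly re-opening those methods. The helper is declared `public` although the only caller visible in this diff is in the same class, so `private` looks sufficient. Only two verbs are denied, so every other method still reaches the servlet; whether that is intended is worth stating in a Javadoc line, and no test for either setting of the flag is visible in this diff.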