Merge pull request apache#40 from mapr/mapr-20263
MAPR-20263: Hivemetastore incorrectly determined the auth method when a hive-job was created by other components
ssvinarchuk committed Dec 2, 2015
2 parents 19f8a35 + 7646ece commit 852f8f8
Showing 1 changed file with 49 additions and 58 deletions.
@@ -22,6 +22,7 @@
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Locale;

import javax.security.sasl.SaslException;

@@ -147,83 +148,73 @@ public TTransport createClientTransport(
String tokenStrForm, TTransport underlyingTransport,
Map<String, String> saslProps) throws IOException {

UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
UserGroupInformation.AuthenticationMethod authenticationMethod = ugi.getAuthenticationMethod();
TTransport saslTransport = null;

LOG.info("Sasl client AuthenticationMethod: " + authenticationMethod.toString());
if (authenticationMethod.equals(AuthenticationMethod.PROXY)) {
if (methodStr != null) {
AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr);
if (method == AuthMethod.DIGEST) {
Token<DelegationTokenIdentifier> t= new Token<DelegationTokenIdentifier>();
t.decodeFromUrlString(tokenStrForm);
saslTransport = new TSaslClientTransport(
method.getMechanismName(),
null,
null, SaslRpcServer.SASL_DEFAULT_REALM,
saslProps, new SaslClientCallbackHandler(t),
underlyingTransport);
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
}
}
throw new IOException("Unsupported authentication method: PROXY-" + methodStr);
}

RpcAuthMethod rpcAuthMethod = RpcAuthRegistry.getAuthMethod(ugi.getAuthenticationMethod());

if (rpcAuthMethod == null) {
throw new IOException("Unsupported authentication method: " + ugi.getAuthenticationMethod());
}

if (authenticationMethod.equals(UserGroupInformation.AuthenticationMethod.TOKEN)) {
Token<DelegationTokenIdentifier> t= new Token<DelegationTokenIdentifier>();
t.decodeFromUrlString(tokenStrForm);
saslTransport = new TSaslClientTransport(
rpcAuthMethod.getMechanismName(),
null,
if (methodStr.equals("DIGEST")) {
LOG.info("User authentication with method DIGEST: " + methodStr);
AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr);
if (method == AuthMethod.DIGEST) {
Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>();
t.decodeFromUrlString(tokenStrForm);
saslTransport = new TSaslClientTransport(
method.getMechanismName(),
null,
SaslRpcServer.SASL_DEFAULT_REALM,
saslProps,
new SaslClientCallbackHandler(t),
null, SaslRpcServer.SASL_DEFAULT_REALM,
saslProps, new SaslClientCallbackHandler(t),
underlyingTransport);
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
}
else if (authenticationMethod.equals(UserGroupInformation.AuthenticationMethod.KERBEROS)) {
String serverPrincipal = SecurityUtil.getServerPrincipal(principalConfig, host);
String names[] = SaslRpcServer.splitKerberosName(serverPrincipal);
if (names.length != 3) {
throw new IOException(
"Kerberos principal name does NOT have the expected hostname part: "
+ serverPrincipal);
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
}
try {
saslTransport = new TSaslClientTransport(
} else {
Configuration conf = new Configuration();
conf.addDefaultResource("hive-site.xml");
// if uses SASL, authType must be only KERBEROS or MapRSasl
// by default uses MapRSasl
String authTypeStr = conf.get("hive.server2.authentication");
if (authTypeStr == null || authTypeStr.equalsIgnoreCase("MAPRSASL")) {
authTypeStr = "CUSTOM";
}
LOG.info("User authentication with method: " + authTypeStr);
RpcAuthMethod rpcAuthMethod = RpcAuthRegistry.getAuthMethod(
AuthenticationMethod.valueOf(AuthenticationMethod.class, authTypeStr.toUpperCase(Locale.ENGLISH)));
if (rpcAuthMethod == null) {
throw new IOException("Unsupported authentication method: " + authTypeStr);
}
if ("KERBEROS".equalsIgnoreCase(authTypeStr)) {
String serverPrincipal = SecurityUtil.getServerPrincipal(principalConfig, host);
String names[] = SaslRpcServer.splitKerberosName(serverPrincipal);
if (names.length != 3) {
throw new IOException(
"Kerberos principal name does NOT have the expected hostname part: "
+ serverPrincipal);
}
try {
saslTransport = new TSaslClientTransport(
rpcAuthMethod.getMechanismName(),
null,
names[0], names[1],
saslProps,
null,
underlyingTransport);
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
} catch (SaslException se) {
throw new IOException("Could not instantiate SASL transport", se);
}
} else {
try {
saslTransport = new TSaslClientTransport(
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
} catch (SaslException se) {
throw new IOException("Could not instantiate SASL transport", se);
}
} else { //If it's not KERBEROS, it can be only MapRSasl
try {
saslTransport = new TSaslClientTransport(
rpcAuthMethod.getMechanismName(),
null,
null,
SaslRpcServer.SASL_DEFAULT_REALM,
saslProps,
null,
underlyingTransport);
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
} catch (SaslException se) {
throw new IOException("Could not instantiate SASL transport", se);
return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
} catch (SaslException se) {
throw new IOException("Could not instantiate SASL transport", se);
}
}
}
throw new IOException("Unsupported authentication method: " + methodStr);
}

}
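Review bot: In the new `else` branch, `AuthenticationMethod.valueOf(AuthenticationMethod.class, authTypeStr.toUpperCase(Locale.ENGLISH))` throws an unchecked `IllegalArgumentException` for any `hive.server2.authentication` value that is not a constant of that enum, so the `rpcAuthMethod == null` check below it never reports such a value as the `IOException` callers expect. Any value the enum does accept other than KERBEROS then falls into the final `else`, which the comment assumes can only be MapRSasl; comparing `authTypeStr` against the expected values explicitly and throwing `IOException` otherwise would make a misconfigured auth type fail closed instead of possibly building a transport with an unintended mechanism. Separately, `methodStr.equals("DIGEST")` dereferences `methodStr` with no null check, and `"DIGEST".equals(methodStr)` would avoid a NullPointerException there. The sides of the interleaved lines are not marked on this page and createClientTransport starts outside the hunk, so this reading of the new code should be confirmed against the file.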