From 7646ece468c949b93fdaa64aed88624d8a40eb48 Mon Sep 17 00:00:00 2001 From: ssvinarchuk Date: Thu, 19 Nov 2015 13:24:12 +0200 Subject: [PATCH] MAPR-20263: Hivemetastore incorrectly determined auth method in case of hive-job was created by other components MAPR-20263 Hivemetastore incorrectly determined auth method in case of hive-job was created by other components --- .../thrift/HadoopThriftAuthBridge25Sasl.java | 107 ++++++++---------- 1 file changed, 49 insertions(+), 58 deletions(-) diff --git a/shims/0.23/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge25Sasl.java b/shims/0.23/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge25Sasl.java index adb1ac70f081..b94c0d6e68e3 100644 --- a/shims/0.23/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge25Sasl.java +++ b/shims/0.23/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge25Sasl.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.util.List; import java.util.Map; +import java.util.Locale; import javax.security.sasl.SaslException; 
@@ -147,71 +148,59 @@ public TTransport createClientTransport( String tokenStrForm, TTransport underlyingTransport, Map saslProps) throws IOException { - UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); - UserGroupInformation.AuthenticationMethod authenticationMethod = ugi.getAuthenticationMethod(); TTransport saslTransport = null; - - LOG.info("Sasl client AuthenticationMethod: " + authenticationMethod.toString()); - if (authenticationMethod.equals(AuthenticationMethod.PROXY)) { - if (methodStr != null) { - AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr); - if (method == AuthMethod.DIGEST) { - Token t= new Token(); - t.decodeFromUrlString(tokenStrForm); - saslTransport = new TSaslClientTransport( - method.getMechanismName(), - null, - null, SaslRpcServer.SASL_DEFAULT_REALM, - saslProps, new SaslClientCallbackHandler(t), - underlyingTransport); - return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser()); - } - } - throw new IOException("Unsupported authentication method: PROXY-" + methodStr); - } - - RpcAuthMethod rpcAuthMethod = RpcAuthRegistry.getAuthMethod(ugi.getAuthenticationMethod()); - - if (rpcAuthMethod == null) { - throw new IOException("Unsupported authentication method: " + ugi.getAuthenticationMethod()); - } - - if (authenticationMethod.equals(UserGroupInformation.AuthenticationMethod.TOKEN)) { - Token t= new Token(); - t.decodeFromUrlString(tokenStrForm); - saslTransport = new TSaslClientTransport( - rpcAuthMethod.getMechanismName(), - null, + if (methodStr.equals("DIGEST")) { + LOG.info("User authentication with method DIGEST: " + methodStr); + AuthMethod method = AuthMethod.valueOf(AuthMethod.class, methodStr); + if (method == AuthMethod.DIGEST) { + Token t = new Token(); + t.decodeFromUrlString(tokenStrForm); + saslTransport = new TSaslClientTransport( + method.getMechanismName(), null, - SaslRpcServer.SASL_DEFAULT_REALM, - saslProps, - new SaslClientCallbackHandler(t), + null, 
SaslRpcServer.SASL_DEFAULT_REALM, + saslProps, new SaslClientCallbackHandler(t), underlyingTransport); - return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser()); - } - else if (authenticationMethod.equals(UserGroupInformation.AuthenticationMethod.KERBEROS)) { - String serverPrincipal = SecurityUtil.getServerPrincipal(principalConfig, host); - String names[] = SaslRpcServer.splitKerberosName(serverPrincipal); - if (names.length != 3) { - throw new IOException( - "Kerberos principal name does NOT have the expected hostname part: " - + serverPrincipal); + return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser()); } - try { - saslTransport = new TSaslClientTransport( + } else { + Configuration conf = new Configuration(); + conf.addDefaultResource("hive-site.xml"); + // if uses SASL, authType must be only KERBEROS or MapRSasl + // by default uses MapRSasl + String authTypeStr = conf.get("hive.server2.authentication"); + if (authTypeStr == null || authTypeStr.equalsIgnoreCase("MAPRSASL")) { + authTypeStr = "CUSTOM"; + } + LOG.info("User authentication with method: " + authTypeStr); + RpcAuthMethod rpcAuthMethod = RpcAuthRegistry.getAuthMethod( + AuthenticationMethod.valueOf(AuthenticationMethod.class, authTypeStr.toUpperCase(Locale.ENGLISH))); + if (rpcAuthMethod == null) { + throw new IOException("Unsupported authentication method: " + authTypeStr); + } + if ("KERBEROS".equalsIgnoreCase(authTypeStr)) { + String serverPrincipal = SecurityUtil.getServerPrincipal(principalConfig, host); + String names[] = SaslRpcServer.splitKerberosName(serverPrincipal); + if (names.length != 3) { + throw new IOException( + "Kerberos principal name does NOT have the expected hostname part: " + + serverPrincipal); + } + try { + saslTransport = new TSaslClientTransport( rpcAuthMethod.getMechanismName(), null, names[0], names[1], saslProps, null, underlyingTransport); - return new TUGIAssumingTransport(saslTransport, 
UserGroupInformation.getCurrentUser()); - } catch (SaslException se) { - throw new IOException("Could not instantiate SASL transport", se); - } - } else { - try { - saslTransport = new TSaslClientTransport( + return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser()); + } catch (SaslException se) { + throw new IOException("Could not instantiate SASL transport", se); + } + } else { //If it's not KERBEROS, it can be only MapRSasl + try { + saslTransport = new TSaslClientTransport( rpcAuthMethod.getMechanismName(), null, null, @@ -219,11 +208,13 @@ else if (authenticationMethod.equals(UserGroupInformation.AuthenticationMethod.K saslProps, null, underlyingTransport); - return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser()); - } catch (SaslException se) { - throw new IOException("Could not instantiate SASL transport", se); + return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser()); + } catch (SaslException se) { + throw new IOException("Could not instantiate SASL transport", se); + } } } + throw new IOException("Unsupported authentication method: " + methodStr); } }
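Review bot: In the new `else` branch the value of `hive.server2.authentication` reaches `AuthenticationMethod.valueOf(...)` unchecked, so a setting that is not a constant of that enum raises an unchecked `IllegalArgumentException` rather than the declared `IOException`, and every accepted value other than KERBEROS silently selects the MapRSasl transport. Since the mechanism is now chosen from a config file and no longer from the caller's UGI, I would validate it against the two values the comment allows (KERBEROS, and CUSTOM for MapRSasl) and fail closed before the registry lookup, as in the excerpt below. Separately, `methodStr.equals("DIGEST")` drops the null guard the removed code had; `"DIGEST".equals(methodStr)` sends a null method to the configured path where the current line throws `NullPointerException`. `conf.addDefaultResource("hive-site.xml")` is a static call that changes the defaults of every `Configuration` in the process, so it is better done once outside this method. The body of `createClientTransport` starts above the hunk.

```java
      // … unchanged: Configuration load and MAPRSASL -> CUSTOM default …
      String authType = authTypeStr.toUpperCase(Locale.ENGLISH);
      if (!"KERBEROS".equals(authType) && !"CUSTOM".equals(authType)) {
        // Fail closed: an unexpected setting must not fall through to MapRSasl.
        throw new IOException("Unsupported authentication method: " + authTypeStr);
      }
      LOG.info("User authentication with method: " + authType);
      RpcAuthMethod rpcAuthMethod = RpcAuthRegistry.getAuthMethod(
          AuthenticationMethod.valueOf(AuthenticationMethod.class, authType));
      // … unchanged: null check, KERBEROS and MapRSasl transport construction …
```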