Author: vgumashta Date: Mon Oct 20 06:56:03 2014 New Revision: 1633061 URL: http://svn.apache.org/r1633061 Log: HIVE-8377: Enable Kerberized SSL for HiveServer2 in http mode (Vaibhav Gumashta reviewed by Thejas Nair)
Modified:
hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
Modified: hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java?rev=1633061&r1=1633060&r2=1633061&view=diff
==============================================================================
--- hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java (original)
+++ hive/branches/branch-0.14/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java Mon Oct 20 06:56:03 2014
@@ -258,15 +258,12 @@ public class HiveConnection implements j
 HttpRequestInterceptor requestInterceptor;
 // If Kerberos
 if (isKerberosAuthMode()) {
- if (useSsl) {
- String msg = "SSL encryption is currently not supported with " +
- "kerberos authentication";
- throw new SQLException(msg, " 08S01");
- }
 /**
 * Add an interceptor which sets the appropriate header in the request.
 * It does the kerberos authentication and get the final service ticket,
 * for sending to the server before every request.
+ * In https mode, the entire information is encrypted
+ * TODO: Optimize this with a mix of kerberos + using cookie.
 */
 requestInterceptor = new HttpKerberosRequestInterceptor(
 sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host, getServerHttpUrl(false));
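Review bot: The added Javadoc line `* In https mode, the entire information is encrypted` sits on the Kerberos interceptor, but nothing in this branch enables TLS; the interceptor only sets the request header, and the encryption comes from the `if (useSsl)` https scheme registration that follows both auth branches in the same method. Suggest wording it as `* When useSsl is set, the request is additionally protected by the https scheme registered below.` so a reader does not take the interceptor itself to provide confidentiality. The enclosing method starts before this hunk.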
@@ -277,46 +274,46 @@ public class HiveConnection implements j
 * In https mode, the entire information is encrypted
 */
 requestInterceptor = new HttpBasicAuthInterceptor(getUserName(), getPassword());
- // Configure httpClient for SSL
- if (useSsl) {
- String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
- String sslTrustStorePassword = sessConfMap.get(
- JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
- KeyStore sslTrustStore;
- SSLSocketFactory socketFactory;
- /**
- * The code within the try block throws:
- * 1. SSLInitializationException
- * 2. KeyStoreException
- * 3. IOException
- * 4. NoSuchAlgorithmException
- * 5. CertificateException
- * 6. KeyManagementException
- * 7. UnrecoverableKeyException
- * We don't want the client to retry on any of these, hence we catch all
- * and throw a SQLException.
- */
- try {
- if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
- // Create a default socket factory based on standard JSSE trust material
- socketFactory = SSLSocketFactory.getSocketFactory();
- }
- else {
- // Pick trust store config from the given path
- sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
- sslTrustStore.load(new FileInputStream(sslTrustStorePath),
- sslTrustStorePassword.toCharArray());
- socketFactory = new SSLSocketFactory(sslTrustStore);
- }
- socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
- Scheme sslScheme = new Scheme("https", 443, socketFactory);
- httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme);
+ }
+ // Configure httpClient for SSL
+ if (useSsl) {
+ String sslTrustStorePath = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
+ String sslTrustStorePassword = sessConfMap.get(
+ JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+ KeyStore sslTrustStore;
+ SSLSocketFactory socketFactory;
+ /**
+ * The code within the try block throws:
+ * 1. SSLInitializationException
+ * 2. KeyStoreException
+ * 3. IOException
+ * 4. NoSuchAlgorithmException
+ * 5. CertificateException
+ * 6. KeyManagementException
+ * 7. UnrecoverableKeyException
+ * We don't want the client to retry on any of these, hence we catch all
+ * and throw a SQLException.
+ */
+ try {
+ if (sslTrustStorePath == null || sslTrustStorePath.isEmpty()) {
+ // Create a default socket factory based on standard JSSE trust material
+ socketFactory = SSLSocketFactory.getSocketFactory();
 }
- catch (Exception e) {
- String msg = "Could not create an https connection to " +
- jdbcUriString + ". " + e.getMessage();
- throw new SQLException(msg, " 08S01", e);
+ else {
+ // Pick trust store config from the given path
+ sslTrustStore = KeyStore.getInstance(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
+ sslTrustStore.load(new FileInputStream(sslTrustStorePath),
+ sslTrustStorePassword.toCharArray());
+ socketFactory = new SSLSocketFactory(sslTrustStore);
 }
+ socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+ Scheme sslScheme = new Scheme("https", 443, socketFactory);
+ httpClient.getConnectionManager().getSchemeRegistry().register(sslScheme);
+ }
+ catch (Exception e) {
+ String msg = "Could not create an https connection to " +
+ jdbcUriString + ". " + e.getMessage();
+ throw new SQLException(msg, " 08S01", e);
 }
 }
 httpClient.addRequestInterceptor(requestInterceptor);
Modified: hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java?rev=1633061&r1=1633060&r2=1633061&view=diff
==============================================================================
--- hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java (original)
+++ hive/branches/branch-0.14/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java Mon Oct 20 06:56:03 2014
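Review bot: `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)` is now reached for every https connection, including the Kerberos path this commit enables, so the client accepts any certificate that chains to the trust store no matter which host name it was issued for, and a server presenting a valid certificate for some other name is taken to be HiveServer2. Now that the block is shared by both auth modes it should use `SSLSocketFactory.STRICT_HOSTNAME_VERIFIER` by default, with the permissive verifier only behind an explicit connection parameter if it is still wanted for test setups. Two smaller points in the same block: the `new FileInputStream(sslTrustStorePath)` handed to `load` is never closed, and `sslTrustStorePassword.toCharArray()` throws NullPointerException when the password parameter is absent from sessConfMap, which the `catch (Exception e)` then reports as a generic "Could not create an https connection" failure. The enclosing method starts before this hunk.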
@@ -29,12 +29,10 @@ import org.apache.hadoop.hive.shims.Shim
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Shell;
 import org.apache.hive.service.auth.HiveAuthFactory;
-import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
 import org.apache.hive.service.cli.CLIService;
 import org.apache.hive.service.cli.thrift.TCLIService.Iface;
 import org.apache.hive.service.server.ThreadFactoryWithGarbageCleanup;
 import org.apache.thrift.TProcessor;
-import org.apache.thrift.TProcessorFactory;
 import org.apache.thrift.protocol.TBinaryProtocol;
 import org.apache.thrift.protocol.TProtocolFactory;
 import org.apache.thrift.server.TServlet;
@@ -60,9 +58,6 @@ public class ThriftHttpCLIService extend
 @Override
 public void run() {
 try {
- // Verify config validity
- verifyHttpConfiguration(hiveConf);
-
 // HTTP Server
 httpServer = new org.eclipse.jetty.server.Server();
@@ -162,32 +157,4 @@ public class ThriftHttpCLIService extend
 }
 return httpPath;
 }
-
- /**
- * Verify that this configuration is supported by transportMode of HTTP
- * @param hiveConf
- */
- private static void verifyHttpConfiguration(HiveConf hiveConf) {
- String authType = hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION);
-
- // Error out if KERBEROS auth mode is being used and use SSL is also set to true
- if(authType.equalsIgnoreCase(AuthTypes.KERBEROS.toString()) &&
- hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL)) {
- String msg = ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting of " +
- authType + " is not supported with " +
- ConfVars.HIVE_SERVER2_USE_SSL + " set to true";
- LOG.fatal(msg);
- throw new RuntimeException(msg);
- }
-
- // Warn that SASL is not used in http mode
- if(authType.equalsIgnoreCase(AuthTypes.NONE.toString())) {
- // NONE in case of thrift mode uses SASL
- LOG.warn(ConfVars.HIVE_SERVER2_AUTHENTICATION + " setting to " +
- authType + ". SASL is not supported with http transport mode," +
- " so using equivalent of "
- + AuthTypes.NOSASL);
- }
- }
-
 }