Repository: hive
Updated Branches:
  refs/heads/branch-2 da6891feb -> fdcf5603d


HIVE-17489: Separate client-facing and server-side Kerberos principals, to 
support HA (Thiruvel Thirumoolan, reviewed by Mithun Radhakrishnan)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/fdcf5603
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/fdcf5603
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/fdcf5603

Branch: refs/heads/branch-2
Commit: fdcf5603da1eb7b1e2e55b2750259093c5696b13
Parents: da6891f
Author: Mithun RK <mit...@apache.org>
Authored: Fri Sep 8 15:45:34 2017 -0700
Committer: Mithun RK <mith...@oath.com>
Committed: Fri Sep 29 17:57:40 2017 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   |  5 ++++
 .../hive/thrift/TestHadoopAuthBridge23.java     |  2 +-
 .../hadoop/hive/metastore/HiveMetaStore.java    |  3 ++-
 .../hive/service/auth/HiveAuthFactory.java      |  3 ++-
 .../hive/thrift/HadoopThriftAuthBridge.java     | 26 ++++++++++++++++----
 5 files changed, 31 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index b8052c6..7420310 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -705,6 +705,9 @@ public class HiveConf extends Configuration {
         "hive-metastore/_h...@example.com",
         "The service principal for the metastore Thrift server. \n" +
         "The special string _HOST will be replaced automatically with the 
correct host name."),
+    
METASTORE_CLIENT_KERBEROS_PRINCIPAL("hive.metastore.client.kerberos.principal",
+        "", // E.g. "hive-metastore/_h...@example.com".
+        "The Kerberos principal associated with the HA cluster of 
hcat_servers."),
     METASTORE_USE_THRIFT_SASL("hive.metastore.sasl.enabled", false,
         "If true, the metastore Thrift interface will be secured with SASL. 
Clients must authenticate with Kerberos."),
     
METASTORE_USE_THRIFT_FRAMED_TRANSPORT("hive.metastore.thrift.framed.transport.enabled",
 false,
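Review bot: The description of hive.metastore.client.kerberos.principal does not tell an operator how the value is used: it is the principal that clients authenticate the metastore against, it falls back to hive.metastore.kerberos.principal when left empty (HadoopThriftAuthBridge.Server constructor in this commit), and because that constructor logs in to both principals from the single keytabFile, both must be present in the keytab named by hive.metastore.kerberos.keytab.file. I would replace the string with `"Client-facing Kerberos principal for an HA metastore. Clients authenticate against this principal; it must be present in hive.metastore.kerberos.keytab.file and _HOST is substituted as for hive.metastore.kerberos.principal. Leave empty to use hive.metastore.kerberos.principal."`. The same applies to hive.server2.authentication.client.kerberos.principal in the second hunk of this file, whose text "used by the HA hive_server2s" reads as if it were a client-side setting and omits the fallback and the shared-keytab requirement with hive.server2.authentication.kerberos.keytab.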
@@ -2489,6 +2492,8 @@ public class HiveConf extends Configuration {
         "Kerberos keytab file for server principal"),
     
HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal",
 "",
         "Kerberos server principal"),
+    
HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL("hive.server2.authentication.client.kerberos.principal",
 "",
+        "Kerberos principal used by the HA hive_server2s."),
     HIVE_SERVER2_SPNEGO_KEYTAB("hive.server2.authentication.spnego.keytab", "",
         "keytab file for SPNego principal, optional,\n" +
         "typical value would look like 
/etc/security/keytabs/spnego.service.keytab,\n" +

http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
----------------------------------------------------------------------
diff --git 
a/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
 
b/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
index 7e5005c..f5ec3d1 100644
--- 
a/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
+++ 
b/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
@@ -85,7 +85,7 @@ public class TestHadoopAuthBridge23 {
 
   private static class MyHadoopThriftAuthBridge23 extends 
HadoopThriftAuthBridge23 {
     @Override
-    public Server createServer(String keytabFile, String principalConf)
+    public Server createServer(String keytabFile, String principalConf, String 
clientConf)
     throws TTransportException {
       //Create a Server that doesn't interpret any Kerberos stuff
       return new Server();

http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
----------------------------------------------------------------------
diff --git 
a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index 387da3c..6c9a660 100644
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -7170,7 +7170,8 @@ public class HiveMetaStore extends ThriftHiveMetastore {
         }
         saslServer = bridge.createServer(
             conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_KEYTAB_FILE),
-            conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL));
+            conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL),
+            
conf.getVar(HiveConf.ConfVars.METASTORE_CLIENT_KERBEROS_PRINCIPAL));
         // Start delegation token manager
         delegationTokenManager = new HiveDelegationTokenManager();
         delegationTokenManager.startDelegationTokenSecretManager(conf, 
baseHandler,

http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index dcb6338..d43c486 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -108,7 +108,8 @@ public class HiveAuthFactory {
       saslServer =
           ShimLoader.getHadoopThriftAuthBridge().createServer(
               conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
-              conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
+              conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL),
+              conf.getVar(ConfVars.HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL));
 
       // Start delegation token manager
       delegationTokenManager = new HiveDelegationTokenManager();

http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
----------------------------------------------------------------------
diff --git 
a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
 
b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
index c59ac5b..668bbc7 100644
--- 
a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
+++ 
b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
@@ -98,8 +98,8 @@ public abstract class HadoopThriftAuthBridge {
     }
   }
 
-  public Server createServer(String keytabFile, String principalConf) throws 
TTransportException {
-    return new Server(keytabFile, principalConf);
+  public Server createServer(String keytabFile, String principalConf, String 
clientConf) throws TTransportException {
+    return new Server(keytabFile, principalConf, clientConf);
   }
 
 
@@ -309,11 +309,13 @@ public abstract class HadoopThriftAuthBridge {
     };
 
     protected final UserGroupInformation realUgi;
+    protected final UserGroupInformation clientValidationUGI;
     protected DelegationTokenSecretManager secretManager;
 
     public Server() throws TTransportException {
       try {
         realUgi = UserGroupInformation.getCurrentUser();
+        clientValidationUGI = UserGroupInformation.getCurrentUser();
       } catch (IOException ioe) {
         throw new TTransportException(ioe);
       }
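Review bot: The new clientValidationUGI field carries no comment explaining how it differs from realUgi, although the later hunks give the two distinct roles (clientValidationUGI is what the SASL transport factory wraps and whose name is parsed for the SASL server, while realUgi presumably keeps the per-host server identity). I would add above the declaration `// Identity clients authenticate against (the client-facing/HA principal); realUgi remains the server-side principal.`. In the no-argument constructor the two fields are populated by separate getCurrentUser() calls; `clientValidationUGI = realUgi;` would state explicitly that this path has no separate client-facing identity.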
@@ -321,7 +323,7 @@ public abstract class HadoopThriftAuthBridge {
     /**
      * Create a server with a kerberos keytab/principal.
      */
-    protected Server(String keytabFile, String principalConf)
+    protected Server(String keytabFile, String principalConf, String 
clientConf)
         throws TTransportException {
       if (keytabFile == null || keytabFile.isEmpty()) {
         throw new TTransportException("No keytab specified");
@@ -329,10 +331,24 @@ public abstract class HadoopThriftAuthBridge {
       if (principalConf == null || principalConf.isEmpty()) {
         throw new TTransportException("No principal specified");
       }
+      if (clientConf == null || clientConf.isEmpty()) {
+        // Don't bust existing setups.
+        LOG.warn("Client-facing principal not set. Using server-side setting: 
" + principalConf);
+        clientConf = principalConf;
+      }
 
       // Login from the keytab
       String kerberosName;
       try {
+        LOG.info("Logging in via CLIENT based principal ");
+        kerberosName =
+            SecurityUtil.getServerPrincipal(clientConf, "0.0.0.0");
+        UserGroupInformation.loginUserFromKeytab(
+            kerberosName, keytabFile);
+        clientValidationUGI = UserGroupInformation.getLoginUser();
+        assert clientValidationUGI.isFromKeytab();
+
+        LOG.info("Logging in via SERVER based principal ");
         kerberosName =
             SecurityUtil.getServerPrincipal(principalConf, "0.0.0.0");
         UserGroupInformation.loginUserFromKeytab(
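Review bot: `assert clientValidationUGI.isFromKeytab();` is only evaluated when the JVM runs with -ea, so in production a login that yields a non-keytab UGI passes silently; make it an explicit check, `if (!clientValidationUGI.isFromKeytab()) {` / `throw new TTransportException("Client-facing principal login is not keytab-based: " + kerberosName);` / `}`. The second loginUserFromKeytab call replaces the process-wide login user after clientValidationUGI has been captured; I cannot see whether anything later calls reloginFromKeytab on clientValidationUGI, but if it does, confirm that the Hadoop version in use tracks keytab and principal per UGI rather than in static fields, otherwise its relogin would use the server principal. The two info messages have trailing spaces and omit the principal; `LOG.info("Logging in via client-facing principal " + kerberosName);` placed after kerberosName is computed is more useful when debugging a mismatched keytab. Note also that no test in this commit exercises the empty-clientConf fallback or the dual login; the only test change is the signature update. The constructor continues outside the hunk.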
@@ -362,7 +378,7 @@ public abstract class HadoopThriftAuthBridge {
 
       TSaslServerTransport.Factory transFactory = 
createSaslServerTransportFactory(saslProps);
 
-      return new TUGIAssumingTransportFactory(transFactory, realUgi);
+      return new TUGIAssumingTransportFactory(transFactory, 
clientValidationUGI);
     }
 
     /**
@@ -374,7 +390,7 @@ public abstract class HadoopThriftAuthBridge {
     public TSaslServerTransport.Factory createSaslServerTransportFactory(
         Map<String, String> saslProps) throws TTransportException {
       // Parse out the kerberos principal, host, realm.
-      String kerberosName = realUgi.getUserName();
+      String kerberosName = clientValidationUGI.getUserName();
       final String names[] = SaslRpcServer.splitKerberosName(kerberosName);
       if (names.length != 3) {
         throw new TTransportException("Kerberos principal should have 3 parts: 
" + kerberosName);
