Repository: hive Updated Branches: refs/heads/branch-2 da6891feb -> fdcf5603d
HIVE-17489: Separate client-facing and server-side Kerberos principals, to support HA (Thiruvel Thirumoolan, reviewed by Mithun Radhakrishnan) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/fdcf5603 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/fdcf5603 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/fdcf5603 Branch: refs/heads/branch-2 Commit: fdcf5603da1eb7b1e2e55b2750259093c5696b13 Parents: da6891f Author: Mithun RK <mit...@apache.org> Authored: Fri Sep 8 15:45:34 2017 -0700 Committer: Mithun RK <mith...@oath.com> Committed: Fri Sep 29 17:57:40 2017 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/hive/conf/HiveConf.java | 5 ++++ .../hive/thrift/TestHadoopAuthBridge23.java | 2 +- .../hadoop/hive/metastore/HiveMetaStore.java | 3 ++- .../hive/service/auth/HiveAuthFactory.java | 3 ++- .../hive/thrift/HadoopThriftAuthBridge.java | 26 ++++++++++++++++---- 5 files changed, 31 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java ---------------------------------------------------------------------- diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index b8052c6..7420310 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
@@ -705,6 +705,9 @@ public class HiveConf extends Configuration { "hive-metastore/_h...@example.com", "The service principal for the metastore Thrift server. \n" + "The special string _HOST will be replaced automatically with the correct host name."), + METASTORE_CLIENT_KERBEROS_PRINCIPAL("hive.metastore.client.kerberos.principal", + "", // E.g. "hive-metastore/_h...@example.com". + "The Kerberos principal associated with the HA cluster of hcat_servers."), METASTORE_USE_THRIFT_SASL("hive.metastore.sasl.enabled", false, "If true, the metastore Thrift interface will be secured with SASL. Clients must authenticate with Kerberos."), METASTORE_USE_THRIFT_FRAMED_TRANSPORT("hive.metastore.thrift.framed.transport.enabled", false, @@ -2489,6 +2492,8 @@ public class HiveConf extends Configuration { "Kerberos keytab file for server principal"), HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal", "", "Kerberos server principal"), + HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL("hive.server2.authentication.client.kerberos.principal", "", + "Kerberos principal used by the HA hive_server2s."), HIVE_SERVER2_SPNEGO_KEYTAB("hive.server2.authentication.spnego.keytab", "", "keytab file for SPNego principal, optional,\n" + "typical value would look like /etc/security/keytabs/spnego.service.keytab,\n" + http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java ---------------------------------------------------------------------- diff --git a/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java b/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java index 7e5005c..f5ec3d1 100644 --- a/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java +++ b/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java 
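Review bot: The description of the new METASTORE_CLIENT_KERBEROS_PRINCIPAL entry does not say how the value is used or what an empty value means, and the fallback to the server principal that HadoopThriftAuthBridge applies in this same commit is invisible to anyone reading hive-site; since this setting decides which principal clients authenticate the metastore against, it deserves the same precision as the entry just above it. Suggest replacing the description with `"The Kerberos principal that clients authenticate the metastore Thrift server against, e.g. a shared principal for an HA cluster. \n" + "_HOST is replaced as for hive.metastore.kerberos.principal; the keytab in hive.metastore.kerberos.keytab.file must also hold this principal. \n" + "If empty, hive.metastore.kerberos.principal is used."`. The second hunk's HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL ("Kerberos principal used by the HA hive_server2s.") needs the same treatment, phrased against the hive.server2.authentication.kerberos.* settings it pairs with.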
@@ -85,7 +85,7 @@ public class TestHadoopAuthBridge23 { private static class MyHadoopThriftAuthBridge23 extends HadoopThriftAuthBridge23 { @Override - public Server createServer(String keytabFile, String principalConf) + public Server createServer(String keytabFile, String principalConf, String clientConf) throws TTransportException { //Create a Server that doesn't interpret any Kerberos stuff return new Server(); http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java ---------------------------------------------------------------------- diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java index 387da3c..6c9a660 100644 --- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java +++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java @@ -7170,7 +7170,8 @@ public class HiveMetaStore extends ThriftHiveMetastore { } saslServer = bridge.createServer( conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_KEYTAB_FILE), - conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL)); + conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL), + conf.getVar(HiveConf.ConfVars.METASTORE_CLIENT_KERBEROS_PRINCIPAL)); // Start delegation token manager delegationTokenManager = new HiveDelegationTokenManager(); delegationTokenManager.startDelegationTokenSecretManager(conf, baseHandler, http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java ---------------------------------------------------------------------- diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java index dcb6338..d43c486 100644 --- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java @@ -108,7 +108,8 @@ public class HiveAuthFactory { saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer( conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB), - conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL)); + conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL), + conf.getVar(ConfVars.HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL)); // Start delegation token manager delegationTokenManager = new HiveDelegationTokenManager(); http://git-wip-us.apache.org/repos/asf/hive/blob/fdcf5603/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java ---------------------------------------------------------------------- diff --git a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java index c59ac5b..668bbc7 100644 --- a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java +++ b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java @@ -98,8 +98,8 @@ public abstract class HadoopThriftAuthBridge { } } - public Server createServer(String keytabFile, String principalConf) throws TTransportException { - return new Server(keytabFile, principalConf); + public Server createServer(String keytabFile, String principalConf, String clientConf) throws TTransportException { + return new Server(keytabFile, principalConf, clientConf); } @@ -309,11 +309,13 @@ public abstract class HadoopThriftAuthBridge { }; protected final UserGroupInformation realUgi; + protected final UserGroupInformation clientValidationUGI; protected DelegationTokenSecretManager secretManager; public Server() throws TTransportException { try { realUgi = UserGroupInformation.getCurrentUser(); + clientValidationUGI = UserGroupInformation.getCurrentUser(); } catch (IOException ioe) { throw new TTransportException(ioe); } 
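Review bot: The public two-argument `createServer(String keytabFile, String principalConf)` is removed rather than kept, so every two-argument caller breaks at compile time and a subclass overriding the old signature without `@Override` silently stops overriding (the in-tree test in this commit had to be changed for exactly that reason). Keeping a delegating overload costs three lines, `public Server createServer(String keytabFile, String principalConf) throws TTransportException { return createServer(keytabFile, principalConf, null); }`, and the null/empty fallback the three-argument Server constructor adds in this commit already gives it the old behaviour. In the last hunk here, the new `clientValidationUGI` field carries no comment distinguishing it from `realUgi`; suggest `// UGI for the client-facing principal; the SASL transport validates clients under this identity. realUgi is presumably still the server-side identity for everything else — confirm against its remaining uses.` since those uses lie outside these hunks.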
@@ -321,7 +323,7 @@ public abstract class HadoopThriftAuthBridge { /** * Create a server with a kerberos keytab/principal. */ - protected Server(String keytabFile, String principalConf) + protected Server(String keytabFile, String principalConf, String clientConf) throws TTransportException { if (keytabFile == null || keytabFile.isEmpty()) { throw new TTransportException("No keytab specified"); @@ -329,10 +331,24 @@ public abstract class HadoopThriftAuthBridge { if (principalConf == null || principalConf.isEmpty()) { throw new TTransportException("No principal specified"); } + if (clientConf == null || clientConf.isEmpty()) { + // Don't bust existing setups. + LOG.warn("Client-facing principal not set. Using server-side setting: " + principalConf); + clientConf = principalConf; + } // Login from the keytab String kerberosName; try { + LOG.info("Logging in via CLIENT based principal "); + kerberosName = + SecurityUtil.getServerPrincipal(clientConf, "0.0.0.0"); + UserGroupInformation.loginUserFromKeytab( + kerberosName, keytabFile); + clientValidationUGI = UserGroupInformation.getLoginUser(); + assert clientValidationUGI.isFromKeytab(); + + LOG.info("Logging in via SERVER based principal "); kerberosName = SecurityUtil.getServerPrincipal(principalConf, "0.0.0.0"); UserGroupInformation.loginUserFromKeytab( @@ -362,7 +378,7 @@ public abstract class HadoopThriftAuthBridge { TSaslServerTransport.Factory transFactory = createSaslServerTransportFactory(saslProps); - return new TUGIAssumingTransportFactory(transFactory, realUgi); + return new TUGIAssumingTransportFactory(transFactory, clientValidationUGI); } /** 
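Review bot: `assert clientValidationUGI.isFromKeytab();` in the second hunk only executes when the JVM runs with -ea, so in a normal deployment a client-facing login that did not come from the keytab is not caught and that UGI is handed straight to TUGIAssumingTransportFactory in the third hunk; an explicit check, `if (!clientValidationUGI.isFromKeytab()) { throw new TTransportException("Client-facing principal login is not from keytab: " + kerberosName); }`, fails fast instead. The two `LOG.info` lines are written before the principal is resolved and name no principal; logging `kerberosName` after each `getServerPrincipal` call would make the warn-on-fallback path and the shared-keytab requirement (both principals are loaded from the same `keytabFile`) diagnosable from the log alone. The second `loginUserFromKeytab` replaces the static login user, so `clientValidationUGI` is no longer what `getLoginUser()` returns; whether its ticket is renewed alongside the server-side one presumably depends on code outside this hunk and deserves a comment on that line. The constructor continues past the hunk, so if the server-side login below mirrors the assert, the same replacement applies there.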
@@ -374,7 +390,7 @@ public abstract class HadoopThriftAuthBridge { public TSaslServerTransport.Factory createSaslServerTransportFactory( Map<String, String> saslProps) throws TTransportException { // Parse out the kerberos principal, host, realm. - String kerberosName = realUgi.getUserName(); + String kerberosName = clientValidationUGI.getUserName(); final String names[] = SaslRpcServer.splitKerberosName(kerberosName); if (names.length != 3) { throw new TTransportException("Kerberos principal should have 3 parts: " + kerberosName);
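Review bot: createSaslServerTransportFactory now derives the SASL service name and realm from `clientValidationUGI` while `realUgi` keeps the server-side identity, and nothing in the hunk records that the two may differ or why; the method's Javadoc starts above the hunk and should say so. Suggest adding to it: `The SASL service name and realm come from the client-facing principal (clientValidationUGI), not from the server-side login (realUgi); clients must obtain a ticket for the client-facing principal.` The `names.length != 3` message on the next line still says only "Kerberos principal"; `"Client-facing Kerberos principal should have 3 parts: "` would point an operator at the setting that actually needs fixing now that two principals are in play.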