Repository: hive
Updated Branches:
  refs/heads/branch-2.2 2e7ad5353 -> beced51e7


HIVE-17489: Separate client-facing and server-side Kerberos principals, to 
support HA (Thiruvel Thirumoolan, reviewed by Mithun Radhakrishnan)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/beced51e
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/beced51e
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/beced51e

Branch: refs/heads/branch-2.2
Commit: beced51e7035795ce8ddc2de7b48fd908a691944
Parents: 2e7ad53
Author: Mithun RK <mit...@apache.org>
Authored: Fri Sep 8 15:45:34 2017 -0700
Committer: Mithun RK <mith...@oath.com>
Committed: Fri Sep 29 17:57:58 2017 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   |  5 ++++
 .../hive/thrift/TestHadoopAuthBridge23.java     |  2 +-
 .../hadoop/hive/metastore/HiveMetaStore.java    |  3 ++-
 .../hive/service/auth/HiveAuthFactory.java      |  3 ++-
 .../hive/thrift/HadoopThriftAuthBridge.java     | 26 ++++++++++++++++----
 5 files changed, 31 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/beced51e/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index ce5ec43..69389e5 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -694,6 +694,9 @@ public class HiveConf extends Configuration {
         "hive-metastore/_h...@example.com",
         "The service principal for the metastore Thrift server. \n" +
         "The special string _HOST will be replaced automatically with the 
correct host name."),
+    
METASTORE_CLIENT_KERBEROS_PRINCIPAL("hive.metastore.client.kerberos.principal",
+        "", // E.g. "hive-metastore/_h...@example.com".
+        "The Kerberos principal associated with the HA cluster of 
hcat_servers."),
     METASTORE_USE_THRIFT_SASL("hive.metastore.sasl.enabled", false,
         "If true, the metastore Thrift interface will be secured with SASL. 
Clients must authenticate with Kerberos."),
     
METASTORE_USE_THRIFT_FRAMED_TRANSPORT("hive.metastore.thrift.framed.transport.enabled",
 false,
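Review bot: The description of `hive.metastore.client.kerberos.principal` on the added lines does not tell an operator that the key for this principal must also be present in `hive.metastore.kerberos.keytab.file` — the HadoopThriftAuthBridge hunk in this commit logs both principals in from that one keytab — nor that an empty value falls back to `hive.metastore.kerberos.principal`. The phrase "HA cluster of hcat_servers" is also informal for a user-facing config description. Suggest: `"Client-facing Kerberos principal shared by all metastore instances in an HA setup. Its key must be present in hive.metastore.kerberos.keytab.file; clients authenticate against this principal. If empty, hive.metastore.kerberos.principal is used."`. The ConfVars enum continues outside this hunk.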
@@ -2468,6 +2471,8 @@ public class HiveConf extends Configuration {
         "Kerberos keytab file for server principal"),
     
HIVE_SERVER2_KERBEROS_PRINCIPAL("hive.server2.authentication.kerberos.principal",
 "",
         "Kerberos server principal"),
+    
HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL("hive.server2.authentication.client.kerberos.principal",
 "",
+        "Kerberos principal used by the HA hive_server2s."),
     HIVE_SERVER2_SPNEGO_KEYTAB("hive.server2.authentication.spnego.keytab", "",
         "keytab file for SPNego principal, optional,\n" +
         "typical value would look like 
/etc/security/keytabs/spnego.service.keytab,\n" +
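Review bot: `hive.server2.authentication.client.kerberos.principal` is described only as "Kerberos principal used by the HA hive_server2s", which says nothing about which keytab it is loaded from or what happens when it is unset. From the HadoopThriftAuthBridge hunk in this commit, the principal is logged in from `hive.server2.authentication.kerberos.keytab`, and an empty value falls back to `hive.server2.authentication.kerberos.principal`. Suggest: `"Client-facing Kerberos principal shared by HiveServer2 instances in an HA setup.\n" + "Its key must be present in hive.server2.authentication.kerberos.keytab; if empty, hive.server2.authentication.kerberos.principal is used."`. The ConfVars enum continues outside this hunk.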

http://git-wip-us.apache.org/repos/asf/hive/blob/beced51e/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
----------------------------------------------------------------------
diff --git 
a/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
 
b/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
index 36a9ea8..1ea2264 100644
--- 
a/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
+++ 
b/itests/hive-unit-hadoop2/src/test/java/org/apache/hadoop/hive/thrift/TestHadoopAuthBridge23.java
@@ -85,7 +85,7 @@ public class TestHadoopAuthBridge23 {
 
   private static class MyHadoopThriftAuthBridge23 extends 
HadoopThriftAuthBridge23 {
     @Override
-    public Server createServer(String keytabFile, String principalConf)
+    public Server createServer(String keytabFile, String principalConf, String 
clientConf)
     throws TTransportException {
       //Create a Server that doesn't interpret any Kerberos stuff
       return new Server();

http://git-wip-us.apache.org/repos/asf/hive/blob/beced51e/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
----------------------------------------------------------------------
diff --git 
a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index c51a623..481b2b4 100644
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -6874,7 +6874,8 @@ public class HiveMetaStore extends ThriftHiveMetastore {
         }
         saslServer = bridge.createServer(
             conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_KEYTAB_FILE),
-            conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL));
+            conf.getVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL),
+            
conf.getVar(HiveConf.ConfVars.METASTORE_CLIENT_KERBEROS_PRINCIPAL));
         // Start delegation token manager
         delegationTokenManager = new HiveDelegationTokenManager();
         delegationTokenManager.startDelegationTokenSecretManager(conf, 
baseHandler,

http://git-wip-us.apache.org/repos/asf/hive/blob/beced51e/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index 168ba35..87c844e 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -123,7 +123,8 @@ public class HiveAuthFactory {
       saslServer =
           ShimLoader.getHadoopThriftAuthBridge().createServer(
               conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
-              conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
+              conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL),
+              conf.getVar(ConfVars.HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL));
 
       // Start delegation token manager
       delegationTokenManager = new HiveDelegationTokenManager();

http://git-wip-us.apache.org/repos/asf/hive/blob/beced51e/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
----------------------------------------------------------------------
diff --git 
a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
 
b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
index 6d2fad9..ca37941 100644
--- 
a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
+++ 
b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
@@ -98,8 +98,8 @@ public abstract class HadoopThriftAuthBridge {
     }
   }
 
-  public Server createServer(String keytabFile, String principalConf) throws 
TTransportException {
-    return new Server(keytabFile, principalConf);
+  public Server createServer(String keytabFile, String principalConf, String 
clientConf) throws TTransportException {
+    return new Server(keytabFile, principalConf, clientConf);
   }
 
 
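Review bot: Replacing the two-argument `createServer` on this public abstract class removes a method that other shims or callers on a maintenance branch (branch-2.2) may compile against or override — `TestHadoopAuthBridge23` in this same commit had to be adjusted for exactly that reason. A delegating overload keeps source and binary compatibility at no cost, since the three-argument constructor already treats a null or empty `clientConf` as "use principalConf": `public Server createServer(String keytabFile, String principalConf) throws TTransportException { return createServer(keytabFile, principalConf, null); }`. The new parameter also deserves a Javadoc line stating that `clientConf` is the client-facing principal and that null/empty falls back to `principalConf`.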
@@ -303,11 +303,13 @@ public abstract class HadoopThriftAuthBridge {
     };
 
     protected final UserGroupInformation realUgi;
+    protected final UserGroupInformation clientValidationUGI;
     protected DelegationTokenSecretManager secretManager;
 
     public Server() throws TTransportException {
       try {
         realUgi = UserGroupInformation.getCurrentUser();
+        clientValidationUGI = UserGroupInformation.getCurrentUser();
       } catch (IOException ioe) {
         throw new TTransportException(ioe);
       }
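Review bot: The new `clientValidationUGI` field carries no comment explaining how it differs from `realUgi`, and that distinction is the whole point of the change: later hunks hand `clientValidationUGI` to `TUGIAssumingTransportFactory` and derive the SASL service name from it, while `realUgi` presumably keeps the host-specific server login (its keytab assignment is outside this hunk). Suggest above the field: `/** Login for the client-facing (possibly HA-shared) principal; the SASL server transport runs as this UGI. realUgi holds the server-side principal. */`. The Server class and its constructors continue outside this hunk.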
@@ -315,7 +317,7 @@ public abstract class HadoopThriftAuthBridge {
     /**
      * Create a server with a kerberos keytab/principal.
      */
-    protected Server(String keytabFile, String principalConf)
+    protected Server(String keytabFile, String principalConf, String 
clientConf)
         throws TTransportException {
       if (keytabFile == null || keytabFile.isEmpty()) {
         throw new TTransportException("No keytab specified");
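Review bot: The Javadoc above the changed constructor still reads "Create a server with a kerberos keytab/principal." and says nothing about the new `clientConf` parameter or its null/empty fallback to `principalConf`, which is implemented a few lines further down in the same constructor. Suggest replacing it with: `/** Create a server that logs in from {@code keytabFile} as both the client-facing principal {@code clientConf} (the identity SASL clients authenticate against) and the server principal {@code principalConf}. A null or empty {@code clientConf} falls back to {@code principalConf}. */`. The constructor body continues past this hunk.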
@@ -323,10 +325,24 @@ public abstract class HadoopThriftAuthBridge {
       if (principalConf == null || principalConf.isEmpty()) {
         throw new TTransportException("No principal specified");
       }
+      if (clientConf == null || clientConf.isEmpty()) {
+        // Don't bust existing setups.
+        LOG.warn("Client-facing principal not set. Using server-side setting: 
" + principalConf);
+        clientConf = principalConf;
+      }
 
       // Login from the keytab
       String kerberosName;
       try {
+        LOG.info("Logging in via CLIENT based principal ");
+        kerberosName =
+            SecurityUtil.getServerPrincipal(clientConf, "0.0.0.0");
+        UserGroupInformation.loginUserFromKeytab(
+            kerberosName, keytabFile);
+        clientValidationUGI = UserGroupInformation.getLoginUser();
+        assert clientValidationUGI.isFromKeytab();
+
+        LOG.info("Logging in via SERVER based principal ");
         kerberosName =
             SecurityUtil.getServerPrincipal(principalConf, "0.0.0.0");
         UserGroupInformation.loginUserFromKeytab(
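Review bot: Both logins on the added lines use the same `keytabFile`, so the client-facing principal's key must live in the server keytab or startup fails, and nothing in the config descriptions or the error handling here says so; an IOException from `loginUserFromKeytab` should at least be wrapped with which principal was being logged in. The `assert clientValidationUGI.isFromKeytab();` is a no-op unless the JVM runs with `-ea`; if the invariant matters for an authentication path it should be `if (!clientValidationUGI.isFromKeytab()) { throw new TTransportException("Client-facing principal login did not use the keytab: " + kerberosName); }`. `UserGroupInformation.loginUserFromKeytab` is a static login and, in Hadoop 2.x as I recall it, keytab re-login reads static principal/keytab fields set by the most recent call — so a later ticket renewal on `clientValidationUGI` might re-login as the server principal; worth confirming against the Hadoop version this branch builds with. `SecurityUtil.getServerPrincipal(clientConf, "0.0.0.0")` presumably performs the same `_HOST` substitution the server principal gets, which for a shared HA principal would give every node a different identity, so the config description should warn against `_HOST` in the client-facing principal. The enclosing try block and the `realUgi` assignment continue outside this hunk.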
@@ -356,7 +372,7 @@ public abstract class HadoopThriftAuthBridge {
 
       TSaslServerTransport.Factory transFactory = 
createSaslServerTransportFactory(saslProps);
 
-      return new TUGIAssumingTransportFactory(transFactory, realUgi);
+      return new TUGIAssumingTransportFactory(transFactory, 
clientValidationUGI);
     }
 
     /**
@@ -368,7 +384,7 @@ public abstract class HadoopThriftAuthBridge {
     public TSaslServerTransport.Factory createSaslServerTransportFactory(
         Map<String, String> saslProps) throws TTransportException {
       // Parse out the kerberos principal, host, realm.
-      String kerberosName = realUgi.getUserName();
+      String kerberosName = clientValidationUGI.getUserName();
       final String names[] = SaslRpcServer.splitKerberosName(kerberosName);
       if (names.length != 3) {
         throw new TTransportException("Kerberos principal should have 3 parts: 
" + kerberosName);
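Review bot: The three-part check now runs on `clientValidationUGI.getUserName()`, but the message `"Kerberos principal should have 3 parts: "` does not say which of the two configured principals it is complaining about, and with this commit both are in play. Suggest `throw new TTransportException("Client-facing Kerberos principal should have 3 parts: " + kerberosName);` so an operator can tell which setting to fix. The method continues past this hunk.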
