This is an automated email from the ASF dual-hosted git repository.

ayushsaxena pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 0fcbe7b1af4 HIVE-28778: Support Secure Zookeeper Access in Hive 
SecretManager (#5657). (Tanishq Chugh, reviewed by Ayush Saxena)
0fcbe7b1af4 is described below

commit 0fcbe7b1af410cb371ffe5b7b6cc6b92b3886d35
Author: Tanishq Chugh <[email protected]>
AuthorDate: Sat Mar 1 08:23:12 2025 +0530

    HIVE-28778: Support Secure Zookeeper Access in Hive SecretManager (#5657). 
(Tanishq Chugh, reviewed by Ayush Saxena)
---
 .../java/org/apache/hadoop/hive/conf/HiveConf.java | 15 +++++++++
 .../hadoop/hive/llap/security/SecretManager.java   | 38 ++++++++++++++++++----
 2 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 31dc00f4019..23a46db3e2f 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -415,6 +415,11 @@ private static void populateLlapDaemonVarsSet(Set<String> 
llapDaemonVarsSetLocal
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_KERBEROS_PRINCIPAL.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_KERBEROS_KEYTAB_FILE.varname);
     
llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING.varname);
+    
llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED.varname);
+    
llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_LOCATION.varname);
+    
llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_PASSWORD.varname);
+    
llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_LOCATION.varname);
+    
llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_PASSWORD.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_SECURITY_ACL.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_ACL.varname);
     llapDaemonVarsSetLocal.add(ConfVars.LLAP_SECURITY_ACL_DENY.varname);
@@ -5192,6 +5197,16 @@ public static enum ConfVars {
         "By default, the clients are required to provide tokens to access 
HDFS/etc."),
     LLAP_ZKSM_ZK_CONNECTION_STRING("hive.llap.zk.sm.connectionString", "",
         "ZooKeeper connection string for ZooKeeper SecretManager."),
+    LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED("hive.llap.zk.sm.ssl.enabled", false,
+            "Secure ZooKeeper connection enabled for ZooKeeper 
SecretManager."),
+    
LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_LOCATION("hive.llap.zk.sm.ssl.keystore.location",
 "",
+            "Keystore location for secure ZooKeeper connection for ZooKeeper 
SecretManager."),
+    
LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_PASSWORD("hive.llap.zk.sm.ssl.keystore.password",
 "",
+            "Keystore password for secure ZooKeeper connection for ZooKeeper 
SecretManager."),
+    
LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_LOCATION("hive.llap.zk.sm.ssl.truststore.location",
 "",
+            "Truststore location for secure ZooKeeper connection for ZooKeeper 
SecretManager."),
+    
LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_PASSWORD("hive.llap.zk.sm.ssl.truststore.password",
 "",
+            "Truststore password for secure ZooKeeper connection for ZooKeeper 
SecretManager."),
     LLAP_ZKSM_ZK_SESSION_TIMEOUT("hive.llap.zk.sm.session.timeout", "40s", new 
TimeValidator(
         TimeUnit.MILLISECONDS), "ZooKeeper session timeout for ZK 
SecretManager."),
     LLAP_ZK_REGISTRY_USER("hive.llap.zk.registry.user", "",
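Review bot: The two new password settings `hive.llap.zk.sm.ssl.keystore.password` and `hive.llap.zk.sm.ssl.truststore.password` are declared as ordinary string ConfVars, and nothing in this diff adds them to HiveConf's hidden-configuration list (`hive.conf.hidden.list`), so unless that list is updated elsewhere they would be printed by `set`/`set -v` and included in configuration dumps like any other value. If the list's default is maintained in this file, consider appending both keys to it in the same change so the masking matches the other keystore/truststore password entries. The ConfVars enum continues outside the hunk.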
diff --git 
a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java 
b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
index 78a1d4870bf..5a01076807c 100644
--- 
a/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
+++ 
b/llap-common/src/java/org/apache/hadoop/hive/llap/security/SecretManager.java
@@ -24,11 +24,9 @@
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 
-import org.apache.curator.ensemble.fixed.FixedEnsembleProvider;
 import org.apache.curator.framework.CuratorFramework;
-import org.apache.curator.framework.CuratorFrameworkFactory;
-import org.apache.curator.retry.RetryOneTime;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.common.ZooKeeperHiveHelper;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.llap.LlapUtil;
@@ -201,6 +199,19 @@ private static LlapZkConf createLlapZkConf(
     setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_CONNECTION_STRING,
         HiveConf.getVar(zkConf, ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING));
 
+    if (HiveConf.getBoolVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED)) {
+      setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_SSL_ENABLED,
+              HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED));
+      setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_SSL_KEYSTORE_LOCATION,
+              HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_LOCATION));
+      setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_SSL_KEYSTORE_PASSWORD,
+              HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_PASSWORD));
+      setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_SSL_TRUSTSTORE_LOCATION,
+              HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_LOCATION));
+      setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_SSL_TRUSTSTORE_PASSWORD,
+              HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_PASSWORD));
+    }
+    
     UserGroupInformation zkUgi = null;
     try {
       zkUgi = LlapUtil.loginWithKerberos(llapPrincipal, llapKeytab);
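Review bot: The first added setZkConfIfNotSet call reads the boolean-typed `LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED` through `HiveConf.getVar`; as far as I recall getVar asserts that the var is String-valued, so this would raise an AssertionError whenever assertions are enabled (for example under the test runner) even though it works with assertions off. Since the call sits inside the `if` that already established the flag is true, `setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_SSL_ENABLED, "true")` or `String.valueOf(HiveConf.getBoolVar(conf, ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED))` avoids the typed-accessor mismatch. The new lookups also read from `conf`, whereas the connection-string lookup just above reads from `zkConf`; if the two objects can differ, a one-line comment explaining which one is authoritative would help. createLlapZkConf starts and ends outside the hunk.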
@@ -267,10 +278,23 @@ public void close() {
   private static void checkRootAcls(Configuration conf, String path, String 
user) {
     int stime = conf.getInt(ZK_DTSM_ZK_SESSION_TIMEOUT, 
ZK_DTSM_ZK_SESSION_TIMEOUT_DEFAULT),
         ctime = conf.getInt(ZK_DTSM_ZK_CONNECTION_TIMEOUT, 
ZK_DTSM_ZK_CONNECTION_TIMEOUT_DEFAULT);
-    CuratorFramework zkClient = 
CuratorFrameworkFactory.builder().namespace(null)
-        .retryPolicy(new 
RetryOneTime(10)).sessionTimeoutMs(stime).connectionTimeoutMs(ctime)
-        .ensembleProvider(new 
FixedEnsembleProvider(conf.get(ZK_DTSM_ZK_CONNECTION_STRING)))
-        .build();
+
+    CuratorFramework zkClient = null;
+    if (HiveConf.getBoolVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED)) {
+      zkClient = 
ZooKeeperHiveHelper.builder().quorum(conf.get(ZK_DTSM_ZK_CONNECTION_STRING))
+              
.maxRetries(1).baseSleepTime(10).sessionTimeout(stime).connectionTimeout(ctime)
+              .sslEnabled(HiveConf.getBoolVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED))
+              .keyStoreLocation(HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_LOCATION))
+              .keyStorePassword(HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_KEYSTORE_PASSWORD))
+              .trustStoreLocation(HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_LOCATION))
+              .trustStorePassword(HiveConf.getVar(conf, 
ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_TRUSTSTORE_PASSWORD))
+              .build().getNewZookeeperClient();
+    } else {
+      zkClient = 
ZooKeeperHiveHelper.builder().quorum(conf.get(ZK_DTSM_ZK_CONNECTION_STRING))
+              
.maxRetries(1).baseSleepTime(10).sessionTimeout(stime).connectionTimeout(ctime)
+              .build().getNewZookeeperClient();
+    }
+
     // Hardcoded from a private field in ZKDelegationTokenSecretManager.
     // We need to check the path under what it sets for namespace, since the 
namespace is
     // created with world ACLs.
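Review bot: The SSL branch of the new zkClient construction repeats the quorum/retry/timeout chain of the else branch, and `.sslEnabled(HiveConf.getBoolVar(conf, ConfVars.LLAP_ZKSM_ZK_CONNECTION_SSL_ENABLED))` is always true inside that `if`, so `.sslEnabled(true)` says the same thing; building the common builder once and applying the four store settings only when SSL is on would leave a single `getNewZookeeperClient()` call and drop the `zkClient = null` pre-initialization. The removed code created the client with `namespace(null)`, and the comment that follows relies on checking the path without a namespace, so please confirm the ZooKeeperHiveHelper client likewise leaves the namespace unset; otherwise the root ACL check would inspect a different path. This branch also decides SSL from the Hive ConfVar rather than the `ZK_DTSM_ZK_SSL_*` keys that createLlapZkConf populates, which is fine if the Configuration passed here is the same object but is worth a comment. checkRootAcls continues outside the hunk.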
