[hive] branch master updated: HIVE-26425: Skip SSL cert verification for downloading JWKS in HS2 (#3473)

2022-08-01 Thread dengzh
This is an automated email from the ASF dual-hosted git repository.

dengzh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
 new 7e2af57fccc HIVE-26425: Skip SSL cert verification for downloading 
JWKS in HS2 (#3473)
7e2af57fccc is described below

commit 7e2af57fccc0e22e03103119df19715e04d4e18b
Author: Yu-Wen 
AuthorDate: Tue Aug 2 08:41:09 2022 +0800

HIVE-26425: Skip SSL cert verification for downloading JWKS in HS2 (#3473)
---
 .../java/org/apache/hadoop/hive/conf/HiveConf.java |  3 ++
 .../apache/hive/service/auth/jwt/JWTValidator.java |  3 +-
 .../service/auth/jwt/URLBasedJWKSProvider.java | 49 +++---
 3 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 0d1a4b586e4..de4c0b54db0 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -4250,6 +4250,9 @@ public class HiveConf extends Configuration {
 
HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL("hive.server2.authentication.jwt.jwks.url",
 "",
 "URL of the file from where URLBasedJWKSProvider will try to load JWKS 
if JWT is enabled for the\n" +
 "authentication mode."),
+
HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT("hive.server2.authentication.jwt.jwks.skip.ssl.cert",
 false,
+"When this is enabled, the SSL certificate verification will be 
skipped.\n" +
+"This is meant to be used in a testing environment only. Do not use in 
production."),
 
 // HS2 SAML2.0 configuration
 HIVE_SERVER2_SAML_KEYSTORE_PATH("hive.server2.saml2.keystore.path", "",
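Review bot: The description added for `hive.server2.authentication.jwt.jwks.skip.ssl.cert` does not say which connection is affected or what is lost. With verification off, the JWKS endpoint is not authenticated, so the keys HS2 later trusts to validate JWT signatures come from an unverified server. I would state that in the description, for example `"Skips TLS certificate verification when downloading the JWKS; the keys used to validate JWT signatures are then fetched from an unauthenticated server.\n"`, and keep the existing testing-only sentence after it. It would also help to log a WARN at HiveServer2 startup whenever the flag is true, so that a test setting carried into production shows up in the logs; the URLBasedJWKSProvider code that reads the flag is cut off on this page, so it may already do this. For test clusters that use a private CA, a truststore containing that CA would avoid the need for the flag.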
diff --git 
a/service/src/java/org/apache/hive/service/auth/jwt/JWTValidator.java 
b/service/src/java/org/apache/hive/service/auth/jwt/JWTValidator.java
index a1b934fea41..80e981c7726 100644
--- a/service/src/java/org/apache/hive/service/auth/jwt/JWTValidator.java
+++ b/service/src/java/org/apache/hive/service/auth/jwt/JWTValidator.java
@@ -34,6 +34,7 @@ import org.slf4j.LoggerFactory;
 
 import javax.security.sasl.AuthenticationException;
 import java.io.IOException;
+import java.security.GeneralSecurityException;
 import java.security.Key;
 import java.text.ParseException;
 import java.util.Date;
@@ -51,7 +52,7 @@ public class JWTValidator {
 
   private final URLBasedJWKSProvider jwksProvider;
 
-  public JWTValidator(HiveConf conf) throws IOException, ParseException {
+  public JWTValidator(HiveConf conf) throws IOException, ParseException, 
GeneralSecurityException {
 this.jwksProvider = new URLBasedJWKSProvider(conf);
   }
 
diff --git 
a/service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java 
b/service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java
index ebf99e3b889..c8dcf6b667b 100644
--- 
a/service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java
+++ 
b/service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java
@@ -24,12 +24,22 @@ import com.nimbusds.jose.jwk.JWKMatcher;
 import com.nimbusds.jose.jwk.JWKSelector;
 import com.nimbusds.jose.jwk.JWKSet;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.http.HttpEntity;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
 import javax.security.sasl.AuthenticationException;
 import java.io.IOException;
-import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.List;
@@ -43,7 +53,7 @@ public class URLBasedJWKSProvider {
   private final HiveConf conf;
   private List jwkSets = new ArrayList<>();
 
-  public URLBasedJWKSProvider(HiveConf conf) throws IOException, 
ParseException {
+  public URLBasedJWKSProvider(HiveConf conf) throws IOException, 
ParseException, GeneralSecurityException {
 this.conf = conf;
 loadJWKSets();
   }
@@ -52,12 +62,41 @@ public class URLBasedJWKSProvider {
* Fetches the JWKS and stores into memory. The JWKS are expected to be in 
the standard form as defined here -
* https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.
*/
-  private void loadJWKSets() throws IOException, ParseException {
+  private void loadJWKSets() throws IOException, ParseException, 
GeneralSecurityException {
 String jwksURL = HiveConf.getVar(conf, 
HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL);
+if (jwksUR

[hive] branch master updated (714c260e4a7 -> 9909edee8da)

2022-08-01 Thread sankarh
This is an automated email from the ASF dual-hosted git repository.

sankarh pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


from 714c260e4a7 HIVE-26429: Enable X locking for CTAS by default (Simhadri 
Govindappa, reviewed by Denys Kuzmenko)
 add 9909edee8da HIVE-26412: Create interface to fetch available slots and 
add the default implementation (Adesh Rao, reviewed by Laszlo Bodor, Nikhil 
Gupta, Sankar Hariappan))

No new revisions were added by this update.

Summary of changes:
 .../java/org/apache/hadoop/hive/conf/HiveConf.java |  3 ++
 ...rocessor.java => AvailableSlotsCalculator.java} | 15 
 .../hive/ql/exec/tez/HiveSplitGenerator.java   | 24 +---
 .../ql/exec/tez/TezAvailableSlotsCalculator.java   | 44 ++
 4 files changed, 64 insertions(+), 22 deletions(-)
 copy ql/src/java/org/apache/hadoop/hive/ql/exec/tez/{MapTezProcessor.java => 
AvailableSlotsCalculator.java} (72%)
 create mode 100644 
ql/src/java/org/apache/hadoop/hive/ql/exec/tez/TezAvailableSlotsCalculator.java