hive-commits mailing list archives

From amareshw...@apache.org
Subject svn commit: r1089396 [2/2] - in /hive/trunk: metastore/if/ metastore/src/gen/thrift/gen-cpp/ metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ metastore/src/gen/thrift/gen-php/hive_metastore/ metastore/src/gen/thrift/gen-py/hi...
Date Wed, 06 Apr 2011 10:49:36 GMT
Modified: hive/trunk/metastore/src/gen/thrift/gen-php/hive_metastore/ThriftHiveMetastore.php
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-php/hive_metastore/ThriftHiveMetastore.php?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-php/hive_metastore/ThriftHiveMetastore.php (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-php/hive_metastore/ThriftHiveMetastore.php Wed Apr  6 10:49:36 2011
@@ -64,8 +64,7 @@ interface ThriftHiveMetastoreIf extends 
   public function list_privileges($principal_name, $principal_type, $hiveObject);
   public function grant_privileges($privileges);
   public function revoke_privileges($privileges);
-  public function get_delegation_token($renewer_kerberos_principal_name);
-  public function get_delegation_token_with_signature($renewer_kerberos_principal_name, $token_signature);
+  public function get_delegation_token($token_owner, $renewer_kerberos_principal_name);
   public function renew_delegation_token($token_str_form);
   public function cancel_delegation_token($token_str_form);
 }
@@ -3174,15 +3173,16 @@ class ThriftHiveMetastoreClient extends 
     throw new Exception("revoke_privileges failed: unknown result");
   }
 
-  public function get_delegation_token($renewer_kerberos_principal_name)
+  public function get_delegation_token($token_owner, $renewer_kerberos_principal_name)
   {
-    $this->send_get_delegation_token($renewer_kerberos_principal_name);
+    $this->send_get_delegation_token($token_owner, $renewer_kerberos_principal_name);
     return $this->recv_get_delegation_token();
   }
 
-  public function send_get_delegation_token($renewer_kerberos_principal_name)
+  public function send_get_delegation_token($token_owner, $renewer_kerberos_principal_name)
   {
     $args = new metastore_ThriftHiveMetastore_get_delegation_token_args();
+    $args->token_owner = $token_owner;
     $args->renewer_kerberos_principal_name = $renewer_kerberos_principal_name;
     $bin_accel = ($this->output_ instanceof TProtocol::$TBINARYPROTOCOLACCELERATED) && function_exists('thrift_protocol_write_binary');
     if ($bin_accel)
@@ -3228,61 +3228,6 @@ class ThriftHiveMetastoreClient extends 
     throw new Exception("get_delegation_token failed: unknown result");
   }
 
-  public function get_delegation_token_with_signature($renewer_kerberos_principal_name, $token_signature)
-  {
-    $this->send_get_delegation_token_with_signature($renewer_kerberos_principal_name, $token_signature);
-    return $this->recv_get_delegation_token_with_signature();
-  }
-
-  public function send_get_delegation_token_with_signature($renewer_kerberos_principal_name, $token_signature)
-  {
-    $args = new metastore_ThriftHiveMetastore_get_delegation_token_with_signature_args();
-    $args->renewer_kerberos_principal_name = $renewer_kerberos_principal_name;
-    $args->token_signature = $token_signature;
-    $bin_accel = ($this->output_ instanceof TProtocol::$TBINARYPROTOCOLACCELERATED) && function_exists('thrift_protocol_write_binary');
-    if ($bin_accel)
-    {
-      thrift_protocol_write_binary($this->output_, 'get_delegation_token_with_signature', TMessageType::CALL, $args, $this->seqid_, $this->output_->isStrictWrite());
-    }
-    else
-    {
-      $this->output_->writeMessageBegin('get_delegation_token_with_signature', TMessageType::CALL, $this->seqid_);
-      $args->write($this->output_);
-      $this->output_->writeMessageEnd();
-      $this->output_->getTransport()->flush();
-    }
-  }
-
-  public function recv_get_delegation_token_with_signature()
-  {
-    $bin_accel = ($this->input_ instanceof TProtocol::$TBINARYPROTOCOLACCELERATED) && function_exists('thrift_protocol_read_binary');
-    if ($bin_accel) $result = thrift_protocol_read_binary($this->input_, 'metastore_ThriftHiveMetastore_get_delegation_token_with_signature_result', $this->input_->isStrictRead());
-    else
-    {
-      $rseqid = 0;
-      $fname = null;
-      $mtype = 0;
-
-      $this->input_->readMessageBegin($fname, $mtype, $rseqid);
-      if ($mtype == TMessageType::EXCEPTION) {
-        $x = new TApplicationException();
-        $x->read($this->input_);
-        $this->input_->readMessageEnd();
-        throw $x;
-      }
-      $result = new metastore_ThriftHiveMetastore_get_delegation_token_with_signature_result();
-      $result->read($this->input_);
-      $this->input_->readMessageEnd();
-    }
-    if ($result->success !== null) {
-      return $result->success;
-    }
-    if ($result->o1 !== null) {
-      throw $result->o1;
-    }
-    throw new Exception("get_delegation_token_with_signature failed: unknown result");
-  }
-
   public function renew_delegation_token($token_str_form)
   {
     $this->send_renew_delegation_token($token_str_form);
@@ -15760,200 +15705,34 @@ class metastore_ThriftHiveMetastore_revo
 class metastore_ThriftHiveMetastore_get_delegation_token_args {
   static $_TSPEC;
 
+  public $token_owner = null;
   public $renewer_kerberos_principal_name = null;
 
   public function __construct($vals=null) {
     if (!isset(self::$_TSPEC)) {
       self::$_TSPEC = array(
         1 => array(
-          'var' => 'renewer_kerberos_principal_name',
-          'type' => TType::STRING,
-          ),
-        );
-    }
-    if (is_array($vals)) {
-      if (isset($vals['renewer_kerberos_principal_name'])) {
-        $this->renewer_kerberos_principal_name = $vals['renewer_kerberos_principal_name'];
-      }
-    }
-  }
-
-  public function getName() {
-    return 'ThriftHiveMetastore_get_delegation_token_args';
-  }
-
-  public function read($input)
-  {
-    $xfer = 0;
-    $fname = null;
-    $ftype = 0;
-    $fid = 0;
-    $xfer += $input->readStructBegin($fname);
-    while (true)
-    {
-      $xfer += $input->readFieldBegin($fname, $ftype, $fid);
-      if ($ftype == TType::STOP) {
-        break;
-      }
-      switch ($fid)
-      {
-        case 1:
-          if ($ftype == TType::STRING) {
-            $xfer += $input->readString($this->renewer_kerberos_principal_name);
-          } else {
-            $xfer += $input->skip($ftype);
-          }
-          break;
-        default:
-          $xfer += $input->skip($ftype);
-          break;
-      }
-      $xfer += $input->readFieldEnd();
-    }
-    $xfer += $input->readStructEnd();
-    return $xfer;
-  }
-
-  public function write($output) {
-    $xfer = 0;
-    $xfer += $output->writeStructBegin('ThriftHiveMetastore_get_delegation_token_args');
-    if ($this->renewer_kerberos_principal_name !== null) {
-      $xfer += $output->writeFieldBegin('renewer_kerberos_principal_name', TType::STRING, 1);
-      $xfer += $output->writeString($this->renewer_kerberos_principal_name);
-      $xfer += $output->writeFieldEnd();
-    }
-    $xfer += $output->writeFieldStop();
-    $xfer += $output->writeStructEnd();
-    return $xfer;
-  }
-
-}
-
-class metastore_ThriftHiveMetastore_get_delegation_token_result {
-  static $_TSPEC;
-
-  public $success = null;
-  public $o1 = null;
-
-  public function __construct($vals=null) {
-    if (!isset(self::$_TSPEC)) {
-      self::$_TSPEC = array(
-        0 => array(
-          'var' => 'success',
-          'type' => TType::STRING,
-          ),
-        1 => array(
-          'var' => 'o1',
-          'type' => TType::STRUCT,
-          'class' => 'metastore_MetaException',
-          ),
-        );
-    }
-    if (is_array($vals)) {
-      if (isset($vals['success'])) {
-        $this->success = $vals['success'];
-      }
-      if (isset($vals['o1'])) {
-        $this->o1 = $vals['o1'];
-      }
-    }
-  }
-
-  public function getName() {
-    return 'ThriftHiveMetastore_get_delegation_token_result';
-  }
-
-  public function read($input)
-  {
-    $xfer = 0;
-    $fname = null;
-    $ftype = 0;
-    $fid = 0;
-    $xfer += $input->readStructBegin($fname);
-    while (true)
-    {
-      $xfer += $input->readFieldBegin($fname, $ftype, $fid);
-      if ($ftype == TType::STOP) {
-        break;
-      }
-      switch ($fid)
-      {
-        case 0:
-          if ($ftype == TType::STRING) {
-            $xfer += $input->readString($this->success);
-          } else {
-            $xfer += $input->skip($ftype);
-          }
-          break;
-        case 1:
-          if ($ftype == TType::STRUCT) {
-            $this->o1 = new metastore_MetaException();
-            $xfer += $this->o1->read($input);
-          } else {
-            $xfer += $input->skip($ftype);
-          }
-          break;
-        default:
-          $xfer += $input->skip($ftype);
-          break;
-      }
-      $xfer += $input->readFieldEnd();
-    }
-    $xfer += $input->readStructEnd();
-    return $xfer;
-  }
-
-  public function write($output) {
-    $xfer = 0;
-    $xfer += $output->writeStructBegin('ThriftHiveMetastore_get_delegation_token_result');
-    if ($this->success !== null) {
-      $xfer += $output->writeFieldBegin('success', TType::STRING, 0);
-      $xfer += $output->writeString($this->success);
-      $xfer += $output->writeFieldEnd();
-    }
-    if ($this->o1 !== null) {
-      $xfer += $output->writeFieldBegin('o1', TType::STRUCT, 1);
-      $xfer += $this->o1->write($output);
-      $xfer += $output->writeFieldEnd();
-    }
-    $xfer += $output->writeFieldStop();
-    $xfer += $output->writeStructEnd();
-    return $xfer;
-  }
-
-}
-
-class metastore_ThriftHiveMetastore_get_delegation_token_with_signature_args {
-  static $_TSPEC;
-
-  public $renewer_kerberos_principal_name = null;
-  public $token_signature = null;
-
-  public function __construct($vals=null) {
-    if (!isset(self::$_TSPEC)) {
-      self::$_TSPEC = array(
-        1 => array(
-          'var' => 'renewer_kerberos_principal_name',
+          'var' => 'token_owner',
           'type' => TType::STRING,
           ),
         2 => array(
-          'var' => 'token_signature',
+          'var' => 'renewer_kerberos_principal_name',
           'type' => TType::STRING,
           ),
         );
     }
     if (is_array($vals)) {
+      if (isset($vals['token_owner'])) {
+        $this->token_owner = $vals['token_owner'];
+      }
       if (isset($vals['renewer_kerberos_principal_name'])) {
         $this->renewer_kerberos_principal_name = $vals['renewer_kerberos_principal_name'];
       }
-      if (isset($vals['token_signature'])) {
-        $this->token_signature = $vals['token_signature'];
-      }
     }
   }
 
   public function getName() {
-    return 'ThriftHiveMetastore_get_delegation_token_with_signature_args';
+    return 'ThriftHiveMetastore_get_delegation_token_args';
   }
 
   public function read($input)
@@ -15973,14 +15752,14 @@ class metastore_ThriftHiveMetastore_get_
       {
         case 1:
           if ($ftype == TType::STRING) {
-            $xfer += $input->readString($this->renewer_kerberos_principal_name);
+            $xfer += $input->readString($this->token_owner);
           } else {
             $xfer += $input->skip($ftype);
           }
           break;
         case 2:
           if ($ftype == TType::STRING) {
-            $xfer += $input->readString($this->token_signature);
+            $xfer += $input->readString($this->renewer_kerberos_principal_name);
           } else {
             $xfer += $input->skip($ftype);
           }
@@ -15997,15 +15776,15 @@ class metastore_ThriftHiveMetastore_get_
 
   public function write($output) {
     $xfer = 0;
-    $xfer += $output->writeStructBegin('ThriftHiveMetastore_get_delegation_token_with_signature_args');
-    if ($this->renewer_kerberos_principal_name !== null) {
-      $xfer += $output->writeFieldBegin('renewer_kerberos_principal_name', TType::STRING, 1);
-      $xfer += $output->writeString($this->renewer_kerberos_principal_name);
+    $xfer += $output->writeStructBegin('ThriftHiveMetastore_get_delegation_token_args');
+    if ($this->token_owner !== null) {
+      $xfer += $output->writeFieldBegin('token_owner', TType::STRING, 1);
+      $xfer += $output->writeString($this->token_owner);
       $xfer += $output->writeFieldEnd();
     }
-    if ($this->token_signature !== null) {
-      $xfer += $output->writeFieldBegin('token_signature', TType::STRING, 2);
-      $xfer += $output->writeString($this->token_signature);
+    if ($this->renewer_kerberos_principal_name !== null) {
+      $xfer += $output->writeFieldBegin('renewer_kerberos_principal_name', TType::STRING, 2);
+      $xfer += $output->writeString($this->renewer_kerberos_principal_name);
       $xfer += $output->writeFieldEnd();
     }
     $xfer += $output->writeFieldStop();
@@ -16015,7 +15794,7 @@ class metastore_ThriftHiveMetastore_get_
 
 }
 
-class metastore_ThriftHiveMetastore_get_delegation_token_with_signature_result {
+class metastore_ThriftHiveMetastore_get_delegation_token_result {
   static $_TSPEC;
 
   public $success = null;
@@ -16046,7 +15825,7 @@ class metastore_ThriftHiveMetastore_get_
   }
 
   public function getName() {
-    return 'ThriftHiveMetastore_get_delegation_token_with_signature_result';
+    return 'ThriftHiveMetastore_get_delegation_token_result';
   }
 
   public function read($input)
@@ -16091,7 +15870,7 @@ class metastore_ThriftHiveMetastore_get_
 
   public function write($output) {
     $xfer = 0;
-    $xfer += $output->writeStructBegin('ThriftHiveMetastore_get_delegation_token_with_signature_result');
+    $xfer += $output->writeStructBegin('ThriftHiveMetastore_get_delegation_token_result');
     if ($this->success !== null) {
       $xfer += $output->writeFieldBegin('success', TType::STRING, 0);
       $xfer += $output->writeString($this->success);

Modified: hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote Wed Apr  6 10:49:36 2011
@@ -75,8 +75,7 @@ if len(sys.argv) <= 1 or sys.argv[1] == 
   print '   list_privileges(string principal_name, PrincipalType principal_type, HiveObjectRef hiveObject)'
   print '  bool grant_privileges(PrivilegeBag privileges)'
   print '  bool revoke_privileges(PrivilegeBag privileges)'
-  print '  string get_delegation_token(string renewer_kerberos_principal_name)'
-  print '  string get_delegation_token_with_signature(string renewer_kerberos_principal_name, string token_signature)'
+  print '  string get_delegation_token(string token_owner, string renewer_kerberos_principal_name)'
   print '  i64 renew_delegation_token(string token_str_form)'
   print '  void cancel_delegation_token(string token_str_form)'
   print ''
@@ -454,16 +453,10 @@ elif cmd == 'revoke_privileges':
   pp.pprint(client.revoke_privileges(eval(args[0]),))
 
 elif cmd == 'get_delegation_token':
-  if len(args) != 1:
-    print 'get_delegation_token requires 1 args'
-    sys.exit(1)
-  pp.pprint(client.get_delegation_token(args[0],))
-
-elif cmd == 'get_delegation_token_with_signature':
   if len(args) != 2:
-    print 'get_delegation_token_with_signature requires 2 args'
+    print 'get_delegation_token requires 2 args'
     sys.exit(1)
-  pp.pprint(client.get_delegation_token_with_signature(args[0],args[1],))
+  pp.pprint(client.get_delegation_token(args[0],args[1],))
 
 elif cmd == 'renew_delegation_token':
   if len(args) != 1:

Modified: hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py Wed Apr  6 10:49:36 2011
@@ -470,21 +470,14 @@ class Iface(fb303.FacebookService.Iface)
     """
     pass
 
-  def get_delegation_token(self, renewer_kerberos_principal_name):
+  def get_delegation_token(self, token_owner, renewer_kerberos_principal_name):
     """
     Parameters:
+     - token_owner
      - renewer_kerberos_principal_name
     """
     pass
 
-  def get_delegation_token_with_signature(self, renewer_kerberos_principal_name, token_signature):
-    """
-    Parameters:
-     - renewer_kerberos_principal_name
-     - token_signature
-    """
-    pass
-
   def renew_delegation_token(self, token_str_form):
     """
     Parameters:
@@ -2455,17 +2448,19 @@ class Client(fb303.FacebookService.Clien
       raise result.o1
     raise TApplicationException(TApplicationException.MISSING_RESULT, "revoke_privileges failed: unknown result");
 
-  def get_delegation_token(self, renewer_kerberos_principal_name):
+  def get_delegation_token(self, token_owner, renewer_kerberos_principal_name):
     """
     Parameters:
+     - token_owner
      - renewer_kerberos_principal_name
     """
-    self.send_get_delegation_token(renewer_kerberos_principal_name)
+    self.send_get_delegation_token(token_owner, renewer_kerberos_principal_name)
     return self.recv_get_delegation_token()
 
-  def send_get_delegation_token(self, renewer_kerberos_principal_name):
+  def send_get_delegation_token(self, token_owner, renewer_kerberos_principal_name):
     self._oprot.writeMessageBegin('get_delegation_token', TMessageType.CALL, self._seqid)
     args = get_delegation_token_args()
+    args.token_owner = token_owner
     args.renewer_kerberos_principal_name = renewer_kerberos_principal_name
     args.write(self._oprot)
     self._oprot.writeMessageEnd()
@@ -2487,40 +2482,6 @@ class Client(fb303.FacebookService.Clien
       raise result.o1
     raise TApplicationException(TApplicationException.MISSING_RESULT, "get_delegation_token failed: unknown result");
 
-  def get_delegation_token_with_signature(self, renewer_kerberos_principal_name, token_signature):
-    """
-    Parameters:
-     - renewer_kerberos_principal_name
-     - token_signature
-    """
-    self.send_get_delegation_token_with_signature(renewer_kerberos_principal_name, token_signature)
-    return self.recv_get_delegation_token_with_signature()
-
-  def send_get_delegation_token_with_signature(self, renewer_kerberos_principal_name, token_signature):
-    self._oprot.writeMessageBegin('get_delegation_token_with_signature', TMessageType.CALL, self._seqid)
-    args = get_delegation_token_with_signature_args()
-    args.renewer_kerberos_principal_name = renewer_kerberos_principal_name
-    args.token_signature = token_signature
-    args.write(self._oprot)
-    self._oprot.writeMessageEnd()
-    self._oprot.trans.flush()
-
-  def recv_get_delegation_token_with_signature(self, ):
-    (fname, mtype, rseqid) = self._iprot.readMessageBegin()
-    if mtype == TMessageType.EXCEPTION:
-      x = TApplicationException()
-      x.read(self._iprot)
-      self._iprot.readMessageEnd()
-      raise x
-    result = get_delegation_token_with_signature_result()
-    result.read(self._iprot)
-    self._iprot.readMessageEnd()
-    if result.success != None:
-      return result.success
-    if result.o1 != None:
-      raise result.o1
-    raise TApplicationException(TApplicationException.MISSING_RESULT, "get_delegation_token_with_signature failed: unknown result");
-
   def renew_delegation_token(self, token_str_form):
     """
     Parameters:
@@ -2642,7 +2603,6 @@ class Processor(fb303.FacebookService.Pr
     self._processMap["grant_privileges"] = Processor.process_grant_privileges
     self._processMap["revoke_privileges"] = Processor.process_revoke_privileges
     self._processMap["get_delegation_token"] = Processor.process_get_delegation_token
-    self._processMap["get_delegation_token_with_signature"] = Processor.process_get_delegation_token_with_signature
     self._processMap["renew_delegation_token"] = Processor.process_renew_delegation_token
     self._processMap["cancel_delegation_token"] = Processor.process_cancel_delegation_token
 
@@ -3509,7 +3469,7 @@ class Processor(fb303.FacebookService.Pr
     iprot.readMessageEnd()
     result = get_delegation_token_result()
     try:
-      result.success = self._handler.get_delegation_token(args.renewer_kerberos_principal_name)
+      result.success = self._handler.get_delegation_token(args.token_owner, args.renewer_kerberos_principal_name)
     except MetaException, o1:
       result.o1 = o1
     oprot.writeMessageBegin("get_delegation_token", TMessageType.REPLY, seqid)
@@ -3517,20 +3477,6 @@ class Processor(fb303.FacebookService.Pr
     oprot.writeMessageEnd()
     oprot.trans.flush()
 
-  def process_get_delegation_token_with_signature(self, seqid, iprot, oprot):
-    args = get_delegation_token_with_signature_args()
-    args.read(iprot)
-    iprot.readMessageEnd()
-    result = get_delegation_token_with_signature_result()
-    try:
-      result.success = self._handler.get_delegation_token_with_signature(args.renewer_kerberos_principal_name, args.token_signature)
-    except MetaException, o1:
-      result.o1 = o1
-    oprot.writeMessageBegin("get_delegation_token_with_signature", TMessageType.REPLY, seqid)
-    result.write(oprot)
-    oprot.writeMessageEnd()
-    oprot.trans.flush()
-
   def process_renew_delegation_token(self, seqid, iprot, oprot):
     args = renew_delegation_token_args()
     args.read(iprot)
@@ -12295,15 +12241,18 @@ class revoke_privileges_result:
 class get_delegation_token_args:
   """
   Attributes:
+   - token_owner
    - renewer_kerberos_principal_name
   """
 
   thrift_spec = (
     None, # 0
-    (1, TType.STRING, 'renewer_kerberos_principal_name', None, None, ), # 1
+    (1, TType.STRING, 'token_owner', None, None, ), # 1
+    (2, TType.STRING, 'renewer_kerberos_principal_name', None, None, ), # 2
   )
 
-  def __init__(self, renewer_kerberos_principal_name=None,):
+  def __init__(self, token_owner=None, renewer_kerberos_principal_name=None,):
+    self.token_owner = token_owner
     self.renewer_kerberos_principal_name = renewer_kerberos_principal_name
 
   def read(self, iprot):
@@ -12317,145 +12266,12 @@ class get_delegation_token_args:
         break
       if fid == 1:
         if ftype == TType.STRING:
-          self.renewer_kerberos_principal_name = iprot.readString();
-        else:
-          iprot.skip(ftype)
-      else:
-        iprot.skip(ftype)
-      iprot.readFieldEnd()
-    iprot.readStructEnd()
-
-  def write(self, oprot):
-    if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
-      oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
-      return
-    oprot.writeStructBegin('get_delegation_token_args')
-    if self.renewer_kerberos_principal_name != None:
-      oprot.writeFieldBegin('renewer_kerberos_principal_name', TType.STRING, 1)
-      oprot.writeString(self.renewer_kerberos_principal_name)
-      oprot.writeFieldEnd()
-    oprot.writeFieldStop()
-    oprot.writeStructEnd()
-    def validate(self):
-      return
-
-
-  def __repr__(self):
-    L = ['%s=%r' % (key, value)
-      for key, value in self.__dict__.iteritems()]
-    return '%s(%s)' % (self.__class__.__name__, ', '.join(L))
-
-  def __eq__(self, other):
-    return isinstance(other, self.__class__) and self.__dict__ == other.__dict__
-
-  def __ne__(self, other):
-    return not (self == other)
-
-class get_delegation_token_result:
-  """
-  Attributes:
-   - success
-   - o1
-  """
-
-  thrift_spec = (
-    (0, TType.STRING, 'success', None, None, ), # 0
-    (1, TType.STRUCT, 'o1', (MetaException, MetaException.thrift_spec), None, ), # 1
-  )
-
-  def __init__(self, success=None, o1=None,):
-    self.success = success
-    self.o1 = o1
-
-  def read(self, iprot):
-    if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None:
-      fastbinary.decode_binary(self, iprot.trans, (self.__class__, self.thrift_spec))
-      return
-    iprot.readStructBegin()
-    while True:
-      (fname, ftype, fid) = iprot.readFieldBegin()
-      if ftype == TType.STOP:
-        break
-      if fid == 0:
-        if ftype == TType.STRING:
-          self.success = iprot.readString();
-        else:
-          iprot.skip(ftype)
-      elif fid == 1:
-        if ftype == TType.STRUCT:
-          self.o1 = MetaException()
-          self.o1.read(iprot)
-        else:
-          iprot.skip(ftype)
-      else:
-        iprot.skip(ftype)
-      iprot.readFieldEnd()
-    iprot.readStructEnd()
-
-  def write(self, oprot):
-    if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
-      oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
-      return
-    oprot.writeStructBegin('get_delegation_token_result')
-    if self.success != None:
-      oprot.writeFieldBegin('success', TType.STRING, 0)
-      oprot.writeString(self.success)
-      oprot.writeFieldEnd()
-    if self.o1 != None:
-      oprot.writeFieldBegin('o1', TType.STRUCT, 1)
-      self.o1.write(oprot)
-      oprot.writeFieldEnd()
-    oprot.writeFieldStop()
-    oprot.writeStructEnd()
-    def validate(self):
-      return
-
-
-  def __repr__(self):
-    L = ['%s=%r' % (key, value)
-      for key, value in self.__dict__.iteritems()]
-    return '%s(%s)' % (self.__class__.__name__, ', '.join(L))
-
-  def __eq__(self, other):
-    return isinstance(other, self.__class__) and self.__dict__ == other.__dict__
-
-  def __ne__(self, other):
-    return not (self == other)
-
-class get_delegation_token_with_signature_args:
-  """
-  Attributes:
-   - renewer_kerberos_principal_name
-   - token_signature
-  """
-
-  thrift_spec = (
-    None, # 0
-    (1, TType.STRING, 'renewer_kerberos_principal_name', None, None, ), # 1
-    (2, TType.STRING, 'token_signature', None, None, ), # 2
-  )
-
-  def __init__(self, renewer_kerberos_principal_name=None, token_signature=None,):
-    self.renewer_kerberos_principal_name = renewer_kerberos_principal_name
-    self.token_signature = token_signature
-
-  def read(self, iprot):
-    if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None:
-      fastbinary.decode_binary(self, iprot.trans, (self.__class__, self.thrift_spec))
-      return
-    iprot.readStructBegin()
-    while True:
-      (fname, ftype, fid) = iprot.readFieldBegin()
-      if ftype == TType.STOP:
-        break
-      if fid == 1:
-        if ftype == TType.STRING:
-          self.renewer_kerberos_principal_name = iprot.readString();
+          self.token_owner = iprot.readString();
         else:
           iprot.skip(ftype)
       elif fid == 2:
         if ftype == TType.STRING:
-          self.token_signature = iprot.readString();
+          self.renewer_kerberos_principal_name = iprot.readString();
         else:
           iprot.skip(ftype)
       else:
@@ -12467,15 +12283,15 @@ class get_delegation_token_with_signatur
     if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
       oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
       return
-    oprot.writeStructBegin('get_delegation_token_with_signature_args')
+    oprot.writeStructBegin('get_delegation_token_args')
+    if self.token_owner != None:
+      oprot.writeFieldBegin('token_owner', TType.STRING, 1)
+      oprot.writeString(self.token_owner)
+      oprot.writeFieldEnd()
     if self.renewer_kerberos_principal_name != None:
-      oprot.writeFieldBegin('renewer_kerberos_principal_name', TType.STRING, 1)
+      oprot.writeFieldBegin('renewer_kerberos_principal_name', TType.STRING, 2)
       oprot.writeString(self.renewer_kerberos_principal_name)
       oprot.writeFieldEnd()
-    if self.token_signature != None:
-      oprot.writeFieldBegin('token_signature', TType.STRING, 2)
-      oprot.writeString(self.token_signature)
-      oprot.writeFieldEnd()
     oprot.writeFieldStop()
     oprot.writeStructEnd()
     def validate(self):
@@ -12493,7 +12309,7 @@ class get_delegation_token_with_signatur
   def __ne__(self, other):
     return not (self == other)
 
-class get_delegation_token_with_signature_result:
+class get_delegation_token_result:
   """
   Attributes:
    - success
@@ -12538,7 +12354,7 @@ class get_delegation_token_with_signatur
     if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
       oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
       return
-    oprot.writeStructBegin('get_delegation_token_with_signature_result')
+    oprot.writeStructBegin('get_delegation_token_result')
     if self.success != None:
       oprot.writeFieldBegin('success', TType.STRING, 0)
       oprot.writeString(self.success)

Modified: hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb Wed Apr  6 10:49:36 2011
@@ -911,13 +911,13 @@ module ThriftHiveMetastore
       raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'revoke_privileges failed: unknown result')
     end
 
-    def get_delegation_token(renewer_kerberos_principal_name)
-      send_get_delegation_token(renewer_kerberos_principal_name)
+    def get_delegation_token(token_owner, renewer_kerberos_principal_name)
+      send_get_delegation_token(token_owner, renewer_kerberos_principal_name)
       return recv_get_delegation_token()
     end
 
-    def send_get_delegation_token(renewer_kerberos_principal_name)
-      send_message('get_delegation_token', Get_delegation_token_args, :renewer_kerberos_principal_name => renewer_kerberos_principal_name)
+    def send_get_delegation_token(token_owner, renewer_kerberos_principal_name)
+      send_message('get_delegation_token', Get_delegation_token_args, :token_owner => token_owner, :renewer_kerberos_principal_name => renewer_kerberos_principal_name)
     end
 
     def recv_get_delegation_token()
@@ -927,22 +927,6 @@ module ThriftHiveMetastore
       raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'get_delegation_token failed: unknown result')
     end
 
-    def get_delegation_token_with_signature(renewer_kerberos_principal_name, token_signature)
-      send_get_delegation_token_with_signature(renewer_kerberos_principal_name, token_signature)
-      return recv_get_delegation_token_with_signature()
-    end
-
-    def send_get_delegation_token_with_signature(renewer_kerberos_principal_name, token_signature)
-      send_message('get_delegation_token_with_signature', Get_delegation_token_with_signature_args, :renewer_kerberos_principal_name => renewer_kerberos_principal_name, :token_signature => token_signature)
-    end
-
-    def recv_get_delegation_token_with_signature()
-      result = receive_message(Get_delegation_token_with_signature_result)
-      return result.success unless result.success.nil?
-      raise result.o1 unless result.o1.nil?
-      raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'get_delegation_token_with_signature failed: unknown result')
-    end
-
     def renew_delegation_token(token_str_form)
       send_renew_delegation_token(token_str_form)
       return recv_renew_delegation_token()
@@ -1663,24 +1647,13 @@ module ThriftHiveMetastore
       args = read_args(iprot, Get_delegation_token_args)
       result = Get_delegation_token_result.new()
       begin
-        result.success = @handler.get_delegation_token(args.renewer_kerberos_principal_name)
+        result.success = @handler.get_delegation_token(args.token_owner, args.renewer_kerberos_principal_name)
       rescue MetaException => o1
         result.o1 = o1
       end
       write_result(result, oprot, 'get_delegation_token', seqid)
     end
 
-    def process_get_delegation_token_with_signature(seqid, iprot, oprot)
-      args = read_args(iprot, Get_delegation_token_with_signature_args)
-      result = Get_delegation_token_with_signature_result.new()
-      begin
-        result.success = @handler.get_delegation_token_with_signature(args.renewer_kerberos_principal_name, args.token_signature)
-      rescue MetaException => o1
-        result.o1 = o1
-      end
-      write_result(result, oprot, 'get_delegation_token_with_signature', seqid)
-    end
-
     def process_renew_delegation_token(seqid, iprot, oprot)
       args = read_args(iprot, Renew_delegation_token_args)
       result = Renew_delegation_token_result.new()
@@ -3788,9 +3761,11 @@ module ThriftHiveMetastore
 
   class Get_delegation_token_args
     include ::Thrift::Struct, ::Thrift::Struct_Union
-    RENEWER_KERBEROS_PRINCIPAL_NAME = 1
+    TOKEN_OWNER = 1
+    RENEWER_KERBEROS_PRINCIPAL_NAME = 2
 
     FIELDS = {
+      TOKEN_OWNER => {:type => ::Thrift::Types::STRING, :name => 'token_owner'},
       RENEWER_KERBEROS_PRINCIPAL_NAME => {:type => ::Thrift::Types::STRING, :name => 'renewer_kerberos_principal_name'}
     }
 
@@ -3820,42 +3795,6 @@ module ThriftHiveMetastore
     ::Thrift::Struct.generate_accessors self
   end
 
-  class Get_delegation_token_with_signature_args
-    include ::Thrift::Struct, ::Thrift::Struct_Union
-    RENEWER_KERBEROS_PRINCIPAL_NAME = 1
-    TOKEN_SIGNATURE = 2
-
-    FIELDS = {
-      RENEWER_KERBEROS_PRINCIPAL_NAME => {:type => ::Thrift::Types::STRING, :name => 'renewer_kerberos_principal_name'},
-      TOKEN_SIGNATURE => {:type => ::Thrift::Types::STRING, :name => 'token_signature'}
-    }
-
-    def struct_fields; FIELDS; end
-
-    def validate
-    end
-
-    ::Thrift::Struct.generate_accessors self
-  end
-
-  class Get_delegation_token_with_signature_result
-    include ::Thrift::Struct, ::Thrift::Struct_Union
-    SUCCESS = 0
-    O1 = 1
-
-    FIELDS = {
-      SUCCESS => {:type => ::Thrift::Types::STRING, :name => 'success'},
-      O1 => {:type => ::Thrift::Types::STRUCT, :name => 'o1', :class => MetaException}
-    }
-
-    def struct_fields; FIELDS; end
-
-    def validate
-    end
-
-    ::Thrift::Struct.generate_accessors self
-  end
-
   class Renew_delegation_token_args
     include ::Thrift::Struct, ::Thrift::Struct_Union
     TOKEN_STR_FORM = 1

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java Wed Apr  6 10:49:36 2011
@@ -25,7 +25,6 @@ import static org.apache.hadoop.hive.met
 
 import java.io.IOException;
 import java.net.InetAddress;
-import java.net.Socket;
 import java.util.ArrayList;
 import java.util.Formatter;
 import java.util.HashMap;
@@ -86,12 +85,10 @@ import org.apache.hadoop.util.StringUtil
 import org.apache.thrift.TException;
 import org.apache.thrift.TProcessor;
 import org.apache.thrift.protocol.TBinaryProtocol;
-import org.apache.thrift.protocol.TProtocol;
 import org.apache.thrift.server.TServer;
 import org.apache.thrift.server.TThreadPoolServer;
 import org.apache.thrift.transport.TServerSocket;
 import org.apache.thrift.transport.TServerTransport;
-import org.apache.thrift.transport.TSocket;
 import org.apache.thrift.transport.TTransportFactory;
 
 import com.facebook.fb303.FacebookBase;
@@ -105,6 +102,7 @@ public class HiveMetaStore extends Thrif
     HiveMetaStore.class);
 
   private static HadoopThriftAuthBridge.Server saslServer;
+  private static boolean useSasl;
 
   public static class HMSHandler extends FacebookBase implements
       ThriftHiveMetastore.Iface {
@@ -148,7 +146,7 @@ public class HiveMetaStore extends Thrif
     };
 
     private final void logAuditEvent(String cmd) {
-      if (!ShimLoader.getHadoopShims().isSecureShimImpl() || cmd == null) {
+      if (!useSasl || cmd == null) {
         return;
       }
 
@@ -158,7 +156,7 @@ public class HiveMetaStore extends Thrif
       } catch (Exception ex) {
         throw new RuntimeException(ex);
       }
-      InetAddress addr = TLoggingProcessor.getRemoteAddress();
+      InetAddress addr = saslServer.getRemoteAddress();
       final Formatter fmt = auditFormatter.get();
       ((StringBuilder)fmt.out()).setLength(0);
       auditLog.info(fmt.format(AUDIT_FORMAT, ugi.getUserName(),
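Review bot: `saslServer.getRemoteAddress()` can return null, and nothing in this hunk guards `addr` before the audit line is formatted. The thread-local behind it (added to HadoopThriftAuthBridge20S in this commit) starts as null and is set only when the inbound transport is a `TSocket`. The `fmt.format(AUDIT_FORMAT, …)` call continues outside the hunk, so I cannot see how `addr` is used; if it is dereferenced, a missing address would turn every audited call into a failure. A guard such as `String ip = (addr == null) ? "unknown-ip-addr" : addr.getHostAddress();` keeps the audit record and makes the gap visible in the log.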
@@ -3028,22 +3026,6 @@ public class HiveMetaStore extends Thrif
     }
 
     @Override
-    public String get_delegation_token_with_signature(
-        String renewer_kerberos_principal_name,
-        String token_signature) throws MetaException, TException {
-      startFunction("get_delegation_token_with_signature");
-      try {
-        return
-        HiveMetaStore.getDelegationToken(renewer_kerberos_principal_name,
-            token_signature);
-      } catch(IOException e) {
-        throw new MetaException(e.getMessage());
-      } finally {
-        endFunction("get_delegation_token_with_signature");
-      }
-    }
-
-    @Override
     public long renew_delegation_token(String token_str_form)
     throws MetaException, TException {
       startFunction("renew_delegation_token");
@@ -3057,16 +3039,20 @@ public class HiveMetaStore extends Thrif
     }
 
     @Override
-    public String get_delegation_token(String renewer_kerberos_principal_name)
+    public String get_delegation_token(String token_owner,
+        String renewer_kerberos_principal_name)
     throws MetaException, TException {
-      startFunction("get_delegation_token_with_signature");
+      startFunction("get_delegation_token");
       try {
         return
-        HiveMetaStore.getDelegationToken(renewer_kerberos_principal_name);
+        HiveMetaStore.getDelegationToken(token_owner,
+            renewer_kerberos_principal_name);
       } catch(IOException e) {
         throw new MetaException(e.getMessage());
+      } catch (InterruptedException e) {
+        throw new MetaException(e.getMessage());
       } finally {
-        endFunction("get_delegation_token_with_signature");
+        endFunction("get_delegation_token");
       }
     }
 
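Review bot: The new `catch (InterruptedException e)` in `get_delegation_token` converts the interrupt into a `MetaException` and drops the thread's interrupted status, so code further up the worker thread no longer sees that it was asked to stop. Restore it before rethrowing, with `Thread.currentThread().interrupt();` as the first line of that catch block. Separately, the `IOException` branch also carries the authorization refusal raised by the auth bridge and forwards only its message, so a client cannot tell a denied proxy request from an I/O failure. A short comment saying this is deliberate, or a distinct message prefix, would help whoever reads the logs.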
@@ -3080,22 +3066,14 @@ public class HiveMetaStore extends Thrif
   ) throws IOException {
     saslServer.cancelDelegationToken(tokenStrForm);
   }
-  /**
-   * Get a new delegation token.
-   * @param renewer the designated renewer
-   * @param token_signature an identifier that is set as the service on the generated token
-   */
-  public static String getDelegationToken(String renewer, String token_signature
-  )throws IOException {
-    return saslServer.getDelegationToken(renewer, token_signature);
-  }
 
   /**
    * Get a new delegation token.
    * @param renewer the designated renewer
    */
-  public static String getDelegationToken(String renewer)throws IOException {
-    return saslServer.getDelegationToken(renewer);
+  public static String getDelegationToken(String owner, String renewer)
+  throws IOException, InterruptedException {
+    return saslServer.getDelegationToken(owner, renewer);
   }
   /**
    * Renew a delegation token to extend its lifetime.
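Review bot: The Javadoc kept above the new two-argument `getDelegationToken` still documents only `renewer`, while `owner`, the security-relevant argument, is undocumented. Suggested text: `@param owner the user the token is issued for; must be the caller or a user the caller may proxy for`, plus `@throws IOException` for a refused request. The method also dereferences the static `saslServer`, which in the visible code is assigned only inside `if (useSasl)`. Calling it on a metastore started without SASL would therefore presumably end in a NullPointerException rather than a clear error; an explicit check or a comment would make that precondition visible.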
@@ -3143,13 +3121,12 @@ public class HiveMetaStore extends Thrif
       int minWorkerThreads = conf.getIntVar(HiveConf.ConfVars.METASTORESERVERMINTHREADS);
       int maxWorkerThreads = conf.getIntVar(HiveConf.ConfVars.METASTORESERVERMAXTHREADS);
       boolean tcpKeepAlive = conf.getBoolVar(HiveConf.ConfVars.METASTORE_TCP_KEEP_ALIVE);
-      boolean useSasl = conf.getBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL);
+      useSasl = conf.getBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL);
 
       TServerTransport serverTransport = tcpKeepAlive ?
           new TServerSocketKeepAlive(port) : new TServerSocket(port);
 
-      TProcessor processor =
-        new TLoggingProcessor(new ThriftHiveMetastore.Processor(handler));
+      TProcessor processor = new ThriftHiveMetastore.Processor(handler);
       TTransportFactory transFactory;
       if (useSasl) {
          saslServer = bridge.createServer(
@@ -3184,29 +3161,4 @@ public class HiveMetaStore extends Thrif
       throw x;
     }
   }
-  //Assists audit logger - gets the remote client's IP address.
-  private static class TLoggingProcessor implements TProcessor {
-    private final static ThreadLocal<InetAddress> remoteAddress =
-      new ThreadLocal<InetAddress>() {
-      @Override
-      protected synchronized InetAddress initialValue() {
-        return null;
-      }
-    };
-    TProcessor wrapped;
-    TLoggingProcessor(TProcessor wrapped) {
-      this.wrapped = wrapped;
-    }
-    static InetAddress getRemoteAddress() {
-      return remoteAddress.get();
-    }
-    public boolean process(final TProtocol inProt, final TProtocol outProt)
-    throws TException {
-      if (TSocket.class.isAssignableFrom(inProt.getTransport().getClass())) {
-        Socket socket = ((TSocket)inProt.getTransport()).getSocket();
-        remoteAddress.set(socket.getInetAddress());
-      }
-      return wrapped.process(inProt, outProt);
-    }
-  }
 }

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java Wed Apr  6 10:49:36 2011
@@ -1053,25 +1053,22 @@ public class HiveMetaStoreClient impleme
     return client.list_privileges(principalName, principalType, hiveObject);
   }
 
-  @Override
-  public String getDelegationTokenWithSignature(String renewerKerberosPrincipalName,
-      String tokenSignature) throws
-  MetaException, TException {
-    if(localMetaStore) {
-      throw new UnsupportedOperationException("getDelegationToken() can be " +
-          "called only in thrift (non local) mode");
-    }
-    return client.get_delegation_token_with_signature(renewerKerberosPrincipalName, tokenSignature);
+  public String getDelegationToken(String renewerKerberosPrincipalName) throws
+  MetaException, TException, IOException {
+    //a convenience method that makes the intended owner for the delegation
+    //token request the current user
+    String owner = conf.getUser();
+    return getDelegationToken(owner, renewerKerberosPrincipalName);
   }
-
+  
   @Override
-  public String getDelegationToken(String renewerKerberosPrincipalName) throws
+  public String getDelegationToken(String owner, String renewerKerberosPrincipalName) throws
   MetaException, TException {
     if(localMetaStore) {
       throw new UnsupportedOperationException("getDelegationToken() can be " +
           "called only in thrift (non local) mode");
     }
-    return client.get_delegation_token(renewerKerberosPrincipalName);
+    return client.get_delegation_token(owner, renewerKerberosPrincipalName);
   }
 
   @Override
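Review bot: The one-argument `getDelegationToken` is now a public method that exists only on `HiveMetaStoreClient`, since the interface hunk in this commit drops it from `IMetaStoreClient`, and it is described by `//` comments inside the body rather than by Javadoc. I would move that text into a Javadoc block, e.g. `/** Requests a token owned by the current user, as reported by conf.getUser(). */`, and note there that it additionally throws `IOException`. It is also worth stating on both overloads that `owner` is only a request: whether the caller may obtain a token for that user is decided on the server, in the auth bridge.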

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java Wed Apr  6 10:49:36 2011
@@ -677,22 +677,13 @@ public interface IMetaStoreClient {
       throws MetaException, TException;
 
   /**
+   * @param owner the intended owner for the token
    * @param renewerKerberosPrincipalName
-   * @param tokenSignature
    * @return
    * @throws MetaException
    * @throws TException
    */
-  public String getDelegationTokenWithSignature(String renewerKerberosPrincipalName, String tokenSignature)
-      throws MetaException, TException;
-
-  /**
-   * @param renewerKerberosPrincipalName
-   * @return
-   * @throws MetaException
-   * @throws TException
-   */
-  public String getDelegationToken(String renewerKerberosPrincipalName)
+  public String getDelegationToken(String owner, String renewerKerberosPrincipalName)
       throws MetaException, TException;
 
   /**
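Review bot: The Javadoc for the interface method gains `@param owner` but still has an empty `@return`, no description, and no statement of when the call is refused. Suggested additions: a first sentence `Gets a delegation token for owner from the metastore.`, `@return the token in its URL-encoded string form`, and `@throws MetaException if the caller did not authenticate with Kerberos or may not act for owner`. Those conditions are taken from the bridge and secret-manager hunks of this commit.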

Modified: hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java
URL: http://svn.apache.org/viewvc/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java (original)
+++ hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java Wed Apr  6 10:49:36 2011
@@ -70,7 +70,7 @@ public class DelegationTokenSecretManage
     return renewToken(t, user);
   }
 
-  public synchronized String getDelegationToken(String renewer, String tokenSignature) throws IOException {
+  public synchronized String getDelegationToken(String renewer) throws IOException {
     UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
     Text owner = new Text(ugi.getUserName());
     Text realUser = null;
@@ -81,14 +81,7 @@ public class DelegationTokenSecretManage
       new DelegationTokenIdentifier(owner, new Text(renewer), realUser);
     Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>(
         ident, this);
-    if(tokenSignature != null) {
-      t.setService(new Text(tokenSignature));
-    }
     return t.encodeToUrlString();
   }
-
-  public synchronized String getDelegationToken(String renewer) throws IOException {
-    return getDelegationToken(renewer, null);
-  }
 }
 

Modified: hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
URL: http://svn.apache.org/viewvc/hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java (original)
+++ hive/trunk/shims/src/0.20S/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java Wed Apr  6 10:49:36 2011
@@ -18,6 +18,8 @@
 package org.apache.hadoop.hive.thrift;
 
 import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 
@@ -40,6 +42,9 @@ import org.apache.hadoop.security.SaslRp
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
@@ -48,6 +53,7 @@ import org.apache.thrift.TProcessor;
 import org.apache.thrift.protocol.TProtocol;
 import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TSaslServerTransport;
+import org.apache.thrift.transport.TSocket;
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportException;
 import org.apache.thrift.transport.TTransportFactory;
@@ -419,27 +425,78 @@ import org.apache.thrift.transport.TTran
      }
 
      @Override
-     public String getDelegationToken(String renewer) throws IOException {
-       return secretManager.getDelegationToken(renewer);
+     public String getDelegationToken(final String owner, final String renewer) 
+     throws IOException, InterruptedException {
+       if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) {
+         throw new AuthorizationException(
+         "Delegation Token can be issued only with kerberos authentication");
+       }
+       //if the user asking the token is same as the 'owner' then don't do
+       //any proxy authorization checks. For cases like oozie, where it gets
+       //a delegation token for another user, we need to make sure oozie is
+       //authorized to get a delegation token.
+       //Do all checks on short names
+       UserGroupInformation currUser = UserGroupInformation.getCurrentUser();
+       UserGroupInformation ownerUgi = UserGroupInformation.createRemoteUser(owner);
+       if (!ownerUgi.getShortUserName().equals(currUser.getShortUserName())) {
+         //in the case of proxy users, the getCurrentUser will return the 
+         //real user (for e.g. oozie) due to the doAs that happened just before the 
+         //server started executing the method getDelegationToken in the MetaStore
+         ownerUgi = UserGroupInformation.createProxyUser(owner,
+           UserGroupInformation.getCurrentUser());
+         InetAddress remoteAddr = getRemoteAddress();
+         //A hack (127.0.1.1 is used as the remote address in case remoteAddr is null)
+         //to make a testcase TestHadoop20SAuthBridge.testMetastoreProxyUser
+         //pass. Once we have updated hive to have a thrift release with
+         //THIFT-1053 in, we can remove the check for remoteAddr being null, and this
+         //hack
+         ProxyUsers.authorize(ownerUgi, 
+              remoteAddr != null ? remoteAddr.getHostAddress() : "127.0.1.1", 
+              null);
+       }
+       return ownerUgi.doAs(new PrivilegedExceptionAction<String>() {
+         public String run() throws IOException {
+           return secretManager.getDelegationToken(renewer);
+         }
+       }); 
      }
 
      @Override
      public long renewDelegationToken(String tokenStrForm) throws IOException {
+       if (!authenticationMethod.get().equals(AuthenticationMethod.KERBEROS)) {
+         throw new AuthorizationException(
+         "Delegation Token can be issued only with kerberos authentication");
+       }
        return secretManager.renewDelegationToken(tokenStrForm);
      }
 
      @Override
-     public String getDelegationToken(String renewer, String token_signature)
-     throws IOException {
-       return secretManager.getDelegationToken(renewer, token_signature);
-     }
-
-     @Override
      public void cancelDelegationToken(String tokenStrForm) throws IOException {
        secretManager.cancelDelegationToken(tokenStrForm);
      }
 
-
+     private final static ThreadLocal<InetAddress> remoteAddress =
+       new ThreadLocal<InetAddress>() {
+       @Override
+       protected synchronized InetAddress initialValue() {
+         return null;
+       }
+     };
+     
+     @Override
+     public InetAddress getRemoteAddress() {
+       return remoteAddress.get();
+     }
+     
+     //declare the field public so that testcases can set it to an explicit value
+     public final static ThreadLocal<AuthenticationMethod> authenticationMethod =
+       new ThreadLocal<AuthenticationMethod>() {
+       @Override
+       protected synchronized AuthenticationMethod initialValue() {
+         return AuthenticationMethod.TOKEN;
+       }
+     };
+     
     /** CallbackHandler for SASL DIGEST-MD5 mechanism */
     // This code is pretty much completely based on Hadoop's
     // SaslRpcServer.SaslDigestCallbackHandler - the only reason we could not
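Review bot: The proxy-user host check in `getDelegationToken` falls back to the literal `"127.0.1.1"` when `getRemoteAddress()` returns null, so `ProxyUsers.authorize` is then evaluated against a fixed address instead of the caller's. The code comment itself calls this fallback a test hack, yet it sits on the production path. I would fail closed instead: `if (remoteAddr == null) { throw new AuthorizationException("Remote address unavailable; cannot authorize proxy user"); }` followed by `ProxyUsers.authorize(ownerUgi, remoteAddr.getHostAddress(), null);`, which would need a test hook for setting the address. Two smaller points in the same hunk: `renewDelegationToken` reuses the "can be issued only" message although it guards renewal, and `authenticationMethod` is `public static` only for the tests. The test class visible later in this commit is in the same package, so package-private visibility would be enough.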
@@ -537,6 +594,7 @@ import org.apache.thrift.transport.TTran
          TSaslServerTransport saslTrans = (TSaslServerTransport)trans;
          SaslServer saslServer = saslTrans.getSaslServer();
          String authId = saslServer.getAuthorizationID();
+         authenticationMethod.set(AuthenticationMethod.KERBEROS);
          LOG.debug("AUTH ID ======>" + authId);
          String endUser = authId;
 
@@ -545,10 +603,15 @@ import org.apache.thrift.transport.TTran
              TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authId,
                  secretManager);
              endUser = tokenId.getUser().getUserName();
+             authenticationMethod.set(AuthenticationMethod.TOKEN);
            } catch (InvalidToken e) {
              throw new TException(e.getMessage());
            }
          }
+         if (TSocket.class.isAssignableFrom(inProt.getTransport().getClass())) {
+           Socket socket = ((TSocket)inProt.getTransport()).getSocket();
+           remoteAddress.set(socket.getInetAddress());
+         }
          try {
            UserGroupInformation clientUgi = UserGroupInformation.createProxyUser(
               endUser, UserGroupInformation.getLoginUser());
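Review bot: The remote address is stored only when `inProt.getTransport()` is itself a `TSocket`, and nothing clears the thread-local otherwise, so on a pooled worker thread `getRemoteAddress()` can return null or the address of an earlier connection. The cast to `TSaslServerTransport` in the preceding hunk suggests the transport here is the SASL wrapper rather than the socket, in which case this branch would not run at all. That appears to be what the 127.0.1.1 fallback in `getDelegationToken` works around. I would add `else { remoteAddress.remove(); }`, so that the audit log and the proxy-user host check never see another client's address. The enclosing method starts and ends outside this hunk.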

Modified: hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
URL: http://svn.apache.org/viewvc/hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java (original)
+++ hive/trunk/shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java Wed Apr  6 10:49:36 2011
@@ -19,6 +19,7 @@
  package org.apache.hadoop.hive.thrift;
 
  import java.io.IOException;
+import java.net.InetAddress;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.thrift.TProcessor;
@@ -66,10 +67,11 @@ import org.apache.thrift.transport.TTran
    public static abstract class Server {
      public abstract TTransportFactory createTransportFactory() throws TTransportException;
      public abstract TProcessor wrapProcessor(TProcessor processor);
+     public abstract InetAddress getRemoteAddress();
      public abstract void startDelegationTokenSecretManager(Configuration conf) throws IOException;
-     public abstract String getDelegationToken(String renewer) throws IOException;
+     public abstract String getDelegationToken(String owner, String renewer) 
+     throws IOException, InterruptedException;
      public abstract long renewDelegationToken(String tokenStrForm) throws IOException;
-     public abstract String getDelegationToken(String renewer, String token_signature) throws IOException;
      public abstract void cancelDelegationToken(String tokenStrForm) throws IOException;
    }
  }

Modified: hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
URL: http://svn.apache.org/viewvc/hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java?rev=1089396&r1=1089395&r2=1089396&view=diff
==============================================================================
--- hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java (original)
+++ hive/trunk/shims/src/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java Wed Apr  6 10:49:36 2011
@@ -18,22 +18,36 @@
 
 package org.apache.hadoop.hive.thrift;
 
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.net.NetworkInterface;
 import java.net.Socket;
 import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Enumeration;
 
 import junit.framework.TestCase;
 
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.HiveMetaStore;
 import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
 import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.util.StringUtils;
 import org.apache.thrift.transport.TSaslServerTransport;
 import org.apache.thrift.transport.TTransportException;
 import org.apache.thrift.transport.TTransportFactory;
@@ -66,12 +80,35 @@ public class TestHadoop20SAuthBridge ext
       }
     }
   }
-  private static final int port = 10000;
+  
 
-  private final HiveConf conf;
-
-  public TestHadoop20SAuthBridge(String name) {
-    super(name);
+  private HiveConf conf;
+  
+  private void configureSuperUserIPAddresses(Configuration conf,
+      String superUserShortName) throws IOException {
+    ArrayList<String> ipList = new ArrayList<String>();
+    Enumeration<NetworkInterface> netInterfaceList = NetworkInterface
+        .getNetworkInterfaces();
+    while (netInterfaceList.hasMoreElements()) {
+      NetworkInterface inf = netInterfaceList.nextElement();
+      Enumeration<InetAddress> addrList = inf.getInetAddresses();
+      while (addrList.hasMoreElements()) {
+        InetAddress addr = addrList.nextElement();
+        ipList.add(addr.getHostAddress());
+      }
+    }
+    StringBuilder builder = new StringBuilder();
+    for (String ip : ipList) {
+      builder.append(ip);
+      builder.append(',');
+    }
+    builder.append("127.0.1.1,");
+    builder.append(InetAddress.getLocalHost().getCanonicalHostName());
+    conf.setStrings(ProxyUsers.getProxySuperuserIpConfKey(superUserShortName),
+        builder.toString());
+  }
+  
+  public void setup(final int port) throws Exception {
     System.setProperty(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname,
         "true");
     System.setProperty(HiveConf.ConfVars.METASTOREURIS.varname,
@@ -80,10 +117,6 @@ public class TestHadoop20SAuthBridge ext
         System.getProperty("test.build.data", "/tmp")).toString());
     conf = new HiveConf(TestHadoop20SAuthBridge.class);
     conf.setBoolean("hive.metastore.local", false);
-  }
-
-  public void testSaslWithHiveMetaStore() throws Exception {
-
     Thread thread = new Thread(new Runnable() {
       public void run() {
         try {
@@ -95,30 +128,117 @@ public class TestHadoop20SAuthBridge ext
     });
     thread.setDaemon(true);
     thread.start();
-    loopUntilHMSReady();
+    loopUntilHMSReady(port);
+  }
+
+  public void testSaslWithHiveMetaStore() throws Exception {
+    setup(10000);
     UserGroupInformation clientUgi = UserGroupInformation.getCurrentUser();
     obtainTokenAndAddIntoUGI(clientUgi, null);
     obtainTokenAndAddIntoUGI(clientUgi, "tokenForFooTablePartition");
   }
-
-  private void obtainTokenAndAddIntoUGI(UserGroupInformation clientUgi,
-      String tokenSig) throws Exception {
+  
+  public void testMetastoreProxyUser() throws Exception {
+    setup(10010);
+    
+    final String proxyUserName = "proxyUser";
+    //set the configuration up such that proxyUser can act on 
+    //behalf of all users belonging to the group foo_bar_group (
+    //a dummy group)
+    String[] groupNames =
+      new String[] { "foo_bar_group" };
+    setGroupsInConf(groupNames, proxyUserName);
+    
+    final UserGroupInformation delegationTokenUser = 
+      UserGroupInformation.getCurrentUser();
+        
+    final UserGroupInformation proxyUserUgi = 
+      UserGroupInformation.createRemoteUser(proxyUserName);
+    String tokenStrForm = proxyUserUgi.doAs(new PrivilegedExceptionAction<String>() {
+      public String run() throws Exception {
+        try {
+          //Since the user running the test won't belong to a non-existent group
+          //foo_bar_group, the call to getDelegationTokenStr will fail
+          return getDelegationTokenStr(delegationTokenUser, proxyUserUgi);
+        } catch (AuthorizationException ae) {
+          return null;
+        }
+      }
+    });
+    assertTrue("Expected the getDelegationToken call to fail", 
+        tokenStrForm == null);
+    
+    //set the configuration up such that proxyUser can act on 
+    //behalf of all users belonging to the real group(s) that the 
+    //user running the test belongs to
+    setGroupsInConf(UserGroupInformation.getCurrentUser().getGroupNames(),
+        proxyUserName);
+    tokenStrForm = proxyUserUgi.doAs(new PrivilegedExceptionAction<String>() {
+      public String run() throws Exception {
+        try {
+          //Since the user running the test belongs to the group
+          //obtained above the call to getDelegationTokenStr will succeed
+          return getDelegationTokenStr(delegationTokenUser, proxyUserUgi);
+        } catch (AuthorizationException ae) {
+          return null;
+        }
+      }
+    });
+    assertTrue("Expected the getDelegationToken call to not fail", 
+        tokenStrForm != null);
+    Token<DelegationTokenIdentifier> t= new Token<DelegationTokenIdentifier>();
+    t.decodeFromUrlString(tokenStrForm);
+    //check whether the username in the token is what we expect
+    DelegationTokenIdentifier d = new DelegationTokenIdentifier();
+    d.readFields(new DataInputStream(new ByteArrayInputStream(
+        t.getIdentifier())));
+    assertTrue("Usernames don't match", 
+        delegationTokenUser.getShortUserName().equals(d.getUser().getShortUserName()));
+    
+  }
+  
+  private void setGroupsInConf(String[] groupNames, String proxyUserName) 
+  throws IOException {
+   conf.set(
+      ProxyUsers.getProxySuperuserGroupConfKey(proxyUserName),
+      StringUtils.join(",", Arrays.asList(groupNames)));
+    configureSuperUserIPAddresses(conf, proxyUserName);
+    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+  }
+  
+  private String getDelegationTokenStr(UserGroupInformation ownerUgi, 
+      UserGroupInformation realUgi) throws Exception {
     //obtain a token by directly invoking the metastore operation(without going
     //through the thrift interface). Obtaining a token makes the secret manager
     //aware of the user and that it gave the token to the user
-    String tokenStrForm;
-    if (tokenSig == null) {
-      tokenStrForm =
-        HiveMetaStore.getDelegationToken(clientUgi.getShortUserName());
-    } else {
-      tokenStrForm =
-        HiveMetaStore.getDelegationToken(clientUgi.getShortUserName(),
-                                         tokenSig);
-      conf.set("hive.metastore.token.signature", tokenSig);
-    }
+    //also set the authentication method explicitly to KERBEROS. Since the 
+    //metastore checks whether the authentication method is KERBEROS or not
+    //for getDelegationToken, and the testcases don't use 
+    //kerberos, this needs to be done
+    HadoopThriftAuthBridge20S.Server.authenticationMethod
+                             .set(AuthenticationMethod.KERBEROS);
+    return
+        HiveMetaStore.getDelegationToken(ownerUgi.getShortUserName(), 
+            realUgi.getShortUserName());
+  }
 
+  private void obtainTokenAndAddIntoUGI(UserGroupInformation clientUgi,
+      String tokenSig) throws Exception {
+    String tokenStrForm = getDelegationTokenStr(clientUgi, clientUgi);
     Token<DelegationTokenIdentifier> t= new Token<DelegationTokenIdentifier>();
     t.decodeFromUrlString(tokenStrForm);
+    
+    //check whether the username in the token is what we expect
+    DelegationTokenIdentifier d = new DelegationTokenIdentifier();
+    d.readFields(new DataInputStream(new ByteArrayInputStream(
+        t.getIdentifier())));
+    assertTrue("Usernames don't match", 
+        clientUgi.getShortUserName().equals(d.getUser().getShortUserName()));
+    
+    if (tokenSig != null) {
+      conf.set("hive.metastore.token.signature", tokenSig);
+      t.setService(new Text(tokenSig));
+    }
     //add the token to the clientUgi for securely talking to the metastore
     clientUgi.addToken(t);
     //Create the metastore client as the clientUgi. Doing so this
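Review bot: `getDelegationTokenStr` sets the public thread-local `authenticationMethod` to `KERBEROS` and never puts it back, so every later call on the same test thread runs as if it had authenticated with Kerberos. That can hide a regression in the Kerberos-only check. Wrap the call: `try { return HiveMetaStore.getDelegationToken(ownerUgi.getShortUserName(), realUgi.getShortUserName()); } finally { HadoopThriftAuthBridge20S.Server.authenticationMethod.remove(); }`. In `testMetastoreProxyUser`, `assertNull` and `assertNotNull` would read better than `assertTrue(..., x == null)`. `obtainTokenAndAddIntoUGI` continues outside this hunk.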
@@ -137,6 +257,16 @@ public class TestHadoop20SAuthBridge ext
 
     //try out some metastore operations
     createDBAndVerifyExistence(hiveClient);
+    
+    //check that getDelegationToken fails since we are not authenticating
+    //over kerberos
+    boolean pass = false;
+    try {
+      hiveClient.getDelegationToken(clientUgi.getUserName());
+    } catch (MetaException ex) {
+      pass = true;
+    }
+    assertTrue("Expected the getDelegationToken call to fail", pass == true);
     hiveClient.close();
 
     //Now cancel the delegation token
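Review bot: The negative check accepts any `MetaException` as proof that token issuance was refused, so an unrelated server-side failure would also make it pass. Since the handler forwards the exception message, the catch block can pin the reason: `pass = ex.getMessage() != null && ex.getMessage().contains("kerberos authentication");`. `assertTrue(msg, pass)` is enough in place of `pass == true`. The enclosing method starts and ends outside this hunk.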
@@ -162,7 +292,7 @@ public class TestHadoop20SAuthBridge ext
    * A simple connect test to make sure that the metastore is up
    * @throws Exception
    */
-  private void loopUntilHMSReady() throws Exception {
+  private void loopUntilHMSReady(int port) throws Exception {
     int retries = 0;
     Exception exc = null;
     while (true) {


