Mailing-List: contact commits-help@hive.apache.org; run by ezmlm
Precedence: bulk
Reply-To: hive-dev@hive.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1583087 -
 /hive/branches/branch-0.13/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java
Date: Sun, 30 Mar 2014 00:35:49 -0000
To: commits@hive.apache.org
From: thejas@apache.org
Message-Id: <20140330003550.0A1802388860@eris.apache.org>

Author: thejas
Date: Sun Mar 30 00:35:49 2014
New Revision: 1583087

URL: http://svn.apache.org/r1583087
Log:
HIVE-6763 : HiveServer2 in http mode might send same kerberos client ticket in case of concurrent requests resulting in server throwing a replay exception (Vaibhav Gumashta via Thejas Nair)

Modified:
    hive/branches/branch-0.13/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java

Modified: hive/branches/branch-0.13/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java?rev=1583087&r1=1583086&r2=1583087&view=diff
==============================================================================
--- hive/branches/branch-0.13/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java (original)
+++ hive/branches/branch-0.13/jdbc/src/java/org/apache/hive/jdbc/HttpKerberosRequestInterceptor.java Sun Mar 30 00:35:49 2014
@@ -1,24 +1,25 @@
 /**
-* Licensed to the Apache Software Foundation (ASF) under one
-* or more contributor license agreements.  See the NOTICE file
-* distributed with this work for additional information
-* regarding copyright ownership.  The ASF licenses this file
-* to you under the Apache License, Version 2.0 (the
-* "License"); you may not use this file except in compliance
-* with the License.  You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 package org.apache.hive.jdbc;
 
 import java.io.IOException;
+import java.util.concurrent.locks.ReentrantLock;
 
 import org.apache.hive.service.auth.HttpAuthUtils;
 import org.apache.http.HttpException;
@@ -27,39 +28,46 @@ import org.apache.http.HttpRequestInterc
 import org.apache.http.protocol.HttpContext;
 
 /**
-*
-* Authentication interceptor which adds Base64 encoded payload,
-* containing the username and kerberos service ticket,
-* to the outgoing http request header.
-*
-*/
+ *
+ * Authentication interceptor which adds Base64 encoded payload,
+ * containing the username and kerberos service ticket,
+ * to the outgoing http request header.
+ *
+ */
 public class HttpKerberosRequestInterceptor implements HttpRequestInterceptor {
 
-String principal;
-String host;
-String serverHttpUrl;
-
-public HttpKerberosRequestInterceptor(String principal, String host,
-    String serverHttpUrl) {
-  this.principal = principal;
-  this.host = host;
-  this.serverHttpUrl = serverHttpUrl;
-}
-
-@Override
-public void process(HttpRequest httpRequest, HttpContext httpContext)
-    throws HttpException, IOException {
-  String kerberosAuthHeader;
-  try {
-    // Generate the service ticket for sending to the server.
-    kerberosAuthHeader = HttpAuthUtils.getKerberosServiceTicket(
-        principal, host, serverHttpUrl);
-    // Set the session key token (Base64 encoded) in the headers
-    httpRequest.addHeader(HttpAuthUtils.AUTHORIZATION + ": " +
-        HttpAuthUtils.NEGOTIATE + " ", kerberosAuthHeader);
-  } catch (Exception e) {
-    throw new HttpException(e.getMessage(), e);
+  String principal;
+  String host;
+  String serverHttpUrl;
+
+  // A fair reentrant lock
+  private static ReentrantLock kerberosLock = new ReentrantLock(true);
+
+  public HttpKerberosRequestInterceptor(String principal, String host,
+      String serverHttpUrl) {
+    this.principal = principal;
+    this.host = host;
+    this.serverHttpUrl = serverHttpUrl;
   }
-}
 
+  @Override
+  public void process(HttpRequest httpRequest, HttpContext httpContext)
+      throws HttpException, IOException {
+    String kerberosAuthHeader;
+    try {
+      // Generate the service ticket for sending to the server.
+      // Locking ensures the tokens are unique in case of concurrent requests
+      kerberosLock.lock();
+      kerberosAuthHeader = HttpAuthUtils.getKerberosServiceTicket(
+          principal, host, serverHttpUrl);
+      // Set the session key token (Base64 encoded) in the headers
+      httpRequest.addHeader(HttpAuthUtils.AUTHORIZATION + ": " +
+          HttpAuthUtils.NEGOTIATE + " ", kerberosAuthHeader);
+    } catch (Exception e) {
+      throw new HttpException(e.getMessage(), e);
+    }
+    finally {
+      kerberosLock.unlock();
+    }
+  }
 }