Return-Path: X-Original-To: apmail-hive-commits-archive@www.apache.org Delivered-To: apmail-hive-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 23DA61083D for ; Sat, 22 Nov 2014 19:09:21 +0000 (UTC) Received: (qmail 14585 invoked by uid 500); 22 Nov 2014 19:09:21 -0000 Delivered-To: apmail-hive-commits-archive@hive.apache.org Received: (qmail 14544 invoked by uid 500); 22 Nov 2014 19:09:21 -0000 Mailing-List: contact commits-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hive-dev@hive.apache.org Delivered-To: mailing list commits@hive.apache.org Received: (qmail 14533 invoked by uid 99); 22 Nov 2014 19:09:20 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 22 Nov 2014 19:09:20 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 22 Nov 2014 19:08:56 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 78A1123888D7; Sat, 22 Nov 2014 19:08:55 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1641102 - in /hive/trunk/service/src/java/org/apache/hive/service: ServiceUtils.java auth/LdapAuthenticationProviderImpl.java cli/thrift/ThriftCLIService.java Date: Sat, 22 Nov 2014 19:08:55 -0000 To: commits@hive.apache.org 
From: brock@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20141122190855.78A1123888D7@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: brock Date: Sat Nov 22 19:08:54 2014 New Revision: 1641102 URL: http://svn.apache.org/r1641102 Log: HIVE-8916 - Handle user@domain username under LDAP authentication (Mohit Sabharwal via Brock) Added: hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java Modified: hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Added: hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java?rev=1641102&view=auto ==============================================================================
--- hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java (added)
+++ hive/trunk/service/src/java/org/apache/hive/service/ServiceUtils.java Sat Nov 22 19:08:54 2014
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service;
+
+public class ServiceUtils {
+
+ /*
+ * Get the index separating the user name from domain name (the user's name up
+ * to the first '/' or '@').
+ *
+ * @param userName full user name.
+ * @return index of domain match or -1 if not found
+ */
+ public static int indexOfDomainMatch(String userName) {
+ if (userName == null) {
+ return -1;
+ }
+
+ int idx = userName.indexOf('/');
+ int idx2 = userName.indexOf('@');
+ int endIdx = Math.min(idx, idx2); // Use the earlier match.
+ // Unless at least one of '/' or '@' was not found, in
+ // which case, user the latter match.
+ if (endIdx == -1) { + endIdx = Math.max(idx, idx2); + } + return endIdx; + } +} \ No newline at end of file Modified: hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java?rev=1641102&r1=1641101&r2=1641102&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java Sat Nov 22 19:08:54 2014 @@ -24,6 +24,7 @@ import javax.naming.directory.InitialDir import javax.security.sasl.AuthenticationException; import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hive.service.ServiceUtils; public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvider { @@ -45,10 +46,11 @@ public class LdapAuthenticationProviderI env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, ldapURL); - // If the domain is supplied, then append it. LDAP providers like Active Directory - // use a fully qualified user name like foo@bar.com. - if (ldapDomain != null) { - user = user + "@" + ldapDomain; + // If the domain is available in the config, then append it unless domain is + // already part of the username. LDAP providers like Active Directory use a + // fully qualified user name like foo@bar.com. + if (!hasDomain(user) && ldapDomain != null) { + user = user + "@" + ldapDomain; } // setup the security principal 
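Review bot: The comment above `indexOfDomainMatch` in ServiceUtils.java opens with `/*` rather than `/**`, so its `@param` and `@return` tags are not picked up as Javadoc, and the inline comment reads "user the latter match" where "use the later match" is meant. The contract also omits that the method returns 0 when the name starts with '/' or '@'; both callers in this commit treat 0 the same as -1, which is worth stating because the result feeds an authentication decision. I would open the block with `/**` and document the result as `@return index of the first '/' or '@' (0 if the name starts with one), or -1 if neither occurs`. Since the class only holds a static helper, it could also be `final` with a private constructor.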
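Review bot: In the `-45,10 +46,11` hunk of LdapAuthenticationProviderImpl.java, a client-supplied name that already contains '@' or '/' now skips the configured `ldapDomain`, and nothing compares the supplied domain with the configured one. If the directory accepts binds for more than one domain (not visible here), a name such as `alice@other.example` is bound as given, and the `getShortName` added in ThriftCLIService then reduces it to `alice`, so the session identity no longer shows which domain was verified. Assuming `ldapDomain` is meant to restrict who may log in, I would add a mismatch branch after the `if`, for example `else if (ldapDomain != null && !user.toLowerCase().endsWith("@" + ldapDomain.toLowerCase())) { throw new AuthenticationException("User domain does not match the configured LDAP domain"); }`. That branch also covers names containing only '/', which `hasDomain` currently counts as already qualified. The enclosing method starts and ends outside the hunk, so whether it declares `AuthenticationException` should be confirmed.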
@@ -71,4 +73,7 @@ public class LdapAuthenticationProviderI } } + private boolean hasDomain(String userName) { + return (ServiceUtils.indexOfDomainMatch(userName) > 0); + } } Modified: hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java URL: http://svn.apache.org/viewvc/hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java?rev=1641102&r1=1641101&r2=1641102&view=diff ============================================================================== --- hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java (original) +++ hive/trunk/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java Sat Nov 22 19:08:54 2014 @@ -33,6 +33,7 @@ import org.apache.hadoop.hive.conf.HiveC import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hive.service.AbstractService; import org.apache.hive.service.ServiceException; +import org.apache.hive.service.ServiceUtils; import org.apache.hive.service.auth.HiveAuthFactory; import org.apache.hive.service.auth.TSetIpAddressProcessor; import org.apache.hive.service.cli.*; @@ -295,11 +296,24 @@ public abstract class ThriftCLIService e if (userName == null) { userName = req.getUsername(); } + + userName = getShortName(userName); String effectiveClientUser = getProxyUser(userName, req.getConfiguration(), getIpAddress()); LOG.debug("Client's username: " + effectiveClientUser); return effectiveClientUser; } + private String getShortName(String userName) { + String ret = null; + if (userName != null) { + int indexOfDomainMatch = ServiceUtils.indexOfDomainMatch(userName); + ret = (indexOfDomainMatch <= 0) ? userName : + userName.substring(0, indexOfDomainMatch); + } + + return ret; + } + /** * Create a session handle * @param req
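Review bot: `hasDomain` in the `-71,4 +73,7` hunk has no comment, and its `> 0` test reports a name beginning with '@' or '/' as having no domain, so with `ldapDomain` set the bind name becomes something like `@x@domain` (constructed example). That bind presumably just fails, but the intent is not visible to the next reader of an authentication path. I would add `// index 0 means an empty user part; treated as "no domain"` above the return, or reject such names before the bind. The helper uses no instance state and could be `private static`.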
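Review bot: In the `-295,11 +296,24` hunk of ThriftCLIService.java, the name is shortened before `getProxyUser` and before the `LOG.debug` line, so the qualified name the client presented, with its domain or realm, is not recorded anywhere in the visible code. For audit and incident review I would log it before the reassignment, e.g. `LOG.debug("Client's full username: " + userName);` placed above `userName = getShortName(userName);`. As far as the hunk shows, the shortening also applies to the value from `req.getUsername()` whatever authentication mode produced it, which deserves a comment on `getShortName` saying that the domain is discarded and must already have been verified. `getShortName` reads more directly without the `ret` temporary: `if (userName == null) { return null; }` followed by returning the conditional expression. The enclosing method starts outside the hunk.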