Return-Path: X-Original-To: apmail-hive-commits-archive@www.apache.org Delivered-To: apmail-hive-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 7990619511 for ; Wed, 6 Apr 2016 12:58:35 +0000 (UTC) Received: (qmail 71053 invoked by uid 500); 6 Apr 2016 12:58:35 -0000 Delivered-To: apmail-hive-commits-archive@hive.apache.org Received: (qmail 71010 invoked by uid 500); 6 Apr 2016 12:58:35 -0000 Mailing-List: contact commits-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hive-dev@hive.apache.org Delivered-To: mailing list commits@hive.apache.org Received: (qmail 70999 invoked by uid 99); 6 Apr 2016 12:58:35 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Apr 2016 12:58:35 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 01BA7DFD5B; Wed, 6 Apr 2016 12:58:34 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: ctang@apache.org To: commits@hive.apache.org Message-Id: <22d121e8243942ddb7c77ffe3456c807@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: hive git commit: HIVE-13401: Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho) Date: Wed, 6 Apr 2016 12:58:35 +0000 (UTC) Repository: hive Updated Branches: refs/heads/branch-2.0 c00fcc389 -> 9ca30cf14 HIVE-13401: Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication (Chaoyu Tang, reviewed by Szehon Ho) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/9ca30cf1 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/9ca30cf1 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/9ca30cf1 Branch: refs/heads/branch-2.0 Commit: 9ca30cf14044e0442434a9d664af196e02da59ad Parents: c00fcc3 Author: ctang Authored: Wed Apr 6 08:58:20 2016 -0400 Committer: ctang Committed: Wed Apr 6 08:58:20 2016 -0400 ---------------------------------------------------------------------- .../minikdc/TestJdbcNonKrbSASLWithMiniKdc.java | 103 +++++++++++++++++++ 1 file changed, 103 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/9ca30cf1/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java ----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
new file mode 100644
index 0000000..1c1beda
--- /dev/null
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
@@ -0,0 +1,103 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.minikdc;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.sql.DriverManager;
+import java.sql.SQLException;
+
+import javax.security.sasl.AuthenticationException;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.apache.hive.service.auth.PasswdAuthenticationProvider;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
+
+ public static class CustomAuthenticator implements PasswdAuthenticationProvider {
+ @Override
+ public void Authenticate(String user, String password) throws AuthenticationException {
+ if (!("nonkrbuser".equals(user) && "mypwd".equals(password))) {
+ throw new AuthenticationException("Authentication failed");
+ }
+ }
+ }
+
+ @BeforeClass
+ public static void beforeTest() throws Exception {
+ Class.forName(MiniHS2.getJdbcDriverName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
+ SessionHookTest.class.getName());
+ confOverlay.put(ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
+ CustomAuthenticator.class.getName());
+ HiveConf hiveConf = new HiveConf();
+ miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
+ miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf, "CUSTOM");
+ miniHS2.start(confOverlay);
+ }
+
+ /***
+ * Test a nonkrb user could login the kerberized HS2 with authentication type SASL NONE
+ * @throws Exception
+ */
+ @Test
+ public void testNonKrbSASLAuth() throws Exception {
+ hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL() + "default;user=nonkrbuser;password=mypwd");
+ verifyProperty(SESSION_USER_NAME, "nonkrbuser");
+ hs2Conn.close();
+ }
+
+ /***
+ * Negative test, verify that connection to secure HS2 fails if it is noSasl
+ * @throws Exception
+ */
+ @Test
+ public void testNoSaslConnectionNeg() throws Exception {
+ try {
+ String url = miniHS2.getBaseJdbcURL() + "default;auth=noSasl";
+ hs2Conn = DriverManager.getConnection(url);
+ fail("noSasl connection should fail");
+ } catch (SQLException e) {
+ // expected error
+ assertEquals("08S01", e.getSQLState().trim());
+ }
+ }
+
+ /***
+ * Negative test, verify that NonKrb connection to secure HS2 fails if it is
+ * user/pwd do not match.
+ * @throws Exception
+ */
+ @Test
+ public void testNoKrbConnectionNeg() throws Exception {
+ try {
+ String url = miniHS2.getBaseJdbcURL() + "default;user=wronguser;pwd=mypwd";
+ hs2Conn = DriverManager.getConnection(url);
+ fail("noSasl connection should fail");
+ } catch (SQLException e) {
+ // expected error
+ assertEquals("08S01", e.getSQLState().trim());
+ }
+ }
+}
\ No newline at end of file
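Review bot: `testNoKrbConnectionNeg` passes the credential as `pwd=mypwd`, while the positive test `testNonKrbSASLAuth` uses `password=mypwd`; if the driver reads only the `password` key (its URL parsing is not in this hunk), the negative case never submits the intended password and does not isolate the wrong-user path of `CustomAuthenticator`. Use the same key, `String url = miniHS2.getBaseJdbcURL() + "default;user=wronguser;password=mypwd";`, and replace the copied message with `fail("connection with wrong user should fail");`. A companion case with `user=nonkrbuser` and a wrong password would cover the other half of the `&&` check. Both negative tests assert only SQLState `08S01`, which a non-authentication connection failure may also produce, so they can pass for the wrong reason; a comment saying the state is expected to come from the authentication rejection, or an extra assertion on the exception message, would make the intent checkable.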