Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 6F52C2009D9 for ; Mon, 2 May 2016 21:03:47 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 6DDE91609B0; Mon, 2 May 2016 21:03:47 +0200 (CEST) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 8EC371602C5 for ; Mon, 2 May 2016 21:03:46 +0200 (CEST) Received: (qmail 12485 invoked by uid 500); 2 May 2016 19:03:45 -0000 Mailing-List: contact commits-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hive-dev@hive.apache.org Delivered-To: mailing list commits@hive.apache.org Received: (qmail 12474 invoked by uid 99); 2 May 2016 19:03:45 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 May 2016 19:03:45 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 9BD91DFBA8; Mon, 2 May 2016 19:03:45 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sershe@apache.org To: commits@hive.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: hive git commit: HIVE-13446 : LLAP: set default management protocol acls to deny all (Sergey Shelukhin, reviewed by Siddharth Seth) Date: Mon, 2 May 2016 19:03:45 +0000 (UTC) archived-at: Mon, 02 May 2016 19:03:47 -0000 Repository: hive Updated Branches: refs/heads/master 121d70f1c -> 2abea8e16 HIVE-13446 : LLAP: set default management protocol acls to deny all (Sergey Shelukhin, reviewed by Siddharth Seth) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/2abea8e1 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/2abea8e1 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/2abea8e1 Branch: refs/heads/master Commit: 2abea8e16edc2466628934ffa1861066bb0470e8 Parents: 121d70f Author: Sergey Shelukhin Authored: Mon May 2 11:57:34 2016 -0700 Committer: Sergey Shelukhin Committed: Mon May 2 11:57:34 2016 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/hive/conf/HiveConf.java | 10 ++++ .../daemon/impl/LlapProtocolServerImpl.java | 57 ++++++++++++++++---- 2 files changed, 57 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/2abea8e1/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java ----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index b13de92..2814353 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -306,6 +306,8 @@ public class HiveConf extends Configuration {
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_SECURITY_ACL.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_ACL.varname);
+ llapDaemonVarsSetLocal.add(ConfVars.LLAP_SECURITY_ACL_DENY.varname);
+ llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_ACL_DENY.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_DELEGATION_TOKEN_LIFETIME.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_MANAGEMENT_RPC_PORT.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_WEB_AUTO_AUTH.varname);
@@ -334,6 +336,7 @@ public class HiveConf extends Configuration {
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_DAEMON_WEB_PORT.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_DAEMON_WEB_SSL.varname);
 llapDaemonVarsSetLocal.add(ConfVars.LLAP_DAEMON_CONTAINER_ID.varname);
+ llapDaemonVarsSetLocal.add(ConfVars.LLAP_VALIDATE_ACLS.varname);
 }
 /**
@@ -2660,8 +2663,15 @@ public class HiveConf extends Configuration {
 "ZooKeeper connection string for ZooKeeper SecretManager."),
 // Note: do not rename to ..service.acl; Hadoop generates .hosts setting name from this,
 // resulting in a collision with existing hive.llap.daemon.service.hosts and bizarre errors.
+ // These are read by Hadoop IPC, so you should check the usage and naming conventions (e.g.
+ // ".blocked" is a string hardcoded by Hadoop, and defaults are enforced elsewhere in Hive)
+ // before making changes or copy-pasting these.
 LLAP_SECURITY_ACL("hive.llap.daemon.acl", "*", "The ACL for LLAP daemon."),
+ LLAP_SECURITY_ACL_DENY("hive.llap.daemon.acl.blocked", "", "The deny ACL for LLAP daemon."),
 LLAP_MANAGEMENT_ACL("hive.llap.management.acl", "*", "The ACL for LLAP daemon management."),
+ LLAP_MANAGEMENT_ACL_DENY("hive.llap.management.acl.blocked", "",
+ "The deny ACL for LLAP daemon management."),
+ // Hadoop DelegationTokenManager default is 1 week.
 LLAP_DELEGATION_TOKEN_LIFETIME("hive.llap.daemon.delegation.token.lifetime", "14d",
 new TimeValidator(TimeUnit.SECONDS),
http://git-wip-us.apache.org/repos/asf/hive/blob/2abea8e1/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java ----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
index e99e689..dae1a3a 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.java
@@ -48,6 +48,7 @@ import org.apache.hadoop.ipc.ProtobufRpcEngine;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.hive.llap.security.LlapSecurityHelper;
 import org.apache.hadoop.hive.llap.security.LlapTokenIdentifier;
@@ -69,6 +70,7 @@ public class LlapProtocolServerImpl extends AbstractService
 private RPC.Server server, mngServer;
 private final AtomicReference srvAddress, mngAddress;
 private SecretManager zkSecretManager;
+ private String restrictedToUser = null;
 public LlapProtocolServerImpl(int numHandlers, ContainerRunner containerRunner,
@@ -128,6 +130,14 @@ public class LlapProtocolServerImpl extends AbstractService
 startProtocolServers(conf, daemonImpl, managementImpl);
 return;
 }
+ if (isPermissiveManagementAcl(conf)) {
+ LOG.warn("Management protocol has a '*' ACL.");
+ try {
+ this.restrictedToUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
 String llapPrincipal = HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_PRINCIPAL),
 llapKeytab = HiveConf.getVar(conf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE);
 zkSecretManager = SecretManager.createSecretManager(conf, llapPrincipal, llapKeytab);
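Review bot: The warning written when the fallback engages, `LOG.warn("Management protocol has a '*' ACL.")`, does not say that management access is from now on limited to the daemon's own user, so the daemon log gives an operator no record of which identity is accepted until some client is refused. Because `restrictedToUser` is assigned on the following line inside the try, move the warning after the assignment and include the identity and the setting that triggered it: `LOG.warn("Management protocol has a '*' ACL; restricting it to " + restrictedToUser + " because " + ConfVars.LLAP_VALIDATE_ACLS.varname + " is true");`. The fallback only runs when the early return for the non-secure case above it was not taken, which is worth a one-line comment such as `// Secure mode only: a wildcard management ACL falls back to the daemon user.` The enclosing method begins before this hunk.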
@@ -148,21 +158,29 @@ public class LlapProtocolServerImpl extends AbstractService
 });
 }
+ private static boolean isPermissiveManagementAcl(Configuration conf) {
+ return HiveConf.getBoolVar(conf, ConfVars.LLAP_VALIDATE_ACLS)
+ && AccessControlList.WILDCARD_ACL_VALUE.equals(
+ HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL))
+ && "".equals(HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL_DENY));
+ }
+
 private void startProtocolServers(
 Configuration conf, BlockingService daemonImpl, BlockingService managementImpl) {
 server = startProtocolServer(srvPort, numHandlers, srvAddress, conf, daemonImpl,
- LlapProtocolBlockingPB.class);
+ LlapProtocolBlockingPB.class, ConfVars.LLAP_SECURITY_ACL, ConfVars.LLAP_SECURITY_ACL_DENY);
 mngServer = startProtocolServer(mngPort, 2, mngAddress, conf, managementImpl,
- LlapManagementProtocolPB.class);
+ LlapManagementProtocolPB.class, ConfVars.LLAP_MANAGEMENT_ACL,
+ ConfVars.LLAP_MANAGEMENT_ACL_DENY);
 }
 private RPC.Server startProtocolServer(int srvPort, int numHandlers,
 AtomicReference bindAddress, Configuration conf,
- BlockingService impl, Class protocolClass) {
+ BlockingService impl, Class protocolClass, ConfVars... aclVars) {
 InetSocketAddress addr = new InetSocketAddress(srvPort);
 RPC.Server server;
 try {
- server = createServer(protocolClass, addr, conf, numHandlers, impl);
+ server = createServer(protocolClass, addr, conf, numHandlers, impl, aclVars);
 server.start();
 } catch (IOException e) {
 LOG.error("Failed to run RPC Server on port: " + srvPort, e);
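Review bot: `isPermissiveManagementAcl` recognises only the exact string `*`, whereas Hadoop's `AccessControlList` (as far as I recall its parsing; confirm against the Hadoop version in use) trims the value and also treats a `*` in the groups part, e.g. `someuser *`, as allow-all, so such a value still admits everyone but skips the new fallback. Comparing through the class that will actually evaluate the ACL closes that gap: `&& new AccessControlList(HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL)).isAllAllowed()`. For the same reason the deny-list test is better written as `HiveConf.getVar(conf, ConfVars.LLAP_MANAGEMENT_ACL_DENY).trim().isEmpty()`, since a whitespace-only blocked list blocks nobody. A short Javadoc on the method stating that it answers "would this ACL admit any authenticated caller" would make the intent clear to the next maintainer.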
@@ -198,10 +216,23 @@ public class LlapProtocolServerImpl extends AbstractService
 }
 private RPC.Server createServer(Class pbProtocol, InetSocketAddress addr, Configuration conf,
- int numHandlers, BlockingService blockingService) throws
+ int numHandlers, BlockingService blockingService, ConfVars... aclVars) throws
 IOException {
- RPC.setProtocolEngine(conf, pbProtocol, ProtobufRpcEngine.class);
- RPC.Builder builder = new RPC.Builder(conf)
+ Configuration serverConf = conf;
+ boolean isSecurityEnabled = conf.getBoolean(
+ CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false);
+ if (isSecurityEnabled) {
+ // Enforce Hive defaults.
+ for (ConfVars acl : aclVars) {
+ if (conf.get(acl.varname) != null) continue; // Some value is set.
+ if (serverConf == conf) {
+ serverConf = new Configuration(conf);
+ }
+ serverConf.set(acl.varname, HiveConf.getVar(serverConf, acl)); // Set the default.
+ }
+ }
+ RPC.setProtocolEngine(serverConf, pbProtocol, ProtobufRpcEngine.class);
+ RPC.Builder builder = new RPC.Builder(serverConf)
 .setProtocol(pbProtocol)
 .setInstance(blockingService)
 .setBindAddress(addr.getHostName())
@@ -211,9 +242,8 @@ public class LlapProtocolServerImpl extends AbstractService
 builder = builder.setSecretManager(zkSecretManager);
 }
 RPC.Server server = builder.build();
-
- if (conf.getBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false)) {
- server.refreshServiceAcl(conf, new LlapDaemonPolicyProvider());
+ if (isSecurityEnabled) {
+ server.refreshServiceAcl(serverConf, new LlapDaemonPolicyProvider());
 }
 return server;
 }
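Review bot: The local `isSecurityEnabled` is read from `HADOOP_SECURITY_AUTHORIZATION`, which is Hadoop's service-level authorization switch and not its authentication switch, so the name overstates what it guards; naming it `isAuthorizationEnabled` keeps a reader from assuming the ACL defaults also cover the unauthenticated case, where this code deliberately applies nothing. Separately, `RPC.setProtocolEngine` now targets `serverConf`, which is a private copy whenever a default had to be filled in, so the `rpc.engine.<protocol>` entry is no longer written to the caller's `conf` in that case; if anything else in the daemon relies on that key being on the shared configuration (I cannot tell from here), call `RPC.setProtocolEngine(conf, ...)` as before and use `serverConf` only for the builder and `refreshServiceAcl`. The `aclVars` parameter deserves a Javadoc line saying it lists the allow/deny ACL settings whose Hive defaults are pushed into the configuration seen by Hadoop's authorization when `hadoop.security.authorization` is on, since Hadoop would otherwise fall back to its own wildcard default.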
@@ -231,6 +261,13 @@ public class LlapProtocolServerImpl extends AbstractService
 } catch (IOException e) {
 throw new ServiceException(e);
 }
+ if (restrictedToUser != null && !restrictedToUser.equals(ugi.getShortUserName())) {
+ throw new ServiceException("Management protocol ACL is too permissive. The access has been" + " automatically restricted to " + restrictedToUser + "; " + ugi.getShortUserName() + " is denied acccess. Please set " + ConfVars.LLAP_VALIDATE_ACLS.varname + " to false," + " or adjust " + ConfVars.LLAP_MANAGEMENT_ACL.varname + " and " + ConfVars.LLAP_MANAGEMENT_ACL_DENY.varname + " to a more restrictive ACL.");
+ }
 String user = ugi.getUserName();
 Text owner = new Text(user);
 Text realUser = null;
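Review bot: The denial message sent back to the refused caller embeds `restrictedToUser`, i.e. the daemon's own user name, and also carries the misspelling `acccess`; a rejected client only needs to learn that it was refused and which settings govern the ACL, so keep the identities in a server-side log and return a shorter text. For example log `LOG.warn("Management protocol access denied for " + ugi.getShortUserName() + "; access is restricted to " + restrictedToUser);` and throw `new ServiceException("Management protocol ACL is too permissive; access is restricted to the daemon user. Set " + ConfVars.LLAP_VALIDATE_ACLS.varname + " to false, or adjust " + ConfVars.LLAP_MANAGEMENT_ACL.varname + " and " + ConfVars.LLAP_MANAGEMENT_ACL_DENY.varname + " to a more restrictive ACL.")`. The check sits inside a single RPC method whose signature is before this hunk, so any other method exposed on the management protocol would not receive it; if there are others, a shared helper called at the top of each is the safer placement.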