From ct...@apache.org
Subject hive git commit: HIVE-13590: Kerberized HS2 with LDAP auth enabled fails in multi-domain LDAP case (Chaoyu Tang, reviewed by Szehon Ho, Sergio Pena)
Date Tue, 21 Jun 2016 00:35:11 GMT
Repository: hive
Updated Branches:
  refs/heads/master ec0921bf7 -> 7cdf624c7


HIVE-13590: Kerberized HS2 with LDAP auth enabled fails in multi-domain LDAP case (Chaoyu
Tang, reviewed by Szehon Ho, Sergio Pena)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/7cdf624c
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/7cdf624c
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/7cdf624c

Branch: refs/heads/master
Commit: 7cdf624c7f341e2a063a48a2b027a8fec7804c65
Parents: ec0921b
Author: ctang <ctang@cloudera.com>
Authored: Mon Jun 20 20:34:54 2016 -0400
Committer: ctang <ctang@cloudera.com>
Committed: Mon Jun 20 20:34:54 2016 -0400

----------------------------------------------------------------------
 .../minikdc/TestJdbcNonKrbSASLWithMiniKdc.java  | 51 ++++++++++++++++++--
 .../hive/service/auth/HiveAuthFactory.java      | 10 ++++
 .../service/cli/thrift/ThriftCLIService.java    | 21 ++++++--
 .../hive/thrift/HadoopThriftAuthBridge.java     | 29 +++++++++--
 4 files changed, 99 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/7cdf624c/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
index 1c1beda..f0e1fb2 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcNonKrbSASLWithMiniKdc.java
@@ -19,6 +19,7 @@
 package org.apache.hive.minikdc;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 import java.sql.DriverManager;
@@ -28,17 +29,22 @@ import javax.security.sasl.AuthenticationException;
 
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.jdbc.HiveConnection;
 import org.apache.hive.jdbc.miniHS2.MiniHS2;
 import org.apache.hive.service.auth.PasswdAuthenticationProvider;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
 public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
+  public static final String SASL_NONKRB_USER1 = "nonkrbuser";
+  public static final String SASL_NONKRB_USER2 = "nonkrbuser@realm.com";
+  public static final String SASL_NONKRB_PWD = "mypwd";
 
   public static class CustomAuthenticator implements PasswdAuthenticationProvider {
     @Override
     public void Authenticate(String user, String password) throws AuthenticationException
{
-      if (!("nonkrbuser".equals(user) && "mypwd".equals(password))) {
+      if (!(SASL_NONKRB_USER1.equals(user) && SASL_NONKRB_PWD.equals(password)) &&
+          !(SASL_NONKRB_USER2.equals(user) && SASL_NONKRB_PWD.equals(password)))
{
         throw new AuthenticationException("Authentication failed");
       }
     }
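Review bot: The double-negated condition in `Authenticate` (L75-76) repeats the password comparison and is hard to read; the same acceptance rule reads more directly as `if (!SASL_NONKRB_PWD.equals(password) || !(SASL_NONKRB_USER1.equals(user) || SASL_NONKRB_USER2.equals(user))) {`. Since `SASL_NONKRB_USER2` is the realm-qualified form of `SASL_NONKRB_USER1`, a one-line comment on the constants saying that the second is the domain-qualified spelling of the first would explain why both are accepted. The class continues outside the hunk.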
@@ -63,8 +69,21 @@ public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
    */
   @Test
   public void testNonKrbSASLAuth() throws Exception {
-    hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL() + "default;user=nonkrbuser;password=mypwd");
-    verifyProperty(SESSION_USER_NAME, "nonkrbuser");
+    hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL()
+        + "default;user=" + SASL_NONKRB_USER1 + ";password=" + SASL_NONKRB_PWD);
+    verifyProperty(SESSION_USER_NAME, SASL_NONKRB_USER1);
+    hs2Conn.close();
+  }
+
+  /***
+   * Test a nonkrb user could login the kerberized HS2 with authentication type SASL NONE
+   * @throws Exception
+   */
+  @Test
+  public void testNonKrbSASLFullNameAuth() throws Exception {
+    hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL()
+        + "default;user=" + SASL_NONKRB_USER2 + ";password=" + SASL_NONKRB_PWD);
+    verifyProperty(SESSION_USER_NAME, SASL_NONKRB_USER1);
     hs2Conn.close();
   }
 
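Review bot: The Javadoc on `testNonKrbSASLFullNameAuth` (L93-96) is copied from the previous test and does not describe what this test checks, which is that logging in with the realm-qualified name `SASL_NONKRB_USER2` yields `SASL_NONKRB_USER1` as the session user. Suggested summary: `Test that a non-Kerberos user logging in with a domain-qualified name (user@realm) is mapped to the short user name in the session`. The `/***` opener is also non-standard for Javadoc; `/**` is sufficient, and the same applies to the block at L110.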
@@ -100,4 +119,30 @@ public class TestJdbcNonKrbSASLWithMiniKdc extends TestJdbcWithMiniKdc{
       assertEquals("08S01", e.getSQLState().trim());
     }
   }
+
+  /***
+   * Negative test for token based authentication
+   * Verify that token is not applicable to non-Kerberos SASL user
+   * @throws Exception
+   */
+  @Test
+  public void testNoKrbSASLTokenAuthNeg() throws Exception {
+    hs2Conn = DriverManager.getConnection(miniHS2.getBaseJdbcURL()
+        + "default;user=" + SASL_NONKRB_USER1 + ";password=" + SASL_NONKRB_PWD);
+    verifyProperty(SESSION_USER_NAME, SASL_NONKRB_USER1);
+
+    try {
+      // retrieve token and store in the cache
+      String token = ((HiveConnection)hs2Conn).getDelegationToken(
+          MiniHiveKdc.HIVE_TEST_USER_1, MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+
+      fail(SASL_NONKRB_USER1 + " shouldn't be allowed to retrieve token for " +
+          MiniHiveKdc.HIVE_TEST_USER_2);
+    } catch (SQLException e) {
+      // Expected error
+      assertTrue(e.getMessage().contains("Delegation token only supported over remote client
with kerberos authentication"));
+    } finally {
+      hs2Conn.close();
+    }
+  }
 }
\ No newline at end of file
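Review bot: The `fail(...)` message (L126-127) names `MiniHiveKdc.HIVE_TEST_USER_2`, but the token request on L123-124 is for `MiniHiveKdc.HIVE_TEST_USER_1`, so a regression would be reported against the wrong principal; the local `token` is also never used. Suggested: `((HiveConnection) hs2Conn).getDelegationToken(MiniHiveKdc.HIVE_TEST_USER_1, MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);` followed by `fail(SASL_NONKRB_USER1 + " shouldn't be allowed to retrieve token for " + MiniHiveKdc.HIVE_TEST_USER_1);`. Matching a substring of the exception message ties the test to the exact server wording; if the server maps this rejection to a distinct SQL state, asserting on that, as the test at L106 does, would be less brittle.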

http://git-wip-us.apache.org/repos/asf/hive/blob/7cdf624c/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
index ab8806c..168ba35 100644
--- a/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -47,6 +47,7 @@ import org.apache.hadoop.hive.thrift.DBTokenStore;
 import org.apache.hadoop.hive.thrift.HiveDelegationTokenManager;
 import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge;
 import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.Server.ServerMode;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.ProxyUsers;
@@ -226,11 +227,20 @@ public class HiveAuthFactory {
     }
   }
 
+  public String getUserAuthMechanism() {
+    return saslServer == null ? null : saslServer.getUserAuthMechanism();
+  }
+
   public boolean isSASLWithKerberizedHadoop() {
     return "kerberos".equalsIgnoreCase(hadoopAuth)
         && !authTypeStr.equalsIgnoreCase(AuthTypes.NOSASL.getAuthName());
   }
 
+  public boolean isSASLKerberosUser() {
+    return AuthMethod.KERBEROS.getMechanismName().equals(getUserAuthMechanism())
+            || AuthMethod.TOKEN.getMechanismName().equals(getUserAuthMechanism());
+  }
+
   // Perform kerberos login using the hadoop shim API if the configuration is available
   public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
     String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
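Review bot: `isSASLKerberosUser()` (L166-169) returns true for the TOKEN mechanism as well as KERBEROS, so a caller that authenticated with a delegation token can obtain, renew and cancel further tokens through the Thrift methods that now depend on this predicate; a leaked token could thus be exchanged for fresh ones past its own expiry, a chain the HDFS NameNode blocks by refusing getDelegationToken over token authentication. If that is intended, the name and a Javadoc should say so, e.g. `/** True when the current SASL session was authenticated with Kerberos or with a delegation token. */`; if not, drop the TOKEN clause or move it to a separate predicate used only by renew/cancel. The method also reads the per-request thread-local twice via `getUserAuthMechanism()`; a local `String mech = getUserAuthMechanism();` avoids the second read.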

http://git-wip-us.apache.org/repos/asf/hive/blob/7cdf624c/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
index 8bc3d94..0c1114a 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
@@ -33,10 +33,13 @@ import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.common.ServerUtils;
 import org.apache.hadoop.hive.shims.HadoopShims.KerberosNameShim;
 import org.apache.hadoop.hive.shims.ShimLoader;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.hive.service.AbstractService;
 import org.apache.hive.service.ServiceException;
+import org.apache.hive.service.ServiceUtils;
 import org.apache.hive.service.auth.HiveAuthFactory;
 import org.apache.hive.service.auth.TSetIpAddressProcessor;
+import org.apache.hive.service.auth.HiveAuthFactory.AuthTypes;
 import org.apache.hive.service.cli.CLIService;
 import org.apache.hive.service.cli.FetchOrientation;
 import org.apache.hive.service.cli.FetchType;
@@ -237,7 +240,7 @@ public abstract class ThriftCLIService extends AbstractService implements
TCLISe
       throws TException {
     TGetDelegationTokenResp resp = new TGetDelegationTokenResp();
 
-    if (hiveAuthFactory == null) {
+    if (hiveAuthFactory == null || !hiveAuthFactory.isSASLKerberosUser()) {
       resp.setStatus(unsecureTokenErrorStatus());
     } else {
       try {
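Review bot: The guard `hiveAuthFactory == null || !hiveAuthFactory.isSASLKerberosUser()` is now duplicated in GetDelegationToken here and in the CancelDelegationToken (-261) and RenewDelegationToken (-280) hunks; a private helper such as `private boolean isTokenOperationAllowed() { return hiveAuthFactory != null && hiveAuthFactory.isSASLKerberosUser(); }` keeps the three entry points in sync the next time the rule changes. Both cases return the same `unsecureTokenErrorStatus()`, so a client cannot tell "token operations unavailable" from "your authentication mechanism does not permit token operations"; that is acceptable only if the server-side log distinguishes them, which this hunk does not show. All three enclosing methods continue outside their hunks.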
@@ -261,7 +264,7 @@ public abstract class ThriftCLIService extends AbstractService implements
TCLISe
       throws TException {
     TCancelDelegationTokenResp resp = new TCancelDelegationTokenResp();
 
-    if (hiveAuthFactory == null) {
+    if (hiveAuthFactory == null || !hiveAuthFactory.isSASLKerberosUser()) {
       resp.setStatus(unsecureTokenErrorStatus());
     } else {
       try {
@@ -280,7 +283,7 @@ public abstract class ThriftCLIService extends AbstractService implements
TCLISe
   public TRenewDelegationTokenResp RenewDelegationToken(TRenewDelegationTokenReq req)
       throws TException {
     TRenewDelegationTokenResp resp = new TRenewDelegationTokenResp();
-    if (hiveAuthFactory == null) {
+    if (hiveAuthFactory == null || !hiveAuthFactory.isSASLKerberosUser()) {
       resp.setStatus(unsecureTokenErrorStatus());
     } else {
       try {
@@ -358,6 +361,7 @@ public abstract class ThriftCLIService extends AbstractService implements
TCLISe
    */
   private String getUserName(TOpenSessionReq req) throws HiveSQLException, IOException {
     String userName = null;
+
     if (hiveAuthFactory != null && hiveAuthFactory.isSASLWithKerberizedHadoop())
{
       userName = hiveAuthFactory.getRemoteUser();
     }
@@ -385,8 +389,15 @@ public abstract class ThriftCLIService extends AbstractService implements
TCLISe
     String ret = null;
 
     if (userName != null) {
-      KerberosNameShim fullKerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(userName);
-      ret = fullKerberosName.getShortName();
+      if (hiveAuthFactory != null && hiveAuthFactory.isSASLKerberosUser()) {
+        // KerberosName.getShorName can only be used for kerberos user, but not for the user
+        // logged in via other authentications such as LDAP
+        KerberosNameShim fullKerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(userName);
+        ret = fullKerberosName.getShortName();
+      } else {
+        int indexOfDomainMatch = ServiceUtils.indexOfDomainMatch(userName);
+        ret = (indexOfDomainMatch <= 0) ? userName : userName.substring(0, indexOfDomainMatch);
+      }
     }
 
     return ret;
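Review bot: The new else branch (L247-250) changes how names are shortened for every session that is not a SASL Kerberos/TOKEN session: `KerberosNameShim.getShortName()` applies the `hadoop.security.auth_to_local` rules, whereas `ServiceUtils.indexOfDomainMatch` presumably just cuts at the first domain separator, so the resulting user name can differ for any principal those rules rewrite. Whether Kerberos sessions over the HTTP transport land in this branch depends on whether `HiveAuthFactory` creates `saslServer` for that transport, which this diff does not show; if it does not, `getUserAuthMechanism()` returns null, `isSASLKerberosUser()` is false, and HTTP Kerberos users lose their auth_to_local mapping, which is the name authorization and impersonation checks see. A test for the HTTP path and an intent comment on the else branch would make this explicit, e.g. `// Non-Kerberos (e.g. LDAP) users: strip only the domain suffix; auth_to_local rules do not apply`. The comment on L243 has a typo (`getShorName`).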

http://git-wip-us.apache.org/repos/asf/hive/blob/7cdf624c/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
----------------------------------------------------------------------
diff --git a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
index 8a4786c..86eb46d 100644
--- a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
+++ b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
@@ -433,6 +433,18 @@ public abstract class HadoopThriftAuthBridge {
       return remoteUser.get();
     }
 
+    private final static ThreadLocal<String> userAuthMechanism =
+        new ThreadLocal<String>() {
+
+      @Override
+      protected String initialValue() {
+        return AuthMethod.KERBEROS.getMechanismName();
+      }
+    };
+
+    public String getUserAuthMechanism() {
+      return userAuthMechanism.get();
+    }
     /** CallbackHandler for SASL DIGEST-MD5 mechanism */
     // This code is pretty much completely based on Hadoop's
     // SaslRpcServer.SaslDigestCallbackHandler - the only reason we could not
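Review bot: The `userAuthMechanism` thread-local (L266-273) defaults to `AuthMethod.KERBEROS.getMechanismName()`, which is a fail-open default: any read on a thread whose request did not pass through the SASL processor reports Kerberos, and `HiveAuthFactory.isSASLKerberosUser()` then permits token operations. Returning `null` from `initialValue()` (or dropping the override) and treating null as "not Kerberos" is the fail-closed choice. The value is set per request but never `remove()`d, so on pooled threads the previous connection's mechanism remains readable until the next `process()` call; whether any reader runs before that is outside this hunk. A blank line between `getUserAuthMechanism()` and the `/** CallbackHandler ... */` comment would also keep that comment attached to the handler it documents.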
@@ -536,11 +548,21 @@ public abstract class HadoopThriftAuthBridge {
         TSaslServerTransport saslTrans = (TSaslServerTransport)trans;
         SaslServer saslServer = saslTrans.getSaslServer();
         String authId = saslServer.getAuthorizationID();
-        authenticationMethod.set(AuthenticationMethod.KERBEROS);
         LOG.debug("AUTH ID ======>" + authId);
         String endUser = authId;
 
-        if(saslServer.getMechanismName().equals("DIGEST-MD5")) {
+        Socket socket = ((TSocket)(saslTrans.getUnderlyingTransport())).getSocket();
+        remoteAddress.set(socket.getInetAddress());
+
+        String mechanismName = saslServer.getMechanismName();
+        userAuthMechanism.set(mechanismName);
+        if (AuthMethod.PLAIN.getMechanismName().equalsIgnoreCase(mechanismName)) {
+          remoteUser.set(endUser);
+          return wrapped.process(inProt, outProt);
+        }
+
+        authenticationMethod.set(AuthenticationMethod.KERBEROS);
+        if(AuthMethod.TOKEN.getMechanismName().equalsIgnoreCase(mechanismName)) {
           try {
             TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authId,
                 secretManager);
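Review bot: The early `return wrapped.process(inProt, outProt)` for the PLAIN mechanism (L295-298) leaves `authenticationMethod` unset on that path, because the formerly unconditional `authenticationMethod.set(AuthenticationMethod.KERBEROS)` was moved below the return; on a pooled thread the value left by the previous connection's Kerberos or token handling is then what a PLAIN session reports, unless it is reset somewhere this hunk does not show. Setting it explicitly before the return, e.g. `authenticationMethod.set(AuthenticationMethod.SIMPLE);` or whichever value the rest of the bridge expects for password logins, keeps the thread-local independent of what ran before. The early return also bypasses the remainder of `process()`, whose body continues outside the hunk; if that tail performs thread-local cleanup in a finally block, the PLAIN path needs the same cleanup.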
@@ -550,8 +572,7 @@ public abstract class HadoopThriftAuthBridge {
             throw new TException(e.getMessage());
           }
         }
-        Socket socket = ((TSocket)(saslTrans.getUnderlyingTransport())).getSocket();
-        remoteAddress.set(socket.getInetAddress());
+
         UserGroupInformation clientUgi = null;
         try {
           if (useProxy) {

