hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ser...@apache.org
Subject [01/23] hive git commit: HIVE-17659 : get_token thrift call fails for DBTokenStore in remote HMS mode (Vihang Karajgaonkar, reviewed by Aihua Xu)
Date Fri, 13 Oct 2017 00:06:52 GMT
Repository: hive
Updated Branches:
  refs/heads/hive-14535 d7b6272ad -> ba9cd7947


HIVE-17659 : get_token thrift call fails for DBTokenStore in remote HMS mode (Vihang Karajgaonkar,
reviewed by Aihua Xu)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/7463d672
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/7463d672
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/7463d672

Branch: refs/heads/hive-14535
Commit: 7463d672a4bdb34f5a2cad0b788325d761cf1f42
Parents: 857347f
Author: Vihang Karajgaonkar <vihang@cloudera.com>
Authored: Fri Sep 29 17:38:38 2017 -0700
Committer: Vihang Karajgaonkar <vihang@cloudera.com>
Committed: Tue Oct 10 16:20:35 2017 -0700

----------------------------------------------------------------------
 .../hive/minikdc/TestJdbcWithDBTokenStore.java  |  5 ++
 .../minikdc/TestJdbcWithDBTokenStoreNoDoAs.java | 50 ++++++++++++++++++++
 .../hive/minikdc/TestJdbcWithMiniKdc.java       | 27 ++++++++++-
 .../hadoop/hive/metastore/HiveMetaStore.java    |  3 +-
 .../apache/hadoop/hive/thrift/DBTokenStore.java |  3 +-
 5 files changed, 85 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/7463d672/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
index d690aaa..8de94a9 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStore.java
@@ -23,6 +23,11 @@ import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hive.jdbc.miniHS2.MiniHS2;
 import org.junit.BeforeClass;
 
+/**
+ * Runs the tests defined in TestJdbcWithMiniKdc when DBTokenStore
+ * is configured in a remote secure HMS mode and impersonation
+ * is turned on
+ */
 public class TestJdbcWithDBTokenStore extends TestJdbcWithMiniKdc{
 
   @BeforeClass

http://git-wip-us.apache.org/repos/asf/hive/blob/7463d672/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java
b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java
new file mode 100644
index 0000000..8e577cc
--- /dev/null
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithDBTokenStoreNoDoAs.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.minikdc;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.BeforeClass;
+
+/**
+ * Runs the tests defined in TestJdbcWithMiniKdc when DBTokenStore
+ * is configured and HMS is setup in a remote secure mode and
+ * impersonation is turned OFF
+ */
+public class TestJdbcWithDBTokenStoreNoDoAs extends TestJdbcWithMiniKdc{
+
+  @BeforeClass
+  public static void beforeTest() throws Exception {
+    Class.forName(MiniHS2.getJdbcDriverName());
+    confOverlay.put(ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
+        SessionHookTest.class.getName());
+
+    HiveConf hiveConf = new HiveConf();
+    hiveConf.setVar(ConfVars.METASTORE_CLUSTER_DELEGATION_TOKEN_STORE_CLS, "org.apache.hadoop.hive.thrift.DBTokenStore");
+    hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false);
+    miniHiveKdc = MiniHiveKdc.getMiniHiveKdc(hiveConf);
+    miniHS2 = MiniHiveKdc.getMiniHS2WithKerbWithRemoteHMS(miniHiveKdc, hiveConf);
+    miniHS2.start(confOverlay);
+    String metastorePrincipal = miniHS2.getConfProperty(ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname);
+    String hs2Principal = miniHS2.getConfProperty(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL.varname);
+    String hs2KeyTab = miniHS2.getConfProperty(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB.varname);
+    System.out.println("HS2 principal : " + hs2Principal + " HS2 keytab : " + hs2KeyTab +
" Metastore principal : " + metastorePrincipal);
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/hive/blob/7463d672/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
----------------------------------------------------------------------
diff --git a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
index 256262d..60dbce1 100644
--- a/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
+++ b/itests/hive-minikdc/src/test/java/org/apache/hive/minikdc/TestJdbcWithMiniKdc.java
@@ -173,6 +173,31 @@ public class TestJdbcWithMiniKdc {
     verifyProperty(SESSION_USER_NAME, MiniHiveKdc.HIVE_TEST_USER_1);
   }
 
+  @Test
+  public void testCancelRenewTokenFlow() throws Exception {
+    miniHiveKdc.loginUser(MiniHiveKdc.HIVE_TEST_SUPER_USER);
+    hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL());
+
+    // retrieve token and store in the cache
+    String token = ((HiveConnection) hs2Conn)
+        .getDelegationToken(MiniHiveKdc.HIVE_TEST_USER_1, MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+    assertTrue(token != null && !token.isEmpty());
+
+    Exception ex = null;
+    ((HiveConnection) hs2Conn).cancelDelegationToken(token);
+    try {
+      ((HiveConnection) hs2Conn).renewDelegationToken(token);
+    } catch (Exception SQLException) {
+      ex = SQLException;
+    }
+    assertTrue(ex != null && ex instanceof HiveSQLException);
+    // retrieve token and store in the cache
+    token = ((HiveConnection) hs2Conn)
+        .getDelegationToken(MiniHiveKdc.HIVE_TEST_USER_1, MiniHiveKdc.HIVE_SERVICE_PRINCIPAL);
+    assertTrue(token != null && !token.isEmpty());
+
+    hs2Conn.close();
+  }
   /***
    * Negative test for token based authentication
    * Verify that a user can't retrieve a token for user that
@@ -193,7 +218,7 @@ public class TestJdbcWithMiniKdc {
           MiniHiveKdc.HIVE_TEST_USER_2);
     } catch (SQLException e) {
       // Expected error
-      assertTrue(e.getMessage().contains("Error retrieving delegation token for user"));
+      assertEquals("Unexpected type of exception class thrown", HiveSQLException.class, e.getClass());
       assertTrue(e.getCause().getCause().getMessage().contains("is not allowed to impersonate"));
     } finally {
       hs2Conn.close();

http://git-wip-us.apache.org/repos/asf/hive/blob/7463d672/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
----------------------------------------------------------------------
diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index f8b79a0..6d789fb 100644
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -6366,7 +6366,8 @@ public class HiveMetaStore extends ThriftHiveMetastore {
       } finally {
         endFunction("get_token", ret != null, ex);
       }
-      return ret;
+      //Thrift cannot return null result
+      return ret == null ? "" : ret;
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/hive/blob/7463d672/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
----------------------------------------------------------------------
diff --git a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
index d6dc079..1b54946 100644
--- a/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
+++ b/shims/common/src/main/java/org/apache/hadoop/hive/thrift/DBTokenStore.java
@@ -24,6 +24,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.Server.ServerMode;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenInformation;
@@ -89,7 +90,7 @@ public class DBTokenStore implements DelegationTokenStore {
       String tokenStr = (String)invokeOnTokenStore("getToken", new Object[] {
           TokenStoreDelegationTokenSecretManager.encodeWritable(tokenIdentifier)}, String.class);
       DelegationTokenInformation result = null;
-      if (tokenStr != null) {
+      if (StringUtils.isNotEmpty(tokenStr)) {
         result = HiveDelegationTokenSupport.decodeDelegationTokenInformation(Base64.decodeBase64(tokenStr));
       }
       if (LOG.isTraceEnabled()) {


Mime
View raw message