cli/session/HiveSessionImplwithUGI.java

0001 /**
0002  * Licensed to the Apache Software Foundation (ASF) under one
0003  * or more contributor license agreements.  See the NOTICE file
0004  * distributed with this work for additional information
0005  * regarding copyright ownership.  The ASF licenses this file
0006  * to you under the Apache License, Version 2.0 (the
0007  * "License"); you may not use this file except in compliance
0008  * with the License.  You may obtain a copy of the License at
0009  *
0010  *     http://www.apache.org/licenses/LICENSE-2.0
0011  *
0012  * Unless required by applicable law or agreed to in writing, software
0013  * distributed under the License is distributed on an "AS IS" BASIS,
0014  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
0015  * See the License for the specific language governing permissions and
0016  * limitations under the License.
0017  */
0018
0019 package org.apache.hive.service.cli.session;
0020
0021 import java.io.IOException;
0022
0023 import org.apache.commons.logging.Log;
0024 import org.apache.commons.logging.LogFactory;
0025 import org.apache.hadoop.fs.FileSystem;
0026 import org.apache.hadoop.hive.conf.HiveConf;
0027 import org.apache.hadoop.hive.ql.metadata.Hive;
0028 import org.apache.hadoop.hive.ql.metadata.HiveException;
0029 import org.apache.hadoop.hive.shims.Utils;
0030 import org.apache.hadoop.security.UserGroupInformation;
0031 import org.apache.hive.service.auth.HiveAuthFactory;
0032 import org.apache.hive.service.cli.HiveSQLException;
0033 import org.apache.hive.service.cli.thrift.TProtocolVersion;
0034
0035 /**
0036  *
0037  * HiveSessionImplwithUGI.
0038  * HiveSession with connecting user's UGI and delegation token if required
0039  */
0040 public class HiveSessionImplwithUGI extends HiveSessionImpl {
0041   public static final String HS2TOKEN = "HiveServer2ImpersonationToken";
0042
0043   private UserGroupInformation sessionUgi = null;
0044   private String delegationTokenStr = null;
0045   private Hive sessionHive = null;
0046   private HiveSession proxySession = null;
0047   static final Log LOG = LogFactory.getLog(HiveSessionImplwithUGI.class);
0048
0049   public HiveSessionImplwithUGI(TProtocolVersion protocol, String username, String password,
0050       HiveConf hiveConf, String ipAddress, String delegationToken) throws HiveSQLException {
0051     super(protocol, username, password, hiveConf, ipAddress);
0052     setSessionUGI(username);
0053     setDelegationToken(delegationToken);
0054
0055     // create a new metastore connection for this particular user session
0056     Hive.set(null);
0057     try {
0058       sessionHive = Hive.get(getHiveConf());
0059     } catch (HiveException e) {
0060       throw new HiveSQLException("Failed to setup metastore connection", e);
0061     }
0062   }
0063
0064   // setup appropriate UGI for the session
0065   public void setSessionUGI(String owner) throws HiveSQLException {
0066     if (owner == null) {
0067       throw new HiveSQLException("No username provided for impersonation");
0068     }
0069     if (UserGroupInformation.isSecurityEnabled()) {
0070       try {
0071         sessionUgi = UserGroupInformation.createProxyUser(
0072             owner, UserGroupInformation.getLoginUser());
0073       } catch (IOException e) {
0074         throw new HiveSQLException("Couldn't setup proxy user", e);
0075       }
0076     } else {
0077       sessionUgi = UserGroupInformation.createRemoteUser(owner);
0078     }
0079   }
0080
0081   public UserGroupInformation getSessionUgi() {
0082     return this.sessionUgi;
0083   }
0084
0085   public String getDelegationToken() {
0086     return this.delegationTokenStr;
0087   }
0088
0089   @Override
0090   protected synchronized void acquire(boolean userAccess) {
0091     super.acquire(userAccess);
0092     // if we have a metastore connection with impersonation, then set it first
0093     if (sessionHive != null) {
0094       Hive.set(sessionHive);
0095     }
0096   }
0097
0098   /**
0099    * Close the file systems for the session and remove it from the FileSystem cache.
0100    * Cancel the session's delegation token and close the metastore connection
0101    */
0102   @Override
0103   public void close() throws HiveSQLException {
0104     try {
0105       acquire(true);
0106       cancelDelegationToken();
0107     } finally {
0108       try {
0109         super.close();
0110       } finally {
0111         try {
0112           FileSystem.closeAllForUGI(sessionUgi);
0113         } catch (IOException ioe) {
0114           throw new HiveSQLException("Could not clean up file-system handles for UGI: "
0115               + sessionUgi, ioe);
0116         }
0117       }
0118     }
0119   }
0120
0121   /**
0122    * Enable delegation token for the session
0123    * save the token string and set the token.signature in hive conf. The metastore client uses
0124    * this token.signature to determine where to use kerberos or delegation token
0125    * @throws HiveException
0126    * @throws IOException
0127    */
0128   private void setDelegationToken(String delegationTokenStr) throws HiveSQLException {
0129     this.delegationTokenStr = delegationTokenStr;
0130     if (delegationTokenStr != null) {
0131       getHiveConf().set("hive.metastore.token.signature", HS2TOKEN);
0132       try {
0133         Utils.setTokenStr(sessionUgi, delegationTokenStr, HS2TOKEN);
0134       } catch (IOException e) {
0135         throw new HiveSQLException("Couldn't setup delegation token in the ugi", e);
0136       }
0137     }
0138   }
0139
0140   // If the session has a delegation token obtained from the metastore, then cancel it
0141   private void cancelDelegationToken() throws HiveSQLException {
0142     if (delegationTokenStr != null) {
0143       try {
0144         Hive.get(getHiveConf()).cancelDelegationToken(delegationTokenStr);
0145       } catch (HiveException e) {
0146         throw new HiveSQLException("Couldn't cancel delegation token", e);
0147       }
0148       // close the metastore connection created with this delegation token
0149       Hive.closeCurrent();
0150     }
0151   }
0152
0153   @Override
0154   protected HiveSession getSession() {
0155     assert proxySession != null;
0156
0157     return proxySession;
0158   }
0159
0160   public void setProxySession(HiveSession proxySession) {
0161     this.proxySession = proxySession;
0162   }
0163
0164   @Override
0165   public String getDelegationToken(HiveAuthFactory authFactory, String owner,
0166       String renewer) throws HiveSQLException {
0167     return authFactory.getDelegationToken(owner, renewer);
0168   }
0169
0170   @Override
0171   public void cancelDelegationToken(HiveAuthFactory authFactory, String tokenStr)
0172       throws HiveSQLException {
0173     authFactory.cancelDelegationToken(tokenStr);
0174   }
0175
0176   @Override
0177   public void renewDelegationToken(HiveAuthFactory authFactory, String tokenStr)
0178       throws HiveSQLException {
0179     authFactory.renewDelegationToken(tokenStr);
0180   }
0181
0182 }