Skip to content

Adding support for delegation token authentication #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jan 23, 2018
Merged

Adding support for delegation token authentication #9

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6f39a76
Don’t try to close undefined transport during global destruction
davecardwell Apr 13, 2017
6d2aafb
Merge pull request #1 from davecardwell/patch-1
dmorel May 10, 2017
65954ac
Adding support for delegation token authentication
Jan 22, 2018
1d7412b
Feedback changes | Removing default principal name
Jan 23, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
.idea/
34 changes: 32 additions & 2 deletions lib/Thrift/API/HiveClient2.pm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,15 @@ has sasl => (
default => 0,
);

#Kerberos principal
has principal => (
is => 'rw',
default => sub {
# Usually in the format 'hive/{hostname}@REALM.COM';
return ''
}
);

# 1 hour default recv socket timeout. Increase for longer-running queries
# called "timeout" for simplicity's sake, as this is how a user will experience
# it: a time after which the Thrift stack will throw an exception if not
Expand Down Expand Up @@ -162,7 +171,8 @@ sub BUILD {
if ( !$self->_transport ) {
my $transport = Thrift::BufferedTransport->new( $self->_socket );
if ( $self->_sasl ) {
$self->_set_transport( Thrift::SASL::Transport->new( $transport, $self->_sasl ) );
my $debug = 0;
$self->_set_transport( Thrift::SASL::Transport->new( $transport, $self->_sasl, $debug, $self->principal ) );
}
else {
$self->_set_transport($transport);
Expand Down Expand Up @@ -492,7 +502,10 @@ sub DEMOLISH {
)
);
}
$self->_transport->close;

if ( $self->_transport ) {
$self->_transport->close;
}
}

# when the user calls a method on an object of this class, see if that method
Expand Down Expand Up @@ -621,6 +634,9 @@ Starting with 0.014, support for secure clusters has been added thanks to
L<Thrift::SASL::Transport>. This behaviour is set by passing sasl => 1 to the
constructor. It has been tested with hive.server2.authentication = KERBEROS.
It of course requires a valid credentials cache (kinit) or keytab.
With this, kerberos principal also should be provided as part of constructor,
principal => hive/_HOST@REALM.COM
this value will be under hive.server2.authentication.kerberos.principal in hive-site.xml

Starting with 0.015, other authentication methods are supported, and driven by
the content of the sasl property. When built using sasl => 0 or sasl => 1, the
Expand All @@ -638,6 +654,20 @@ Authen::SASL, for instance:

Note that a server configured with NONE will happily accept the PLAIN method.

=head1 DELEGATIONTOKEN
Sasl object need to be created specifically if hiveClient2 is used with delegation token.
{
mechanism => 'DIGEST-MD5',
callback => {
canonuser => <bas65 encoded identifier extracted from delegation token>,
password => <bas65 encoded password extracted from delegation token>,
realm => 'default'
}
}
This is used when hiveclient is called from oozie, where keytabs cannot be used.
Oozie requests delegationtoken on behalf of hive if specified. This token is used for
further authentication purposes.

=head1 CAVEATS

The instance of hiveserver2 we have didn't return results encoded in UTF8, for
Expand Down