org.apache.hive.service.auth.HiveAuthFactory

于 2023-07-04 12:26:43 发布
阅读量281 收藏
点赞数 1
文章标签: apache hive hadoop
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u012581453/article/details/131527152
版权

org.apache.hive.service.auth.HiveAuthFactory

/**
 * This class helps in some aspects of . It creates the proper Thrift classes for the
 * given configuration as well as helps with authenticating requests.authentication
 */
public class HiveAuthFactory {

HiveAuthFactory(HiveConf conf)

/**
* 构造方法
**/
public HiveAuthFactory(HiveConf conf) throws TTransportException {
    this.conf = conf; // HiveConf 
    transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
    authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);
    // ShimLoader.getHadoopShims().isSecurityEnabled() will only check that
    // hadoopAuth is not simple, it does not guarantee it is kerberos
    hadoopAuth = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");
    // In http mode we use NOSASL as the default auth type
    if (authTypeStr == null) {
      if ("http".equalsIgnoreCase(transportMode)) {
        authTypeStr = HiveAuthConstants.AuthTypes.NOSASL.getAuthName();
      } else {
        authTypeStr = HiveAuthConstants.AuthTypes.NONE.getAuthName();
      }
    }
    if (isSASLWithKerberizedHadoop()) {
      saslServer =
          HadoopThriftAuthBridge.getBridge().createServer(
              conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
              conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL),
              conf.getVar(ConfVars.HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL));

      // Start delegation token manager
      delegationTokenManager = new MetastoreDelegationTokenManager();
      try {
        Object baseHandler = null;
        //This method should be used to return the metastore specific tokenstore class name to main  backwards compatibility
        String tokenStoreClass = MetaStoreServerUtils.getTokenStoreClassName(conf);

        if (tokenStoreClass.equals(DBTokenStore.class.getName())) {
          // IMetaStoreClient is needed to access token store if DBTokenStore is to be used. It
          // will be got via Hive.get(conf).getMSC in a thread where the DelegationTokenStore
          // is called. To avoid the cyclic reference, we pass the Hive class to DBTokenStore where
          // it is used to get a threadLocal Hive object with a synchronized MetaStoreClient using
          // Java reflection.
          // Note: there will be two HS2 life-long opened MSCs, one is stored in HS2 thread local
          // Hive object, the other is in a daemon thread spawned in DelegationTokenSecretManager
          // to remove expired tokens.
          baseHandler = Hive.class;
        }

        delegationTokenManager.startDelegationTokenSecretManager(conf, baseHandler,
            HadoopThriftAuthBridge.Server.ServerMode.HIVESERVER2);
        saslServer.setSecretManager(delegationTokenManager.getSecretManager());
      }
      catch (IOException e) {
        throw new TTransportException("Failed to start token manager", e);
      }
    }
  }

getSaslProperties()

  public Map<String, String> getSaslProperties() {
  // 键值对儿
    Map<String, String> saslProps = new HashMap<String, String>();
    SaslQOP saslQOP = SaslQOP.fromString(conf.getVar(ConfVars.HIVE_SERVER2_THRIFT_SASL_QOP));
    saslProps.put(Sasl.QOP, saslQOP.toString());
    saslProps.put(Sasl.SERVER_AUTH, "true");
    return saslProps;
  }

getAuthTransFactory()

public TTransportFactory getAuthTransFactory() throws LoginException {
    TTransportFactory transportFactory;
    TSaslServerTransport.Factory serverTransportFactory;

    if (isSASLWithKerberizedHadoop()) {
      try {
        serverTransportFactory = saslServer.createSaslServerTransportFactory(
            getSaslProperties());
      } catch (TTransportException e) {
        throw new LoginException(e.getMessage());
      }
      if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.KERBEROS.getAuthName())) {
        // no-op
      } else if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NONE.getAuthName()) ||
          authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.LDAP.getAuthName()) ||
          authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.PAM.getAuthName()) ||
          authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.CUSTOM.getAuthName())) {
        try {
          serverTransportFactory.addServerDefinition("PLAIN",
              authTypeStr, null, new HashMap<String, String>(),
              new PlainSaslHelper.PlainServerCallbackHandler(authTypeStr));
        } catch (AuthenticationException e) {
          throw new LoginException ("Error setting callback handler" + e);
        }
      } else {
        throw new LoginException("Unsupported authentication type " + authTypeStr);
      }
      transportFactory = saslServer.wrapTransportFactory(serverTransportFactory);
    } else if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NONE.getAuthName()) ||
          authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.LDAP.getAuthName()) ||
          authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.PAM.getAuthName()) ||
          authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.CUSTOM.getAuthName())) {
      transportFactory = PlainSaslHelper.getPlainTransportFactory(authTypeStr);
    } else if (authTypeStr
        .equalsIgnoreCase(HiveAuthConstants.AuthTypes.NOSASL.getAuthName())) {
      transportFactory = new TTransportFactory();
    } else {
      throw new LoginException("Unsupported authentication type " + authTypeStr);
    }

    String trustedDomain = HiveConf.getVar(conf, ConfVars.HIVE_SERVER2_TRUSTED_DOMAIN).trim();
    if (!trustedDomain.isEmpty()) {
      transportFactory = PlainSaslHelper.getDualPlainTransportFactory(transportFactory, trustedDomain);
    }
    return transportFactory;
  }

getAuthProcFactory(TCLIService.Iface service)

 /**
   * Returns the thrift processor factory for HiveServer2 running in binary mode
   * @param service
   * @return
   * @throws LoginException
   */
  public TProcessorFactory getAuthProcFactory(TCLIService.Iface service) throws LoginException {
    if (isSASLWithKerberizedHadoop()) {
      return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
    } else {
      return PlainSaslHelper.getPlainProcessorFactory(service);
    }
  }

getIpAddress()

  public String getIpAddress() {
    if (saslServer == null || saslServer.getRemoteAddress() == null) {
      return null;
    } else {
      return saslServer.getRemoteAddress().getHostAddress();
    }
  }

getUserAuthMechanism()

  public String getUserAuthMechanism() {
  // private HadoopThriftAuthBridge.Server saslServer;
    return saslServer == null ? null : saslServer.getUserAuthMechanism();
  }

isSASLWithKerberizedHadoop()

  public boolean isSASLWithKerberizedHadoop() {
  // private String hadoopAuth;  
  //  hadoopAuth = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");
    return "kerberos".equalsIgnoreCase(hadoopAuth)
        && !authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NOSASL.getAuthName());
  }

isSASLKerberosUser()

  public boolean isSASLKerberosUser() {
    return AuthMethod.KERBEROS.getMechanismName().equals(getUserAuthMechanism())
            || AuthMethod.TOKEN.getMechanismName().equals(getUserAuthMechanism());
  }

loginFromKeytab(HiveConf hiveConf)

  // Perform kerberos login using the hadoop shim API if the configuration is available
  public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
    String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
    String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB);
    if (principal.isEmpty() || keyTabFile.isEmpty()) {
      throw new IOException("HiveServer2 Kerberos principal or keytab is not correctly configured");
    } else {
      UserGroupInformation.loginUserFromKeytab(SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keyTabFile);
    }
  }

loginFromSpnegoKeytabAndReturnUGI(HiveConf hiveConf)

  // Perform SPNEGO login using the hadoop shim API if the configuration is available
  public static UserGroupInformation loginFromSpnegoKeytabAndReturnUGI(HiveConf hiveConf)
    throws IOException {
    String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
    String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
    if (principal.isEmpty() || keyTabFile.isEmpty()) {
      throw new IOException("HiveServer2 SPNEGO principal or keytab is not correctly configured");
    } else {
      return UserGroupInformation.loginUserFromKeytabAndReturnUGI(SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keyTabFile);
    }
  }

getDelegationToken(String owner, String renewer, String remoteAddr)

// retrieve delegation token for the given user
  public String getDelegationToken(String owner, String renewer, String remoteAddr)
      throws HiveSQLException {
    if (delegationTokenManager == null) {
      throw new HiveSQLException(
          "Delegation token only supported over kerberos authentication", "08S01");
    }

    try {
      String tokenStr = delegationTokenManager.getDelegationTokenWithService(owner, renewer,
          HiveAuthConstants.HS2_CLIENT_TOKEN, remoteAddr);
      if (tokenStr == null || tokenStr.isEmpty()) {
        throw new HiveSQLException(
            "Received empty retrieving delegation token for user " + owner, "08S01");
      }
      return tokenStr;
    } catch (IOException e) {
      throw new HiveSQLException(
          "Error retrieving delegation token for user " + owner, "08S01", e);
    } catch (InterruptedException e) {
      throw new HiveSQLException("delegation token retrieval interrupted", "08S01", e);
    }
  }

cancelDelegationToken(String delegationToken)

  // cancel given delegation token
  public void cancelDelegationToken(String delegationToken) throws HiveSQLException {
    if (delegationTokenManager == null) {
      throw new HiveSQLException(
          "Delegation token only supported over kerberos authentication", "08S01");
    }
    try {
      delegationTokenManager.cancelDelegationToken(delegationToken);
    } catch (IOException e) {
      throw new HiveSQLException(
          "Error canceling delegation token " + delegationToken, "08S01", e);
    }
  }

renewDelegationToken(String delegationToken)

  public void renewDelegationToken(String delegationToken) throws HiveSQLException {
    if (delegationTokenManager == null) {
      throw new HiveSQLException(
          "Delegation token only supported over kerberos authentication", "08S01");
    }
    try {
      delegationTokenManager.renewDelegationToken(delegationToken);
    } catch (IOException e) {
      throw new HiveSQLException(
          "Error renewing delegation token " + delegationToken, "08S01", e);
    }
  }

verifyDelegationToken(String delegationToken)

  public String verifyDelegationToken(String delegationToken) throws HiveSQLException {
    if (delegationTokenManager == null) {
      throw new HiveSQLException(
          "Delegation token only supported over kerberos authentication", "08S01");
    }
    try {
      return delegationTokenManager.verifyDelegationToken(delegationToken);
    } catch (IOException e) {
      String msg =  "Error verifying delegation token " + delegationToken;
      LOG.error(msg, e);
      throw new HiveSQLException(msg, "08S01", e);
    }
  }

getUserFromToken(String delegationToken)

public String getUserFromToken(String delegationToken) throws HiveSQLException {
    if (delegationTokenManager == null) {
      throw new HiveSQLException(
          "Delegation token only supported over kerberos authentication", "08S01");
    }
    try {
      return delegationTokenManager.getUserFromToken(delegationToken);
    } catch (IOException e) {
      throw new HiveSQLException(
          "Error extracting user from delegation token " + delegationToken, "08S01", e);
    }
  }

verifyProxyAccess(String realUser, String proxyUser, String ipAddress,HiveConf hiveConf)

 public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress,
    HiveConf hiveConf) throws HiveSQLException {
    try {
      UserGroupInformation sessionUgi;
      if (UserGroupInformation.isSecurityEnabled()) {
        KerberosNameShim kerbName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser);
        sessionUgi = UserGroupInformation.createProxyUser(
            kerbName.getServiceName(), UserGroupInformation.getLoginUser());
      } else {
        sessionUgi = UserGroupInformation.createRemoteUser(realUser);
      }
      if (!proxyUser.equalsIgnoreCase(realUser)) {
        ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf);
        ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, sessionUgi),
            ipAddress, hiveConf);
      }
    } catch (IOException e) {
      throw new HiveSQLException(
        "Failed to validate proxy privilege of " + realUser + " for " + proxyUser, "08S01", e);
    }
  }
继春
关注
使用razorsql软件连接hive时的错误Could not initialize class org.apache.hive.jdbc.HiveDriver
cd0_0的博客
11-24 231
报错内容: ERROR: An error occurred while trying to make a connection to the database: JDBC URL: jdbc:hive2://192.168.111.11/default java.lang.NoClassDefFoundError: Could not initialize class org.apache.hive.jdbc.HiveDriver。错误原因:未使用管理员权限运行razorsql导致jar包无法读取。
org.apache.hive.service.auth.AuthType
u012581453的专栏
07-04 288
【代码】org.apache.hive.service.auth.AuthType。
CDH环境配置HiveHook报错:Could not initialize class org.apache.atlas.hive.hook.HiveHook 解决
wzh8108的专栏
02-19 5586
Hive启动时,已经加载所有的jar文件,但是还是报错Could not initialize class org.apache.atlas.hive.hook.HiveHook, 原因时初始化的时候缺少atlas-application.properties文件,官方教程时copy文件到hive的conf,但是CDH环境每次启动Hive时,会复制一份conf到process目录下,导致配置确...
hive 提示无法初始化hivehhook问题
qq_42392337的博客
09-18 883
问题描述: apache Atlas对hive表添加primaryKey导致无法初始化hivehook,报错提示为: Hive Internal Error: java.lang.NoClassDefFoundError(Could not initialize class org.apache.atlas.hive.hook.hivehook) 解决方法: 将atlas/conf目录下atlas-application.properties配置文件拷贝到hive/conf目录下 ...
解决java.lang.NoClassDefFoundError: Could not initialize class方案
热门推荐
life is wonderful
06-13 12万+
解决java.lang.NoClassDefFoundError: Could not initialize class方案问题描述:昨天上午来了,同事反应有个页面数据显示为空,最终在上午10点的这个节点查找两个相关微服务的日志,最终定位在assetserver微服务上,下面贴出的是服务器上的错误日志:2018-06-12 10:03:34 [http-nio-8107-exec-3] ERROR...
mysql用户身份验证查询_用户身份验证
weixin_27155667的博客
02-19 601
简介hive 默认情况下访问hiveserver2 是不需要身份验证的。hive用户登录身份验证方式默认是NONE具有 KERBEROS LDAP PAM NOSASL CUSTOM 五中验证hive-0.14 对应代码处: org.apache.hive.service.auth.HiveAuthFactoryPaste_Image.png本文主要针对CUSTOM 方式(方便,有效)继承...
hive】 java 通过jdbc连接hive库,pom配置
sunnyXie的博客
04-25 3678
<dependency> <groupId>org.apache.hive</groupId> <artifactId>hive-jdbc</artifactId> <version>1.2.1</version> ...
Hiveserver2 Beeline连接设置用户名和密码.docx
08-14
例如,我们可以创建一个名为 `MyAuthenticationProvider` 的类,实现 `org.apache.hive.service.auth.HiveAuthFactory.Authenticator` 接口。这个接口定义了 `authenticate` 方法,用于验证用户提交的用户名和密码。...
Hive实战:HiveServer2、HiveMetastore、Beeline与hive-site.xml配置文件的关系
fancychuan的博客
08-03 1712
Metastore是元数据服务 HiveServer2是用于提供JDBC访问的服务端 Beeline是使用JDBC的方式访问HiveServer2的客户端 hive-site.xml是hive的配置文件,需要注意的是,不管是服务端还是客户端,均是从hive-site.xml读取配置项。因此,在配置hive-site.xml时,要注意配置项是用于服务端的还是客户端的。 1.Metastore与Hive-site.xml 主要关注的配置项:hive.metastore.uris <.
mysql最新版本的jdbc连接hive_通过jdbc连接hive
weixin_42119358的博客
02-06 714
1 mammut@classb-ds-bigdata16:~/apache-hive-1.2.1-bin$ bin/hive2 Logging initialized using configuration in /home/mammut/apache-hive-0.13.1-bin/conf/hive-log4j.properties.self3 Hive history file=/tmp/m...
[一起学Hive]之二十-自定义HiveServer2的用户安全认证
tony的专栏
05-06 5089
HiveServer2提供了JDBC链接操作Hive的功能,非常实用,但如果在使用HiveServer2时候,不注意安全控制,将非常危险,因为任何人都可以作为超级用户来操作Hive及HDFS数据。 比如:在配置HiveServer2的时候,hive.server2.authentication=NONE,表示没有用户认证。 使用beeline,模拟成超级用户hadoop,成功连接到
Hive设置连接用户名和密码
奔跑的蜗牛的博客
05-22 5万+
Hive-site.xml,缺省为NONE。此处改为CUSTOM hive.server2.authentication CUSTOM Expects one of [nosasl, none, ldap, kerberos, pam, custom]. Client authentication types. NONE: no
[Hive]那些年我们踩过的Hive
SmartSi
06-12 3万+
(1)问题一  首先,采用这个命令: hive -hiveconf hive.root.logger=DEBUG,console 可以查看详细信息然后分析可知,缺少mysql的jar包,下载mysql-connector-java-5.1.32.tar.gz,并进行一下操作。 下一步操作,添加jar包: (2)问题二
Hive最全常见错误及解决方案
xia1140418216的博客
10-13 8310
1)SecureCRT 7.3出现乱码或者删除不掉数据,免安装版的SecureCRT 卸载或者用虚拟机直接操作或者换安装版的SecureCRT 2)连接不上mysql数据库 (1)导错驱动包,应该把mysql-connector-java-5.1.27-bin.jar导入/opt/module/hive/lib的不是这个包。错把mysql-connector-java-5.1.27.tar.gz导入hive/lib包下。 (2)修改user表中的主机名称没有都修改为%,而是修改为localhost 3)hi
CDH5.3.2中配置运行Spark SQL的Thrift Server
邹中凡
06-02 1万+
一,环境信息 CDH集群,Cloudera Manager5安装部署CDH5.X详细请见:http://blog.csdn.net/freedomboy319/article/details/44804721二,在CDH5.3.2中配置运行Spark SQL的Thrift Server 1,root用户登录CDH5.3.2集群中的某一个节点2,cd /opt/cloudera/parcels/C
hive --service hiveserver2 报错thrift.ThriftCLIService (ThriftBinaryCLIService.java:run(113)) - Error:
qq_29667805的博客
08-28 2872
今天启动hive,想用squirrel-sql客户端连接hive,报错一直如下 2018-08-28 09:31:55,881 INFO  [main]: service.AbstractService (AbstractService.java:start(104)) - Service:HiveServer2 is started. 2018-08-28 09:31:56,070 ERROR...
解决Hive启动服务器出现:Could not create ServerSocket on address 0.0.0.0/0.0.0.0:9083.
guihua55的博客
06-30 4634
博主在服务器端启动hive服务器时,发下报错如下: Exception in thread "main" org.apache.thrift.transport.TTransportException: Could not create ServerSocket on address 0.0.0.0/0.0.0.0:9083. at org.apache.thrift.transport.TServerSocket.<init>(TServerSocket.java:109) ...
Hive1.2.1 启动报错 ClassNotFoundException: org.apache.hadoop.hive.service.HiveServer
好读书,每有会意,便欣然忘食。
10-15 5492
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] Exception in thread "main" java.lang.ClassNotFoundException: org.apache.hadoop.hive.service.HiveServer         at java.net.URLCla
sqoop import org.apache.hadoop.hive.metast
最新发布
12-31
Sqoop 是一个开源的数据导入和导出工具,可以将关系数据库中的数据导入到Hadoop生态系统中的各种数据存储系统中。 import 是 Sqoop 的一个命令,用于将数据从关系数据库中导入到 Hadoop 的分布式文件系统中。在这个命令的后面可以指定导入的数据表、数据存储位置等参数。 org.apache.hadoop.hive.metastore 是 Hive 的元数据存储组件,用于管理和存储 Hive 的元数据信息。当我们使用 Sqoop 导入数据时,如果想要将数据导入到 Hive 中进行进一步的数据处理和分析,可以使用 org.apache.hadoop.hive.metastore 来指定导入数据时的元数据存储。 通过指定 org.apache.hadoop.hive.metastore 参数,Sqoop 导入数据时会自动将导入的数据表的元数据信息存储到 Hive 的元数据存储组件中,这样,在使用 Hive 进行数据处理和查询时,就可以方便地使用这些导入的数据。同时,Hive 还可以使用 Sqoop 导入的元数据信息来对导入的数据表进行分区、索引等操作,实现更高效的数据访问。 总之,org.apache.hadoop.hive.metastore 是 Sqoop 导入数据时的一个参数,用于指定导入的数据的元数据存储位置。通过将数据导入到 Hive 中,可以方便地使用 Hive 进行数据处理和查询,并且可以利用 Hive 的分区、索引等功能来优化数据访问性能。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

继春

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值