/**
* This class helps in some aspects of authentication. It creates the proper Thrift classes for the
* given configuration as well as helps with authenticating requests.
*/publicclassHiveAuthFactory{
/**
 * Builds the authentication factory for a HiveServer2 instance from its configuration.
 *
 * <p>Reads the transport mode, the configured authentication type and the Hadoop
 * authentication mode, fills in the default authentication type when none is configured
 * (NOSASL for the http transport, NONE otherwise) and, when SASL is combined with a
 * kerberized Hadoop, creates the Kerberos SASL server and starts the delegation token
 * manager that backs it.
 *
 * @param conf the HiveServer2 configuration
 * @throws TTransportException if the delegation token manager cannot be started
 */
public HiveAuthFactory(HiveConf conf) throws TTransportException {
  this.conf = conf; // HiveConf
  transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
  authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);
  // Read the Hadoop auth mode directly: ShimLoader.getHadoopShims().isSecurityEnabled()
  // only tells us that it is not "simple", it does not guarantee kerberos.
  hadoopAuth = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");
  if (authTypeStr == null) {
    authTypeStr = resolveDefaultAuthType(transportMode);
  }
  if (!isSASLWithKerberizedHadoop()) {
    return;
  }
  saslServer = HadoopThriftAuthBridge.getBridge().createServer(
      conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
      conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL),
      conf.getVar(ConfVars.HIVE_SERVER2_CLIENT_KERBEROS_PRINCIPAL));
  initDelegationTokenManager();
}

/**
 * Default authentication type used when HIVE_SERVER2_AUTHENTICATION is unset:
 * NOSASL for the http transport, NONE for every other transport mode.
 *
 * @param mode the configured transport mode (compared case-insensitively against "http")
 * @return the auth type name to store in {@code authTypeStr}
 */
private static String resolveDefaultAuthType(String mode) {
  if ("http".equalsIgnoreCase(mode)) {
    return HiveAuthConstants.AuthTypes.NOSASL.getAuthName();
  }
  return HiveAuthConstants.AuthTypes.NONE.getAuthName();
}

/**
 * Creates the delegation token manager, starts its secret manager and attaches it to
 * {@code saslServer}. Must run after {@code saslServer} has been created; the manager
 * field is assigned before the start attempt, so it is non-null even when the start fails.
 *
 * @throws TTransportException wrapping the IOException raised while starting the manager
 */
private void initDelegationTokenManager() throws TTransportException {
  delegationTokenManager = new MetastoreDelegationTokenManager();
  try {
    // Returns the metastore specific token store class name; kept for backwards compatibility.
    String tokenStoreClass = MetaStoreServerUtils.getTokenStoreClassName(conf);
    Object baseHandler = null;
    if (tokenStoreClass.equals(DBTokenStore.class.getName())) {
      // IMetaStoreClient is needed to access token store if DBTokenStore is to be used. It
      // will be got via Hive.get(conf).getMSC in a thread where the DelegationTokenStore
      // is called. To avoid the cyclic reference, we pass the Hive class to DBTokenStore where
      // it is used to get a threadLocal Hive object with a synchronized MetaStoreClient using
      // Java reflection.
      // Note: there will be two HS2 life-long opened MSCs, one is stored in HS2 thread local
      // Hive object, the other is in a daemon thread spawned in DelegationTokenSecretManager
      // to remove expired tokens.
      baseHandler = Hive.class;
    }
    delegationTokenManager.startDelegationTokenSecretManager(
        conf, baseHandler, HadoopThriftAuthBridge.Server.ServerMode.HIVESERVER2);
    saslServer.setSecretManager(delegationTokenManager.getSecretManager());
  } catch (IOException e) {
    throw new TTransportException("Failed to start token manager", e);
  }
}
// Perform kerberos login using the hadoop shim API if the configuration is availablepublicstaticvoidloginFromKeytab(HiveConf hiveConf)throwsIOException{String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB);if(principal.isEmpty()|| keyTabFile.isEmpty()){thrownewIOException("HiveServer2 Kerberos principal or keytab is not correctly configured");}else{UserGroupInformation.loginUserFromKeytab(SecurityUtil.getServerPrincipal(principal,"0.0.0.0"), keyTabFile);}}
// Perform SPNEGO login using the hadoop shim API if the configuration is availablepublicstaticUserGroupInformationloginFromSpnegoKeytabAndReturnUGI(HiveConf hiveConf)throwsIOException{String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);if(principal.isEmpty()|| keyTabFile.isEmpty()){thrownewIOException("HiveServer2 SPNEGO principal or keytab is not correctly configured");}else{returnUserGroupInformation.loginUserFromKeytabAndReturnUGI(SecurityUtil.getServerPrincipal(principal,"0.0.0.0"), keyTabFile);}}
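/**
 * Resolves the user a delegation token was issued for.
 *
 * <p>Only available when the delegation token manager was started, which happens under
 * Kerberos authentication. The token string is a bearer credential, so it is deliberately
 * kept out of the exception message: the previous message echoed the full token back,
 * which let it reach server logs and client-visible error text. The decode/validation
 * details are still available through the wrapped cause.
 *
 * @param delegationToken encoded delegation token supplied by the client
 * @return the user name the token was issued for
 * @throws HiveSQLException with SQLSTATE 08S01 if delegation tokens are not supported by
 *     the current authentication mode, or if the token cannot be decoded
 */
public String getUserFromToken(String delegationToken) throws HiveSQLException {
  if (delegationTokenManager == null) {
    throw new HiveSQLException("Delegation token only supported over kerberos authentication", "08S01");
  }
  try {
    return delegationTokenManager.getUserFromToken(delegationToken);
  } catch (IOException e) {
    // Do not include the token itself: it is a credential, and the cause carries the detail.
    throw new HiveSQLException("Error extracting user from delegation token", "08S01", e);
  }
}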