From 8999d93ae5153c698ef0591b2a10f6362578262c Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Thu, 6 Apr 2017 16:47:07 +0530 Subject: [PATCH 01/13] ZEPPELIN-2367: Hive JDBC proxy user option should be avail even without kerberos --- .../apache/zeppelin/jdbc/JDBCInterpreter.java | 34 ++++++++++++------- .../jdbc/security/JDBCSecurityImpl.java | 5 ++- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index 47cdfcc8630..bb725720aa9 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -190,9 +190,6 @@ public void open() { } logger.debug("JDBC PropretiesMap: {}", basePropretiesMap); - if (!isEmpty(property.getProperty("zeppelin.jdbc.auth.type"))) { - JDBCSecurityImpl.createSecureConfiguration(property); - } for (String propertyKey : basePropretiesMap.keySet()) { propertyKeySqlCompleterMap.put(propertyKey, createSqlCompleter(null)); } @@ -370,6 +367,7 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret } else { UserGroupInformation.AuthenticationMethod authType = JDBCSecurityImpl.getAuthtype(property); + JDBCSecurityImpl.createSecureConfiguration(property, authType); switch (authType) { case KERBEROS: if (user == null) { 
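Review bot: `JDBCSecurityImpl.createSecureConfiguration(property, authType)` now runs on every `getConnection` call instead of once in `open()`, so whatever its `KERBEROS` branch does is repeated per connection. Only the start of that branch (`Configuration conf = new`) is visible in this patch; if it also performs a keytab login or resets process-wide security configuration, that work is repeated and may interleave between concurrent paragraphs. Consider guarding it so it runs once per interpreter instance, or, once confirmed harmless, add a comment such as `// idempotent: safe to call for every connection`. `getConnection` continues outside the hunk.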
@@ -377,15 +375,7 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret } else { if (url.trim().startsWith("jdbc:hive")) { StringBuilder connectionUrl = new StringBuilder(url); - Integer lastIndexOfUrl = connectionUrl.indexOf("?"); - if (lastIndexOfUrl == -1) { - lastIndexOfUrl = connectionUrl.length(); - } - boolean hasProxyUser = property.containsKey("hive.proxy.user"); - if (!hasProxyUser || !property.getProperty("hive.proxy.user").equals("false")){ - logger.debug("Using hive proxy user"); - connectionUrl.insert(lastIndexOfUrl, ";hive.server2.proxy.user=" + user + ";"); - } + checkAndAppendHiveProxyUser(connectionUrl, user); connection = getConnectionFromPool(connectionUrl.toString(), user, propertyKey, properties); } else { @@ -421,13 +411,31 @@ public Connection run() throws Exception { break; default: - connection = getConnectionFromPool(url, user, propertyKey, properties); + StringBuilder connectionUrl = new StringBuilder(url); + checkAndAppendHiveProxyUser(connectionUrl, user); + connection = getConnectionFromPool(connectionUrl.toString(), + user, propertyKey, properties); } } propertyKeySqlCompleterMap.put(propertyKey, createSqlCompleter(connection)); return connection; } + private void checkAndAppendHiveProxyUser(StringBuilder connectionUrl, String user) { + if (connectionUrl.toString().trim().startsWith("jdbc:hive")) { + Integer lastIndexOfUrl = connectionUrl.indexOf("?"); + if (lastIndexOfUrl == -1) { + lastIndexOfUrl = connectionUrl.length(); + } + + if (user != null && !user.equals("anonymous") && + !"false".equalsIgnoreCase(property.getProperty("hive.proxy.user"))) { + logger.debug("Using hive proxy user"); + connectionUrl.insert(lastIndexOfUrl, ";hive.server2.proxy.user=" + user + ";"); + } + } + } + private String getPassword(Properties properties) throws IOException { if (isNotEmpty(properties.getProperty(PASSWORD_KEY))) { return properties.getProperty(PASSWORD_KEY); 
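Review bot: `user` is concatenated into the JDBC URL unescaped in the new `checkAndAppendHiveProxyUser` (`";hive.server2.proxy.user=" + user + ";"`), so a login name containing `;`, `?`, `=` or `#` would change how the rest of the URL's parameter list is parsed. This value now selects the impersonated identity in the non-Kerberos `default` branch as well as in the `KERBEROS` branch of the previous hunk, so it should be validated before the insert. Fail the connection (for example by throwing `InterpreterException`) unless something like `user.matches("[A-Za-z0-9._@-]+")` holds; the exact character set is illustrative and depends on the identity source in use. `Integer lastIndexOfUrl` can be a plain `int`. The same concatenation is carried through the later patches in this series (05, 07, 08 and 13).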
diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/security/JDBCSecurityImpl.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/security/JDBCSecurityImpl.java index 32a7990ff2f..25959e1a810 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/security/JDBCSecurityImpl.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/security/JDBCSecurityImpl.java @@ -38,9 +38,8 @@ public class JDBCSecurityImpl { /*** * @param properties */ - public static void createSecureConfiguration(Properties properties) { - AuthenticationMethod authType = getAuthtype(properties); - + public static void createSecureConfiguration(Properties properties, + AuthenticationMethod authType) { switch (authType) { case KERBEROS: Configuration conf = new From ee8a6b524c481210486761032cb1f5fd6266bb54 Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Thu, 6 Apr 2017 17:12:40 +0530 Subject: [PATCH 02/13] add doc --- docs/interpreter/hive.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/interpreter/hive.md b/docs/interpreter/hive.md index ba6614b41e9..ae99b40bf84 100644 --- a/docs/interpreter/hive.md +++ b/docs/interpreter/hive.md @@ -124,6 +124,16 @@ Hive Interpreter will be deprecated and merged into JDBC Interpreter. You can us ( Optional ) Other properties used by the driver of %hive(${prefix}) + + zeppelin.jdbc.auth.type + + ( Optional ) If auth type is needed, Example: KERBEROS/SIMPLE + + + hive.proxy.user + true + ( Optional ) If want to use `hive.server2.proxy.user` + This interpreter provides multiple configuration with `${prefix}`. User can set a multiple connection properties by this prefix. It can be used like `%hive(${prefix})`. 
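Review bot: The Javadoc above `createSecureConfiguration` still lists only a bare `@param properties`, while the method now takes `authType` as a second argument. Add a one-line summary and `@param authType authentication method resolved by the caller; selects which security configuration is applied`. This is a `public static` method, so replacing the one-argument signature breaks any caller not updated in this patch; keeping the old form as an overload that calls `getAuthtype(properties)` and delegates would avoid that. The method body continues past the hunk.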
@@ -161,3 +171,9 @@ GROUP BY ${group_by=product_id,product_id|product_name|customer_id|store_id} ORDER BY count ${order=DESC,DESC|ASC} LIMIT ${limit=10}; ``` + +### Impersonation +When Zeppelin server is running with authentication enabled, then this interpreter utilizes Hive's user proxy feature i.e. sends extra parameter for creating and running a session ("hive.server2.proxy.user=": "${loggedInUser}"). This is particularly useful when multi users are sharing a Notebook server. + +To enable this set `zeppelin.jdbc.auth.type` as `SIMPLE` in the interpreter setting. + From 01b18b9d267c042442b90a0abe00fb191822b625 Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Sun, 9 Apr 2017 11:19:12 +0530 Subject: [PATCH 03/13] add doc (reverted from commit ee8a6b524c481210486761032cb1f5fd6266bb54) --- docs/interpreter/hive.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/docs/interpreter/hive.md b/docs/interpreter/hive.md index ae99b40bf84..ba6614b41e9 100644 --- a/docs/interpreter/hive.md +++ b/docs/interpreter/hive.md @@ -124,16 +124,6 @@ Hive Interpreter will be deprecated and merged into JDBC Interpreter. You can us ( Optional ) Other properties used by the driver of %hive(${prefix}) - - zeppelin.jdbc.auth.type - - ( Optional ) If auth type is needed, Example: KERBEROS/SIMPLE - - - hive.proxy.user - true - ( Optional ) If want to use `hive.server2.proxy.user` - This interpreter provides multiple configuration with `${prefix}`. User can set a multiple connection properties by this prefix. It can be used like `%hive(${prefix})`. 
@@ -171,9 +161,3 @@ GROUP BY ${group_by=product_id,product_id|product_name|customer_id|store_id} ORDER BY count ${order=DESC,DESC|ASC} LIMIT ${limit=10}; ``` - -### Impersonation -When Zeppelin server is running with authentication enabled, then this interpreter utilizes Hive's user proxy feature i.e. sends extra parameter for creating and running a session ("hive.server2.proxy.user=": "${loggedInUser}"). This is particularly useful when multi users are sharing a Notebook server. - -To enable this set `zeppelin.jdbc.auth.type` as `SIMPLE` in the interpreter setting. - From d51e770b244ee657786de33cb54b41a13bc17c5d Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Sun, 9 Apr 2017 11:19:39 +0530 Subject: [PATCH 04/13] add doc in jdbc.md --- docs/interpreter/jdbc.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/interpreter/jdbc.md b/docs/interpreter/jdbc.md index ab31b11ca0e..43c6e3cfd2f 100644 --- a/docs/interpreter/jdbc.md +++ b/docs/interpreter/jdbc.md @@ -529,6 +529,12 @@ Connection to Hive JDBC with a proxy user can be disabled with `hive.proxy.user` [Maven Repository : org.apache.hive:hive-jdbc](https://mvnrepository.com/artifact/org.apache.hive/hive-jdbc) +##### Impersonation +When Zeppelin server is running with authentication enabled, then this interpreter utilizes Hive's user proxy feature i.e. sends extra parameter for creating and running a session ("hive.server2.proxy.user=": "${loggedInUser}"). This is particularly useful when multiple users are sharing a Notebook server. + +To enable this set `zeppelin.jdbc.auth.type` as `SIMPLE` or `KERBEROS` (if required) in the interpreter setting. + + ### Apache Phoenix Phoenix supports `thick` and `thin` connection types: From 4c382eefa101619c51fba28a63f465a16785d0db Mon Sep 17 00:00:00 2001 
From: Prabhjyot Singh Date: Sun, 9 Apr 2017 11:53:12 +0530 Subject: [PATCH 05/13] log user details as well --- .../src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index d0157092c0b..18690f4f1ff 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -431,7 +431,7 @@ private void checkAndAppendHiveProxyUser(StringBuilder connectionUrl, String use if (user != null && !user.equals("anonymous") && !"false".equalsIgnoreCase(property.getProperty("hive.proxy.user"))) { - logger.debug("Using hive proxy user"); + logger.info("Using hive proxy user as :" + user); connectionUrl.insert(lastIndexOfUrl, ";hive.server2.proxy.user=" + user + ";"); } } From 3fa2b1e98040aca53e8ba678fabe70dc64b20336 Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Thu, 20 Apr 2017 12:41:54 +0530 Subject: [PATCH 06/13] change name to appendProxyUserToURL --- .../java/org/apache/zeppelin/jdbc/JDBCInterpreter.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index 08d30d131a6..6db8df78627 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -26,7 +26,6 @@ import java.util.HashMap; import java.util.HashSet; import java.util.List; -import java.util.Map; import java.util.Properties; import java.util.Set; 
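Review bot: The new `logger.info("Using hive proxy user as :" + user)` builds its message by concatenation, while `open()` in the same file already uses the placeholder form (`logger.debug("JDBC PropretiesMap: {}", basePropretiesMap)`). Use `logger.info("Using hive proxy user as: {}", user);` for consistency. Because `user` is the notebook login name and is now written at INFO on every connection, a name containing CR or LF would split the log record, so replacing line breaks before logging is worth considering. The two `logger.info` lines added in PATCH 08/13 have the same form.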
@@ -363,7 +362,7 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret } else { if (url.trim().startsWith("jdbc:hive")) { StringBuilder connectionUrl = new StringBuilder(url); - checkAndAppendHiveProxyUser(connectionUrl, user); + appendProxyUserToURL(connectionUrl, user); connection = getConnectionFromPool(connectionUrl.toString(), user, propertyKey, properties); } else { @@ -400,7 +399,7 @@ public Connection run() throws Exception { default: StringBuilder connectionUrl = new StringBuilder(url); - checkAndAppendHiveProxyUser(connectionUrl, user); + appendProxyUserToURL(connectionUrl, user); connection = getConnectionFromPool(connectionUrl.toString(), user, propertyKey, properties); } @@ -409,7 +408,7 @@ public Connection run() throws Exception { return connection; } - private void checkAndAppendHiveProxyUser(StringBuilder connectionUrl, String user) { + private void appendProxyUserToURL(StringBuilder connectionUrl, String user) { if (connectionUrl.toString().trim().startsWith("jdbc:hive")) { Integer lastIndexOfUrl = connectionUrl.indexOf("?"); if (lastIndexOfUrl == -1) { From 513987a2885d8d5f25accfd74fde0086117dd38f Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Mon, 24 Apr 2017 17:06:35 +0530 Subject: [PATCH 07/13] apply genric logic to appendProxyUserToURL --- docs/interpreter/jdbc.md | 21 +++-- .../apache/zeppelin/jdbc/JDBCInterpreter.java | 90 +++++++++---------- 2 files changed, 52 insertions(+), 59 deletions(-) diff --git a/docs/interpreter/jdbc.md b/docs/interpreter/jdbc.md index 29a2feafc37..dbea9f17d82 100644 --- a/docs/interpreter/jdbc.md +++ b/docs/interpreter/jdbc.md 
@@ -169,10 +169,6 @@ There are more JDBC interpreter properties you can specify like below. zeppelin.jdbc.keytab.location The path to the keytab file - - zeppelin.jdbc.auth.kerberos.proxy.enable -      When auth type is Kerberos, enable/disable Kerberos proxy with the login user to get the connection. Default value is true. - default.jceks.file jceks store path (e.g: jceks://file/tmp/zeppelin.jceks) @@ -202,7 +198,7 @@ To bind the interpreters created in the interpreter setting page, click the gear -Select(blue) or deselect(white) the interpreter buttons depending on your use cases. +Select(blue) or deselect(white) the interpreter buttons depending on your use cases. If you need to use more than one interpreter in the notebook, activate several buttons. Don't forget to click `Save` button, or you will face `Interpreter *** is not found` error. @@ -285,7 +281,7 @@ An example settings of interpreter for the two data sources, each of which has i ##### Usage -Test of execution *precode* for each data source. +Test of execution *precode* for each data source. ```sql %jdbc @@ -480,7 +476,7 @@ Here are some examples you can refer to. Including the below connectors, you can [Maven Repository: com.amazonaws:aws-java-sdk-redshift](https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-redshift) -### Apache Hive +### Apache Hive @@ -507,8 +503,9 @@ Here are some examples you can refer to. Including the below connectors, you can hive_password - hive.proxy.user - true or false + default.proxy.user.property + hive.server2.proxy.user + Connection to Hive JDBC with a proxy user can be disabled with `hive.proxy.user` property (set to true by default) 
@@ -535,9 +532,11 @@ Connection to Hive JDBC with a proxy user can be disabled with `hive.proxy.user` [Maven Repository : org.apache.hive:hive-jdbc](https://mvnrepository.com/artifact/org.apache.hive/hive-jdbc) ##### Impersonation -When Zeppelin server is running with authentication enabled, then this interpreter utilizes Hive's user proxy feature i.e. sends extra parameter for creating and running a session ("hive.server2.proxy.user=": "${loggedInUser}"). This is particularly useful when multiple users are sharing a Notebook server. +When Zeppelin server is running with authentication enabled, then the interpreter can utilize Hive's user proxy feature i.e. send extra parameter for creating and running a session ("hive.server2.proxy.user=": "${loggedInUser}"). This is particularly useful when multiple users are sharing a notebooks. -To enable this set `zeppelin.jdbc.auth.type` as `SIMPLE` or `KERBEROS` (if required) in the interpreter setting. +To enable this set following: + - `zeppelin.jdbc.auth.type` as `SIMPLE` or `KERBEROS` (if required) in the interpreter setting. + - `default.proxy.user.property` as `hive.server2.proxy.user` ### Apache Phoenix diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index 6db8df78627..1b65013dcd5 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java 
@@ -353,74 +353,68 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret } else { UserGroupInformation.AuthenticationMethod authType = JDBCSecurityImpl.getAuthtype(property); + final String connectionUrl = appendProxyUserToURL(url, user, propertyKey); + JDBCSecurityImpl.createSecureConfiguration(property, authType); switch (authType) { case KERBEROS: - if (user == null || "false".equalsIgnoreCase( - property.getProperty("zeppelin.jdbc.auth.kerberos.proxy.enable"))) { - connection = getConnectionFromPool(url, user, propertyKey, properties); + if (url.trim().startsWith("jdbc:hive")) { + connection = getConnectionFromPool(connectionUrl, user, propertyKey, properties); } else { - if (url.trim().startsWith("jdbc:hive")) { - StringBuilder connectionUrl = new StringBuilder(url); - appendProxyUserToURL(connectionUrl, user); - connection = getConnectionFromPool(connectionUrl.toString(), - user, propertyKey, properties); - } else { - UserGroupInformation ugi = null; - try { - ugi = UserGroupInformation.createProxyUser( - user, UserGroupInformation.getCurrentUser()); - } catch (Exception e) { - logger.error("Error in getCurrentUser", e); - StringBuilder stringBuilder = new StringBuilder(); - stringBuilder.append(e.getMessage()).append("\n"); - stringBuilder.append(e.getCause()); - throw new InterpreterException(stringBuilder.toString()); - } - - final String poolKey = propertyKey; - try { - connection = ugi.doAs(new PrivilegedExceptionAction() { - @Override - public Connection run() throws Exception { - return getConnectionFromPool(url, user, poolKey, properties); - } - }); - } catch (Exception e) { - logger.error("Error in doAs", e); - StringBuilder stringBuilder = new StringBuilder(); - stringBuilder.append(e.getMessage()).append("\n"); - stringBuilder.append(e.getCause()); - throw new InterpreterException(stringBuilder.toString()); - } + UserGroupInformation ugi = null; + try { + ugi = UserGroupInformation.createProxyUser( + user, 
UserGroupInformation.getCurrentUser()); + } catch (Exception e) { + logger.error("Error in getCurrentUser", e); + StringBuilder stringBuilder = new StringBuilder(); + stringBuilder.append(e.getMessage()).append("\n"); + stringBuilder.append(e.getCause()); + throw new InterpreterException(stringBuilder.toString()); + } + + final String poolKey = propertyKey; + try { + connection = ugi.doAs(new PrivilegedExceptionAction() { + @Override + public Connection run() throws Exception { + return getConnectionFromPool(connectionUrl, user, poolKey, properties); + } + }); + } catch (Exception e) { + logger.error("Error in doAs", e); + StringBuilder stringBuilder = new StringBuilder(); + stringBuilder.append(e.getMessage()).append("\n"); + stringBuilder.append(e.getCause()); + throw new InterpreterException(stringBuilder.toString()); } } break; default: - StringBuilder connectionUrl = new StringBuilder(url); - appendProxyUserToURL(connectionUrl, user); - connection = getConnectionFromPool(connectionUrl.toString(), - user, propertyKey, properties); + connection = getConnectionFromPool(connectionUrl, user, propertyKey, properties); } } return connection; } - private void appendProxyUserToURL(StringBuilder connectionUrl, String user) { - if (connectionUrl.toString().trim().startsWith("jdbc:hive")) { + private String appendProxyUserToURL(String url, String user, String propertyKey) { + StringBuilder connectionUrl = new StringBuilder(url); + + if (user != null && !user.equals("anonymous") && + basePropretiesMap.get(propertyKey).containsKey("proxy.user.property")) { + Integer lastIndexOfUrl = connectionUrl.indexOf("?"); if (lastIndexOfUrl == -1) { lastIndexOfUrl = connectionUrl.length(); } - - if (user != null && !user.equals("anonymous") && - !"false".equalsIgnoreCase(property.getProperty("hive.proxy.user"))) { - logger.info("Using hive proxy user as :" + user); - connectionUrl.insert(lastIndexOfUrl, ";hive.server2.proxy.user=" + user + ";"); - } + logger.info("Using hive proxy user 
as :" + user); + connectionUrl.insert(lastIndexOfUrl, ";" + + basePropretiesMap.get(propertyKey).getProperty("proxy.user.property") + "=" + user + ";"); } + + return connectionUrl.toString(); } private String getPassword(Properties properties) throws IOException { From 1802b453fb7a8b4b23726382b497a7591973e66d Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Mon, 24 Apr 2017 17:10:46 +0530 Subject: [PATCH 08/13] remove hive string from logger --- .../main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index 1b65013dcd5..69228404759 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -409,7 +409,9 @@ private String appendProxyUserToURL(String url, String user, String propertyKey) if (lastIndexOfUrl == -1) { lastIndexOfUrl = connectionUrl.length(); } - logger.info("Using hive proxy user as :" + user); + logger.info("Using proxy user as :" + user); + logger.info("Using proxy property for user as :" + + basePropretiesMap.get(propertyKey).getProperty("proxy.user.property")); connectionUrl.insert(lastIndexOfUrl, ";" + basePropretiesMap.get(propertyKey).getProperty("proxy.user.property") + "=" + user + ";"); } From e2bdbb2ad9fed0de4dcbd1adf4aa9a4050d5835f Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Wed, 26 Apr 2017 12:06:07 +0530 Subject: [PATCH 09/13] include e as inner exception --- .../java/org/apache/zeppelin/jdbc/JDBCInterpreter.java | 10 ++-------- .../zeppelin/interpreter/InterpreterException.java | 4 ++++ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index b69df9ddcb5..e60f07345ee 100644 
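Review bot: `basePropretiesMap.get(propertyKey)` is dereferenced without a null check in the rewritten `appendProxyUserToURL`, and the same lookup is repeated for `containsKey` and `getProperty`. Whether `getConnection` has already rejected an unknown `propertyKey` is not visible in this hunk; if it has not, this throws a `NullPointerException` before the connection is attempted. Read it once, e.g. `Properties p = basePropretiesMap.get(propertyKey);` and `String proxyProperty = (p == null) ? null : p.getProperty("proxy.user.property");`, then append only when `proxyProperty` is non-empty. The `;name=value;` form inserted before `?` is Hive's session-variable syntax, so the property is only generic for drivers that parse URLs that way; a comment on the method should say so. PATCH 11/13 adds the same unguarded `basePropretiesMap.get(propertyKey).containsKey(...)` in the `KERBEROS` branch.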
--- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -367,10 +367,7 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret user, UserGroupInformation.getCurrentUser()); } catch (Exception e) { logger.error("Error in getCurrentUser", e); - StringBuilder stringBuilder = new StringBuilder(); - stringBuilder.append(e.getMessage()).append("\n"); - stringBuilder.append(e.getCause()); - throw new InterpreterException(stringBuilder.toString()); + throw new InterpreterException("Error in getCurrentUser", e); } final String poolKey = propertyKey; @@ -383,10 +380,7 @@ public Connection run() throws Exception { }); } catch (Exception e) { logger.error("Error in doAs", e); - StringBuilder stringBuilder = new StringBuilder(); - stringBuilder.append(e.getMessage()).append("\n"); - stringBuilder.append(e.getCause()); - throw new InterpreterException(stringBuilder.toString()); + throw new InterpreterException("Error in doAs", e); } } break; diff --git a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/interpreter/InterpreterException.java b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/interpreter/InterpreterException.java index 30c1c0aae08..ebd184ecfbd 100644 --- a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/interpreter/InterpreterException.java +++ b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/interpreter/InterpreterException.java @@ -31,4 +31,8 @@ public InterpreterException(String m) { super(m); } + public InterpreterException(String msg, Throwable t) { + super(msg, t); + } + } From a348e969a3a20883be1de9b09317eaa78441f21d Mon Sep 17 00:00:00 2001 
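Review bot: The message `"Error in getCurrentUser"` in the first hunk is also what callers see when `UserGroupInformation.createProxyUser(...)` fails, since both calls sit in the same `try`, which opens just above the hunk (the call is visible in the PATCH 07 and PATCH 10 hunks). Naming the operation and the affected user makes impersonation failures traceable, e.g. `throw new InterpreterException("Failed to create proxy user for " + user, e);`. The `logger.error(...)` directly before each `throw` records the same stack trace a second time if the caller also logs the exception; one of the two is enough. The new `InterpreterException(String msg, Throwable t)` constructor would benefit from a one-line Javadoc stating that `t` is kept as the cause.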
From: Prabhjyot Singh Date: Wed, 26 Apr 2017 12:23:30 +0530 Subject: [PATCH 10/13] revert "zeppelin.jdbc.auth.kerberos.proxy.enable" behaviour --- docs/interpreter/jdbc.md | 4 ++ .../apache/zeppelin/jdbc/JDBCInterpreter.java | 47 ++++++++++--------- 2 files changed, 30 insertions(+), 21 deletions(-) diff --git a/docs/interpreter/jdbc.md b/docs/interpreter/jdbc.md index dbea9f17d82..54a0f25e069 100644 --- a/docs/interpreter/jdbc.md +++ b/docs/interpreter/jdbc.md @@ -169,6 +169,10 @@ There are more JDBC interpreter properties you can specify like below. zeppelin.jdbc.keytab.location The path to the keytab file + + zeppelin.jdbc.auth.kerberos.proxy.enable + When auth type is Kerberos, enable/disable Kerberos proxy with the login user to get the connection. Default value is true. + default.jceks.file jceks store path (e.g: jceks://file/tmp/zeppelin.jceks) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index e60f07345ee..98e349b891d 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java 
@@ -358,29 +358,34 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret JDBCSecurityImpl.createSecureConfiguration(property, authType); switch (authType) { case KERBEROS: - if (url.trim().startsWith("jdbc:hive")) { + if (user == null || "false".equalsIgnoreCase( + property.getProperty("zeppelin.jdbc.auth.kerberos.proxy.enable"))) { connection = getConnectionFromPool(connectionUrl, user, propertyKey, properties); } else { - UserGroupInformation ugi = null; - try { - ugi = UserGroupInformation.createProxyUser( - user, UserGroupInformation.getCurrentUser()); - } catch (Exception e) { - logger.error("Error in getCurrentUser", e); - throw new InterpreterException("Error in getCurrentUser", e); - } - - final String poolKey = propertyKey; - try { - connection = ugi.doAs(new PrivilegedExceptionAction() { - @Override - public Connection run() throws Exception { - return getConnectionFromPool(connectionUrl, user, poolKey, properties); - } - }); - } catch (Exception e) { - logger.error("Error in doAs", e); - throw new InterpreterException("Error in doAs", e); + if (url.trim().startsWith("jdbc:hive")) { + connection = getConnectionFromPool(connectionUrl, user, propertyKey, properties); + } else { + UserGroupInformation ugi = null; + try { + ugi = UserGroupInformation.createProxyUser( + user, UserGroupInformation.getCurrentUser()); + } catch (Exception e) { + logger.error("Error in getCurrentUser", e); + throw new InterpreterException("Error in getCurrentUser", e); + } + + final String poolKey = propertyKey; + try { + connection = ugi.doAs(new PrivilegedExceptionAction() { + @Override + public Connection run() throws Exception { + return getConnectionFromPool(connectionUrl, user, poolKey, properties); + } + }); + } catch (Exception e) { + logger.error("Error in doAs", e); + throw new InterpreterException("Error in doAs", e); + } } } break; From 9fee9d2a9e476769b5d28a50d17f3a7ad38fc453 Mon Sep 17 00:00:00 2001 
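Review bot: With `zeppelin.jdbc.auth.kerberos.proxy.enable` set to `false`, the restored first branch still passes `connectionUrl`, which `appendProxyUserToURL` has already extended with the proxy-user parameter whenever `proxy.user.property` is configured. If the flag is meant to switch impersonation off entirely, as it did before PATCH 07 when this branch used the unmodified URL, pass `url` here: `connection = getConnectionFromPool(url, user, propertyKey, properties);`. When `user` is null the two values are identical, so that change only affects the disabled case. If URL-based impersonation is meant to stay on regardless of the flag, state that in the property's description in jdbc.md.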
From: Prabhjyot Singh Date: Fri, 28 Apr 2017 16:53:41 +0530 Subject: [PATCH 11/13] replace hive with generic method --- .../src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index 98e349b891d..714fa5a1a80 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -362,7 +362,7 @@ public Connection getConnection(String propertyKey, InterpreterContext interpret property.getProperty("zeppelin.jdbc.auth.kerberos.proxy.enable"))) { connection = getConnectionFromPool(connectionUrl, user, propertyKey, properties); } else { - if (url.trim().startsWith("jdbc:hive")) { + if (basePropretiesMap.get(propertyKey).containsKey("proxy.user.property")) { connection = getConnectionFromPool(connectionUrl, user, propertyKey, properties); } else { UserGroupInformation ugi = null; From 45c90a8e2c3383ea1ab21c41379365f178628216 Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Sun, 30 Apr 2017 00:01:11 +0530 Subject: [PATCH 12/13] improve doc --- docs/interpreter/jdbc.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/docs/interpreter/jdbc.md b/docs/interpreter/jdbc.md index 54a0f25e069..d33220f7f98 100644 --- a/docs/interpreter/jdbc.md +++ b/docs/interpreter/jdbc.md 
@@ -508,12 +508,10 @@ Here are some examples you can refer to. Including the below connectors, you can default.proxy.user.property - hive.server2.proxy.user + Example value: hive.server2.proxy.user -Connection to Hive JDBC with a proxy user can be disabled with `hive.proxy.user` property (set to true by default) - [Apache Hive 1 JDBC Driver Docs](https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBC) [Apache Hive 2 JDBC Driver Docs](https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBC) @@ -540,7 +538,19 @@ When Zeppelin server is running with authentication enabled, then the interprete To enable this set following: - `zeppelin.jdbc.auth.type` as `SIMPLE` or `KERBEROS` (if required) in the interpreter setting. - - `default.proxy.user.property` as `hive.server2.proxy.user` + - `{propertyKey}.proxy.user.property` as `hive.server2.proxy.user` + Example configuration + + *Properties* + + | name | value | + |:------------------------- |:--------------------------------------------------------------------------------------------------| + | hive.driver | org.apache.hive.jdbc.HiveDriver | + | hive.password | | + | hive.url | jdbc:hive2://hive-server-host:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2 | + | hive.proxy.user.property | hive.proxy.user.property | + | zeppelin.jdbc.auth.type | SIMPLE | + ### Apache Phoenix From 84b5e55b2821b858b75d6935261934b648966563 Mon Sep 17 00:00:00 2001 From: Prabhjyot Singh Date: Sun, 30 Apr 2017 00:15:19 +0530 Subject: [PATCH 13/13] add logger.warn for hive and impersonation --- docs/interpreter/jdbc.md | 2 +- .../main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/interpreter/jdbc.md b/docs/interpreter/jdbc.md index d33220f7f98..57bee4dcff4 100644 --- a/docs/interpreter/jdbc.md +++ b/docs/interpreter/jdbc.md 
@@ -538,7 +538,7 @@ When Zeppelin server is running with authentication enabled, then the interprete To enable this set following: - `zeppelin.jdbc.auth.type` as `SIMPLE` or `KERBEROS` (if required) in the interpreter setting. - - `{propertyKey}.proxy.user.property` as `hive.server2.proxy.user` + - `${prefix}.proxy.user.property` as `hive.server2.proxy.user` Example configuration *Properties* diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java index 714fa5a1a80..e4040296b2d 100644 --- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java +++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java @@ -413,6 +413,9 @@ private String appendProxyUserToURL(String url, String user, String propertyKey) basePropretiesMap.get(propertyKey).getProperty("proxy.user.property")); connectionUrl.insert(lastIndexOfUrl, ";" + basePropretiesMap.get(propertyKey).getProperty("proxy.user.property") + "=" + user + ";"); + } else if (user != null && !user.equals("anonymous") && url.contains("hive")) { + logger.warn("User impersonation for hive has changed please refer: http://zeppelin.apache" + + ".org/docs/latest/interpreter/jdbc.html#apache-hive"); } return connectionUrl.toString();
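Review bot: The new `else if` only logs a warning when a named user reaches a Hive URL without `proxy.user.property`; the connection is still opened, presumably with the account from the interpreter setting. In the non-Kerberos branch, queries that earlier patches in this series sent with a proxy user may therefore run as that shared account after an upgrade. State the consequence and the property to set in the message, e.g. `logger.warn("{}.proxy.user.property is not set; connecting without impersonating {}", propertyKey, user);`, or fail the connection where per-user authorization is relied on. `url.contains("hive")` also matches any URL with that substring in a host or database name; the earlier code used `url.trim().startsWith("jdbc:hive")`. The method body starts outside the hunk.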