Hive Meta Store impersonation access

pom.xml

@@ -1450,6 +1450,12 @@
                 <version>1.3.5-4</version>
             </dependency>
 
+            <dependency>
+                <groupId>commons-codec</groupId>
+                <artifactId>commons-codec</artifactId>
+                <version>1.10</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.apache.zookeeper</groupId>
                 <artifactId>zookeeper</artifactId>

presto-docs/src/main/sphinx/connector/hive-security.rst

@@ -131,6 +131,8 @@ Property Name                                      Description
                                                    to the Hive metastore service.
 
 ``hive.metastore.client.keytab``                   Hive metastore client keytab location.
+``hive.metastore.impersonation.enabled``           Enable metastore end-user impersonation.
+``hive.metastore.impersonation.user``              Default impersonation user when communicating with Hive Metastore
 ================================================== ============================================================
 
 ``hive.metastore.authentication.type``

presto-docs/src/main/sphinx/connector/hive.rst

@@ -184,6 +184,7 @@ Property Name                                      Description
 
 ``hive.s3select-pushdown.max-connections``         Maximum number of simultaneously open connections to S3 for  500
                                                    S3SelectPushdown.
+``hive.metastore.multiple-instance.enabled``       Enable load balancing between multiple Metastore instances
 ================================================== ============================================================ ============
 
 .. _s3selectpushdown:

presto-hive-hadoop2/bin/run_hive_tests.sh

@@ -7,6 +7,11 @@ set -euo pipefail -x
 cleanup_docker_containers
 start_docker_containers
 
+# restart HMS to pickup memory settings
+exec_in_hadoop_master_container cp /etc/hadoop/conf/hive-env.sh /etc/hive/conf/hive-env.sh
+exec_in_hadoop_master_container supervisorctl restart hive-metastore
+retry check_hadoop
+
 # generate test data
 exec_in_hadoop_master_container su hive -s /usr/bin/hive -f /files/sql/create-test.sql
 exec_in_hadoop_master_container su hive -s /usr/bin/hive -f /files/sql/create-test-hive13.sql

presto-hive-hadoop2/conf/docker-compose.yml

@@ -17,6 +17,7 @@ services:
       - ../../presto-hive/src/test/sql:/files/sql:ro
       - ./files/words:/usr/share/dict/words:ro
       - ./files/core-site.xml.s3-template:/etc/hadoop/conf/core-site.xml.s3-template:ro
+      - ./files/hive-env.sh:/etc/hadoop/conf/hive-env.sh:ro
       - ./files/test1.csv:/tmp/test1.csv:ro
       - ./files/test1.csv.gz:/tmp/test1.csv.gz:ro
       - ./files/test1.csv.lz4:/tmp/test1.csv.lz4:ro

presto-hive-hadoop2/conf/files/hive-env.sh

@@ -0,0 +1 @@
+export HADOOP_OPTS="$HADOOP_OPTS -Xmx1024m"

presto-hive-metastore/src/main/java/com/facebook/presto/hive/MetastoreClientConfig.java

@@ -14,6 +14,7 @@
 package com.facebook.presto.hive;
 
 import com.facebook.airlift.configuration.Config;
+import com.facebook.airlift.configuration.ConfigDescription;
 import com.google.common.net.HostAndPort;
 import io.airlift.units.Duration;
 import io.airlift.units.MinDuration;
@@ -41,6 +42,8 @@ public class MetastoreClientConfig
     private String recordingPath;
     private boolean replay;
     private Duration recordingDuration = new Duration(0, MINUTES);
+    private String metastoreDefaultImpersonationUser = "";
+    private boolean metastoreImpersonationEnabled;
 
     public HostAndPort getMetastoreSocksProxy()
     {
@@ -194,4 +197,30 @@ public MetastoreClientConfig setRequireHadoopNative(boolean requireHadoopNative)
         this.requireHadoopNative = requireHadoopNative;
         return this;
     }
+
+    public boolean isMetastoreImpersonationEnabled()
+    {
+        return metastoreImpersonationEnabled;
+    }
+
+    @Config("hive.metastore.impersonation.enabled")
+    @ConfigDescription("Should Presto user be impersonated when communicating with Hive Metastore")
+    public MetastoreClientConfig setMetastoreImpersonationEnabled(boolean metastoreImpersonationEnabled)
+    {
+        this.metastoreImpersonationEnabled = metastoreImpersonationEnabled;
+        return this;
+    }
+
+    public String getMetastoreDefaultImpersonationUser()
+    {
+        return metastoreDefaultImpersonationUser;
+    }
+
+    @Config("hive.metastore.impersonation.user")
+    @ConfigDescription("Default impersonation user when communicating with Hive Metastore")
+    public MetastoreClientConfig setMetastoreDefaultImpersonationUser(String metastoreDefaultImpersonationUser)
+    {
+        this.metastoreDefaultImpersonationUser = metastoreDefaultImpersonationUser;
+        return this;
+    }
 }

presto-hive-metastore/src/main/java/com/facebook/presto/hive/authentication/HiveMetastoreAuthentication.java

@@ -18,4 +18,17 @@
 public interface HiveMetastoreAuthentication
 {
     TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost);
+
+    TTransport authenticateWithToken(TTransport rawTransport, String tokenString);
+
+    <R, E extends Exception> R doAs(String user, GenericExceptionAction<R, E> action)
+            throws E;
+
+    default void doAs(String user, Runnable action)
+    {
+        doAs(user, () -> {
+            action.run();
+            return null;
+        });
+    }
 }

presto-hive-metastore/src/main/java/com/facebook/presto/hive/authentication/NoHiveMetastoreAuthentication.java

@@ -23,4 +23,17 @@ public TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost
     {
         return rawTransport;
     }
+
+    @Override
+    public TTransport authenticateWithToken(TTransport rawTransport, String tokenString)
+    {
+        return rawTransport;
+    }
+
+    @Override
+    public <R, E extends Exception> R doAs(String user, GenericExceptionAction<R, E> action)
+            throws E
+    {
+        return action.run();
+    }
 }