配置HiveServer2的安全策略之自定义用户名密码验证

 

 

具体从网上看

 

http://doc.mapr.com/display/MapR/Using+HiveServer2#UsingHiveServer2-ConfiguringCustomAuthentication

 

• • LDAP Authentication using OpenLDAP
  • Setting up Authentication with Pluggable Access Modules
  • Configuring Custom Authentication

一共提供了三种安全认证方式，我们通常采用的为第三种自定义的方式。

 

To implement custom authentication for HiveServer2, create a custom Authenticator class derived from the following interface:

从这段话看出来我们要实现一个接口：PasswdAuthenticationProvider （org.apache.hive.service.auth.PasswdAuthenticationProvider）我们来看看这个接口

 

 

 

public interface PasswdAuthenticationProvider {
  /**
   * The Authenticate method is called by the HiveServer2 authentication layer
   * to authenticate users for their requests.
   * If a user is to be granted, return nothing/throw nothing.
   * When a user is to be disallowed, throw an appropriate {@link AuthenticationException}.
   *
   * For an example implementation, see {@link LdapAuthenticationProviderImpl}.
   *
   * @param user - The username received over the connection request
   * @param password - The password received over the connection request
   * @throws AuthenticationException - When a user is found to be
   * invalid by the implementation
   */
  void Authenticate(String user, String password) throws AuthenticationException;
}

 

 

 

有一个方法要实现，实现了这个接口就可以自定义验证用户名密码了。代码不是太多

 

 

package org.apache.hadoop.hive.contrib.auth;

import javax.security.sasl.AuthenticationException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.contrib.utils.MD5Util;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;


public class XXXXPasswdAuthenticator implements PasswdAuthenticationProvider,Configurable {
	private static final Log LOG=LogFactory.getLog(XXXXPasswdAuthenticator.class);
	private Configuration conf=null;
	
	private static final String HIVE_JDBC_PASSWD_AUTH_PREFIX="hive.jdbc_passwd.auth.%s";
	
	public XXXXPasswdAuthenticator() {
		init();
	}
	
	/**
	 * 
	 */
	public void init(){
		
	}
	
	@Override
	public void Authenticate(String userName, String passwd)
			throws AuthenticationException {
		LOG.info("user: "+userName+" try login.");
		
		String passwdMD5 = getConf().get(String.format(HIVE_JDBC_PASSWD_AUTH_PREFIX, userName));
		
		if(passwdMD5==null){
			String message = "user's ACL configration is not found. user:"+userName;
			LOG.info(message);
			throw new AuthenticationException(message);
		}
		
		String md5 = MD5Util.md5Hex(passwd);
		
		if(!md5.equals(passwdMD5)){
			String message = "user name and password is mismatch. user:"+userName;
			throw new AuthenticationException(message);
		}
		
		LOG.info("user "+userName+" login system successfully.");
		
	}

	@Override
	public Configuration getConf() {
		if(conf==null){
			this.conf=new Configuration();
		}
		
		return conf;
	}

	@Override
	public void setConf(Configuration arg0) {
		this.conf=arg0;
	}

}

 

Add the following properties to the hive-site.xml file, then restart Hiveserver2:

开启自定义验证配置

  

<property>
    <name>hive.server2.authentication</name>
    <value>CUSTOM</value>
  </property>

  <property>
    <name>hive.server2.custom.authentication.class</name>
    <value>org.apache.hadoop.hive.contrib.auth.XXXXPasswdAuthenticator</value>
  </property>

 

相信看懂代码的人应该明白怎么做了，我们要把用户名密码配置到hive-site.xml配置文件中。

 

<property>
    <name>hive.jdbc_passwd.auth.hive_r</name>
    <value>b531c271de4552ca2dec510d318c87f9</value>
    <description/>
</property>

 多个用户可以添加多个property，里面配置的即用户名密码了。

 

以上代码打包jar包，上传到hive/lib下即可实现HiveServer2的安全策略之自定义用户名密码验证了。