Configuring HiveServer2 Security: Custom Username/Password Authentication
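For details, see the online documentation:
http://doc.mapr.com/display/MapR/Using+HiveServer2#UsingHiveServer2-ConfiguringCustomAuthentication
Three authentication methods are provided in total; we usually use the third one, custom authentication.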
To implement custom authentication for HiveServer2, create a custom Authenticator class derived from the following interface:
From this passage we can see that we need to implement an interface, PasswdAuthenticationProvider (org.apache.hive.service.auth.PasswdAuthenticationProvider). Let's look at this interface:

public interface PasswdAuthenticationProvider {
    /**
     * The Authenticate method is called by the HiveServer2 authentication layer
     * to authenticate users for their requests.
     * If a user is to be granted, return nothing/throw nothing.
     * When a user is to be disallowed, throw an appropriate {@link AuthenticationException}.
     *
     * For an example implementation, see {@link LdapAuthenticationProviderImpl}.
     *
     * @param user - The username received over the connection request
     * @param password - The password received over the connection request
     * @throws AuthenticationException - When a user is found to be
     * invalid by the implementation
     */
    void Authenticate(String user, String password) throws AuthenticationException;
}

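There is one method to implement; once this interface is implemented, you can apply your own username/password verification. There is not much code: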

package org.apache.hadoop.hive.contrib.auth;

import javax.security.sasl.AuthenticationException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.contrib.utils.MD5Util;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;

public class XXXXPasswdAuthenticator implements PasswdAuthenticationProvider, Configurable {

    private static final Log LOG = LogFactory.getLog(XXXXPasswdAuthenticator.class);
    private Configuration conf = null;
    // Property name pattern in hive-site.xml: hive.jdbc_passwd.auth.<username>
    private static final String HIVE_JDBC_PASSWD_AUTH_PREFIX = "hive.jdbc_passwd.auth.%s";

    public XXXXPasswdAuthenticator() {
        init();
    }

    /**
     * Initialization hook; intentionally empty.
     */
    public void init() {
    }

    @Override
    public void Authenticate(String userName, String passwd) throws AuthenticationException {
        LOG.info("user: " + userName + " try login.");
        // Look up the stored MD5 hex digest configured for this user
        String passwdMD5 = getConf().get(String.format(HIVE_JDBC_PASSWD_AUTH_PREFIX, userName));
        if (passwdMD5 == null) {
            // No property for this user: reject the login
            String message = "user's ACL configuration is not found. user:" + userName;
            LOG.info(message);
            throw new AuthenticationException(message);
        }
        // Hash the supplied password with the author's MD5Util helper (not shown) and compare
        String md5 = MD5Util.md5Hex(passwd);
        if (!md5.equals(passwdMD5)) {
            String message = "user name and password is mismatch. user:" + userName;
            throw new AuthenticationException(message);
        }
        LOG.info("user " + userName + " login system successfully.");
    }

    @Override
    public Configuration getConf() {
        // Fall back to a default Configuration if none was injected via setConf
        if (conf == null) {
            this.conf = new Configuration();
        }
        return conf;
    }

    @Override
    public void setConf(Configuration arg0) {
        this.conf = arg0;
    }
}

Add the following properties to the hive-site.xml file, then restart Hiveserver2:
Configuration that enables custom authentication:

<property>
  <name>hive.server2.authentication</name>
  <value>CUSTOM</value>
</property>
<property>
  <name>hive.server2.custom.authentication.class</name>
  <value>org.apache.hadoop.hive.contrib.auth.XXXXPasswdAuthenticator</value>
</property>

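Anyone who has followed the code will know what comes next: the usernames and passwords have to be configured in the hive-site.xml configuration file.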

<property>
  <name>hive.jdbc_passwd.auth.hive_r</name>
  <value>b531c271de4552ca2dec510d318c87f9</value>
  <description/>
</property>

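For multiple users, add one property per user; the property name carries the username and the value carries the password, stored as the MD5 hex digest that the code above compares against.
Package the code above into a jar and upload it to hive/lib, and HiveServer2 will enforce the custom username/password authentication.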