Add basic data

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/AnonymousAuthenticationProviderImpl.java

@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.sql.thriftserver.auth;
+
+import javax.security.sasl.AuthenticationException;
+
+/**
+ * This authentication provider allows any combination of username and password.
+ */
+public class AnonymousAuthenticationProviderImpl implements PasswdAuthenticationProvider {
+
+  @Override
+  public void Authenticate(String user, String password) throws AuthenticationException {
+    // no-op authentication
+  }
+
+}

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/AuthenticationProviderFactory.java

@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.sql.thriftserver.auth;
+
+import javax.security.sasl.AuthenticationException;
+
+/**
+ * This class helps select a {@link PasswdAuthenticationProvider} for a given {@code AuthMethod}.
+ */
+public final class AuthenticationProviderFactory {
+
+  public enum AuthMethods {
+    LDAP("LDAP"),
+    PAM("PAM"),
+    CUSTOM("CUSTOM"),
+    NONE("NONE");
+
+    private final String authMethod;
+
+    AuthMethods(String authMethod) {
+      this.authMethod = authMethod;
+    }
+
+    public String getAuthMethod() {
+      return authMethod;
+    }
+
+    public static AuthMethods getValidAuthMethod(String authMethodStr)
+      throws AuthenticationException {
+      for (AuthMethods auth : AuthMethods.values()) {
+        if (authMethodStr.equals(auth.getAuthMethod())) {
+          return auth;
+        }
+      }
+      throw new AuthenticationException("Not a valid authentication method");
+    }
+  }
+
+  private AuthenticationProviderFactory() {
+  }
+
+  public static PasswdAuthenticationProvider getAuthenticationProvider(AuthMethods authMethod)
+    throws AuthenticationException {
+    if (authMethod == AuthMethods.LDAP) {
+      return new LdapAuthenticationProviderImpl();
+    } else if (authMethod == AuthMethods.PAM) {
+      return new PamAuthenticationProviderImpl();
+    } else if (authMethod == AuthMethods.CUSTOM) {
+      return new CustomAuthenticationProviderImpl();
+    } else if (authMethod == AuthMethods.NONE) {
+      return new AnonymousAuthenticationProviderImpl();
+    } else {
+      throw new AuthenticationException("Unsupported authentication method");
+    }
+  }
+}

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/CustomAuthenticationProviderImpl.java

@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.sql.thriftserver.auth;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.util.ReflectionUtils;
+
+import javax.security.sasl.AuthenticationException;
+
+/**
+ * This authentication provider implements the {@code CUSTOM} authentication. It allows a {@link
+ * PasswdAuthenticationProvider} to be specified at configuration time which may additionally
+ * implement {@link org.apache.hadoop.conf.Configurable Configurable} to grab Hive's {@link
+ * org.apache.hadoop.conf.Configuration Configuration}.
+ */
+public class CustomAuthenticationProviderImpl implements PasswdAuthenticationProvider {
+
+  private final PasswdAuthenticationProvider customProvider;
+
+  @SuppressWarnings("unchecked")
+  CustomAuthenticationProviderImpl() {
+    HiveConf conf = new HiveConf();
+    Class<? extends PasswdAuthenticationProvider> customHandlerClass =
+      (Class<? extends PasswdAuthenticationProvider>) conf.getClass(
+        HiveConf.ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
+        PasswdAuthenticationProvider.class);
+    customProvider = ReflectionUtils.newInstance(customHandlerClass, conf);
+  }
+
+  @Override
+  public void Authenticate(String user, String password) throws AuthenticationException {
+    customProvider.Authenticate(user, password);
+  }
+
+}

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/HttpAuthenticationException.java

@@ -0,0 +1,43 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+
+package org.apache.spark.sql.thriftserver.auth;
+
+public class HttpAuthenticationException extends Exception {
+
+  private static final long serialVersionUID = 0;
+
+  /**
+   * @param cause original exception
+   */
+  public HttpAuthenticationException(Throwable cause) {
+    super(cause);
+  }
+
+  /**
+   * @param msg exception message
+   */
+  public HttpAuthenticationException(String msg) {
+    super(msg);
+  }
+
+  /**
+   * @param msg   exception message
+   * @param cause original exception
+   */
+  public HttpAuthenticationException(String msg, Throwable cause) {
+    super(msg, cause);
+  }
+
+}

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/LdapAuthenticationProviderImpl.java

@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.sql.thriftserver.auth;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.spark.sql.thriftserver.ServiceUtils;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.directory.InitialDirContext;
+import javax.security.sasl.AuthenticationException;
+import java.util.Hashtable;
+
+public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvider {
+
+  private final String ldapURL;
+  private final String baseDN;
+  private final String ldapDomain;
+
+  LdapAuthenticationProviderImpl() {
+    HiveConf conf = new HiveConf();
+    ldapURL = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
+    baseDN = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
+    ldapDomain = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
+  }
+
+  @Override
+  public void Authenticate(String user, String password) throws AuthenticationException {
+
+    Hashtable<String, Object> env = new Hashtable<String, Object>();
+    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+    env.put(Context.PROVIDER_URL, ldapURL);
+
+    // If the domain is available in the config, then append it unless domain is
+    // already part of the username. LDAP providers like Active Directory use a
+    // fully qualified user name like [email protected].
+    if (!hasDomain(user) && ldapDomain != null) {
+      user  = user + "@" + ldapDomain;
+    }
+
+    if (password == null || password.isEmpty() || password.getBytes()[0] == 0) {
+      throw new AuthenticationException("Error validating LDAP user:" +
+          " a null or blank password has been provided");
+    }
+
+    // setup the security principal
+    String bindDN;
+    if (baseDN == null) {
+      bindDN = user;
+    } else {
+      bindDN = "uid=" + user + "," + baseDN;
+    }
+    env.put(Context.SECURITY_AUTHENTICATION, "simple");
+    env.put(Context.SECURITY_PRINCIPAL, bindDN);
+    env.put(Context.SECURITY_CREDENTIALS, password);
+
+    try {
+      // Create initial context
+      Context ctx = new InitialDirContext(env);
+      ctx.close();
+    } catch (NamingException e) {
+      throw new AuthenticationException("Error validating LDAP user", e);
+    }
+  }
+
+  private boolean hasDomain(String userName) {
+    return (ServiceUtils.indexOfDomainMatch(userName) > 0);
+  }
+}

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/PamAuthenticationProviderImpl.java

@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.sql.thriftserver.auth;
+
+import net.sf.jpam.Pam;
+import org.apache.hadoop.hive.conf.HiveConf;
+
+import javax.security.sasl.AuthenticationException;
+
+public class PamAuthenticationProviderImpl implements PasswdAuthenticationProvider {
+
+  private final String pamServiceNames;
+
+  PamAuthenticationProviderImpl() {
+    HiveConf conf = new HiveConf();
+    pamServiceNames = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PAM_SERVICES);
+  }
+
+  @Override
+  public void Authenticate(String user, String password) throws AuthenticationException {
+
+    if (pamServiceNames == null || pamServiceNames.trim().isEmpty()) {
+      throw new AuthenticationException("No PAM services are set.");
+    }
+
+    String[] pamServices = pamServiceNames.split(",");
+    for (String pamService : pamServices) {
+      Pam pam = new Pam(pamService);
+      boolean isAuthenticated = pam.authenticateSuccessful(user, password);
+      if (!isAuthenticated) {
+        throw new AuthenticationException(
+          "Error authenticating with the PAM service: " + pamService);
+      }
+    }
+  }
+}

sql/thriftserver/src/main/java/org/apache/spark/sql/thriftserver/auth/PasswdAuthenticationProvider.java

@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.sql.thriftserver.auth;
+
+import javax.security.sasl.AuthenticationException;
+
+public interface PasswdAuthenticationProvider {
+
+  /**
+   * The Authenticate method is called by the HiveServer2 authentication layer
+   * to authenticate users for their requests.
+   * If a user is to be granted, return nothing/throw nothing.
+   * When a user is to be disallowed, throw an appropriate {@link AuthenticationException}.
+   *
+   * For an example implementation, see {@link LdapAuthenticationProviderImpl}.
+   *
+   * @param user     The username received over the connection request
+   * @param password The password received over the connection request
+   *
+   * @throws AuthenticationException When a user is found to be
+   *                                 invalid by the implementation
+   */
+  void Authenticate(String user, String password) throws AuthenticationException;
+}