private void openSession() throws SQLException {
TOpenSessionReq openReq = new TOpenSessionReq();
Map<String, String> openConf = new HashMap<String, String>();
// for remote JDBC client, try to set the conf var using 'set foo=bar'
for (Entry<String, String> hiveConf : connParams.getHiveConfs().entrySet()) {
openConf.put("set:hiveconf:" + hiveConf.getKey(), hiveConf.getValue());
}
// For remote JDBC client, try to set the hive var using 'set hivevar:key=value'
for (Entry<String, String> hiveVar : connParams.getHiveVars().entrySet()) {
openConf.put("set:hivevar:" + hiveVar.getKey(), hiveVar.getValue());
}
// switch the database
openConf.put("use:database", connParams.getDbName());
// set the session configuration
Map<String, String> sessVars = connParams.getSessionVars();
if (sessVars.containsKey(HiveAuthFactory.HS2_PROXY_USER)) {
openConf.put(HiveAuthFactory.HS2_PROXY_USER, sessVars.get(HiveAuthFactory.HS2_PROXY_USER));
}
openReq.setConfiguration(openConf);
// Store the user name in the open request in case no non-sasl authentication
if (JdbcConnectionParams.AUTH_SIMPLE.equals(sessConfMap.get(JdbcConnectionParams.AUTH_TYPE))) {
openReq.setUsername(sessConfMap.get(JdbcConnectionParams.AUTH_USER));
openReq.setPassword(sessConfMap.get(JdbcConnectionParams.AUTH_PASSWD));
}
try {
TOpenSessionResp openResp = client.OpenSession(openReq);
// validate connection
Utils.verifySuccess(openResp.getStatus());
if (!supportedProtocols.contains(openResp.getServerProtocolVersion())) {
throw new TException("Unsupported Hive2 protocol");
}
protocol = openResp.getServerProtocolVersion();
sessHandle = openResp.getSessionHandle();
} catch (TException e) {
LOG.error("Error opening session", e);
throw new SQLException(
"Could not establish connection to " + jdbcUriString + ": " + e.getMessage(),
" 08S01",
e);
}
isClosed = false;
}
private boolean isKerberosAuthMode() {
return !JdbcConnectionParams.AUTH_SIMPLE.equals(sessConfMap.get(JdbcConnectionParams.AUTH_TYPE))
&& sessConfMap.containsKey(JdbcConnectionParams.AUTH_PRINCIPAL);
}
/**
* Create transport per the connection options Supported transport options are: - SASL based
* transports over + Kerberos + Delegation token + SSL + non-SSL - Raw (non-SASL) socket
*
* <p>Kerberos and Delegation token supports SASL QOP configurations
*
* @throws SQLException, TTransportException
*/
private TTransport createBinaryTransport() throws SQLException, TTransportException {
try {
// handle secure connection if specified
if (!JdbcConnectionParams.AUTH_SIMPLE.equals(
sessConfMap.get(JdbcConnectionParams.AUTH_TYPE))) {
// If Kerberos
Map<String, String> saslProps = new HashMap<String, String>();
SaslQOP saslQOP = SaslQOP.AUTH;
if (sessConfMap.containsKey(JdbcConnectionParams.AUTH_QOP)) {
try {
saslQOP = SaslQOP.fromString(sessConfMap.get(JdbcConnectionParams.AUTH_QOP));
} catch (IllegalArgumentException e) {
throw new SQLException(
"Invalid " + JdbcConnectionParams.AUTH_QOP + " parameter. " + e.getMessage(),
"42000",
e);
}
saslProps.put(Sasl.QOP, saslQOP.toString());
} else {
// If the client did not specify qop then just negotiate the one supported by server
saslProps.put(Sasl.QOP, "auth-conf,auth-int,auth");
}
saslProps.put(Sasl.SERVER_AUTH, "true");
if (sessConfMap.containsKey(JdbcConnectionParams.AUTH_PRINCIPAL)) {
transport =
KerberosSaslHelper.getKerberosTransport(
sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL),
host,
HiveAuthFactory.getSocketTransport(host, port, loginTimeout),
saslProps,
assumeSubject);
} else {
// If there's a delegation token available then use token based connection
String tokenStr = getClientDelegationToken(sessConfMap);
if (tokenStr != null) {
transport =
KerberosSaslHelper.getTokenTransport(
tokenStr,
host,
HiveAuthFactory.getSocketTransport(host, port, loginTimeout),
saslProps);
} else {
// we are using PLAIN Sasl connection with user/password
String userName = getUserName();
String passwd = getPassword();
// Note: Thrift returns an SSL socket that is already bound to the specified host:port
// Therefore an open called on this would be a no-op later
// Hence, any TTransportException related to connecting with the peer are thrown here.
// Bubbling them up the call hierarchy so that a retry can happen in openTransport,
// if dynamic service discovery is configured.
if (isSslConnection()) {
// get SSL socket
String sslTrustStore = sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
String sslTrustStorePassword =
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
if (sslTrustStore == null || sslTrustStore.isEmpty()) {
transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout);
} else {
transport =
HiveAuthFactory.getSSLSocket(
host, port, loginTimeout, sslTrustStore, sslTrustStorePassword);
}
} else {
// get non-SSL socket transport
transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout);
}
// Overlay the SASL transport on top of the base socket transport (SSL or non-SSL)
transport = PlainSaslHelper.getPlainTransport(userName, passwd, transport);
}
}
} else {
// Raw socket connection (non-sasl)
transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout);
}
} catch (SaslException e) {
throw new SQLException(
"Could not create secure connection to " + jdbcUriString + ": " + e.getMessage(),
" 08S01",
e);
}
return transport;
}
