AMBARI-14503. Hive views does not honour auth_to_local rules when running queries

. (Gaurav Nagar via yusaku)

ambari-server/pom.xml

@@ -47,6 +47,7 @@
     <stacksSrcLocation>target/classes/stacks/${stack.distribution}</stacksSrcLocation>
     <tarballResourcesFolder>src/main/resources</tarballResourcesFolder>
     <skipPythonTests>false</skipPythonTests>
+    <hadoop.version>2.7.1</hadoop.version>
   </properties>
   <build>
     <plugins>
@@ -2021,6 +2022,11 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-auth</artifactId>
+      <version>${hadoop.version}</version>
+    </dependency>
   </dependencies>
 
   <pluginRepositories>

ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java

@@ -48,9 +48,13 @@ import org.apache.ambari.view.events.Event;
 import org.apache.ambari.view.events.Listener;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.directory.api.util.Strings;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.Velocity;
 import org.apache.velocity.exception.ParseErrorException;
+import sun.security.krb5.KrbException;
 
 import java.io.StringWriter;
 import java.io.Writer;
@@ -71,6 +75,10 @@ public class ViewContextImpl implements ViewContext, ViewController {
    */
   private static final Log LOG = LogFactory.getLog(ViewContextImpl.class);
 
+  public static final String HADOOP_SECURITY_AUTH_TO_LOCAL = "hadoop.security.auth_to_local";
+  public static final String CORE_SITE = "core-site";
+  public static final String HDFS_AUTH_TO_LOCAL = "hdfs.auth_to_local";
+
   /**
    * The associated view definition.
    */
@@ -218,6 +226,36 @@ public class ViewContextImpl implements ViewContext, ViewController {
 
   @Override
   public String getUsername() {
+    String shortName = getLoggedinUser();
+    try {
+      String authToLocalRules = getAuthToLocalRules();
+      //Getting ambari server realm. Ideally this should come from user
+      String defaultRealm = KerberosUtil.getDefaultRealm();
+      if(Strings.isNotEmpty(authToLocalRules) && Strings.isNotEmpty(defaultRealm)){
+        synchronized (KerberosName.class){
+          KerberosName.setRules(authToLocalRules);
+          shortName = new KerberosName(shortName+"@"+defaultRealm).getShortName();
+        }
+      }
+    } catch (Exception e) {
+      LOG.error("Failed to get username",e);
+    }
+    return shortName;
+  }
+
+  private String getAuthToLocalRules(){
+    Cluster cluster = getCluster();
+    String authToLocalRules = null;
+    if (cluster != null) {
+      authToLocalRules = cluster.getConfigurationValue(CORE_SITE, HADOOP_SECURITY_AUTH_TO_LOCAL);
+    }else if(viewInstanceEntity != null) {
+      authToLocalRules = viewInstanceEntity.getPropertyMap().get(HDFS_AUTH_TO_LOCAL);
+    }
+    return authToLocalRules;
+  }
+
+  @Override
+  public String getLoggedinUser(){
     return viewInstanceEntity != null ? viewInstanceEntity.getUsername() : null;
   }
 
@@ -465,6 +503,13 @@ public class ViewContextImpl implements ViewContext, ViewController {
             return viewContext.getInstanceName();
           }
         });
+    context.put("loggedinUser",
+            new ParameterResolver() {
+              @Override
+              protected String getValue() {
+                return viewContext.getLoggedinUser();
+              }
+            });
     return context;
   }
 

ambari-views/src/main/java/org/apache/ambari/view/ViewContext.java

@@ -36,12 +36,19 @@ public interface ViewContext {
   public static final String CONTEXT_ATTRIBUTE = "ambari-view-context";
 
   /**
-   * Get the current user name.
+   * Get the current user name after auth_to_local conversion
    *
    * @return the current user name
    */
   public String getUsername();
 
+  /**
+   * Get the current ambari user.
+   *
+   * @return the current user name
+   */
+  public String getLoggedinUser();
+
   /**
    * Determine whether or not the access specified by the given permission name
    * is permitted for the given user.

contrib/views/files/src/main/resources/view.xml

@@ -87,6 +87,13 @@
         <required>false</required>
         <cluster-config>fake</cluster-config>
     </parameter>
+    <parameter>
+        <name>hdfs.auth_to_local</name>
+        <description>Auth to Local Configuration</description>
+        <label>Auth To Local</label>
+        <required>false</required>
+        <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config>
+    </parameter>
 
     <parameter>
         <name>webhdfs.username</name>

contrib/views/hive/src/main/resources/view.xml

@@ -166,6 +166,14 @@
         <required>false</required>
     </parameter>
 
+    <parameter>
+        <name>hdfs.auth_to_local</name>
+        <description>Auth to Local Configuration</description>
+        <label>Auth To Local</label>
+        <required>false</required>
+        <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config>
+    </parameter>
+
     <!-- General Configs -->
 
     <parameter>

contrib/views/pig/src/main/resources/view.xml

@@ -107,6 +107,14 @@
         <required>false</required>
     </parameter>
 
+    <parameter>
+        <name>hdfs.auth_to_local</name>
+        <description>Auth to Local Configuration</description>
+        <label>Auth To Local</label>
+        <required>false</required>
+        <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config>
+    </parameter>
+
     <!-- WebHCat Configs -->
     <parameter>
         <name>webhcat.hostname</name>
@@ -133,6 +141,7 @@
         <required>false</required>
     </parameter>
 
+
     <!-- General Configs -->
     <parameter>
         <name>scripts.dir</name>

contrib/views/tez/src/main/resources/view.xml

@@ -35,6 +35,13 @@ limitations under the License. Kerberos, LDAP, Custom. Binary/Htt
     <placeholder>yarn.resourcemanager.hostname:8088</placeholder>
     <cluster-config>yarn-site/yarn.resourcemanager.webapp.address</cluster-config>
   </parameter>
+  <parameter>
+    <name>hdfs.auth_to_local</name>
+    <description>Auth to Local Configuration</description>
+    <label>Auth To Local</label>
+    <required>false</required>
+    <cluster-config>core-site/hadoop.security.auth_to_local</cluster-config>
+  </parameter>
 
   <!-- The status resource exists to show the subset of properties that any user is allowed to see, not just an admin user. -->
   <resource>