#[UIC-2157]:SSL hive connection support http transport mode (#274)

* feat(ssl):exposed vars for ssl

exposed vars for ssl

UIC-2157

* feat(ssl):updated curl version

updated curl version

UIC-2157

* feat(ssl):updated curl version

updated curl version

UIC-2157

* feat(ssl):updated curl version

updated curl version

UIC-2157

* feat(ssl):configure vars

configure vars

UIC-2157

* feat(ssl):configure vars  and reset jenkins file

configure vars  and reset jenkins file

UIC-2157

docker/superset_config.py

@@ -156,4 +156,8 @@ class CeleryConfig(object):
     WTF_CSRF_EXEMPT_LIST = WTF_CSRF_EXEMPT_STR.split(",")
 
 ENABLE_CHUNK_ENCODING =  boolify(get_env_variable('ENABLE_CHUNK_ENCODING',"True"))  
+# set ENABLE_SSL_HIVE_CONNECTION True to create HIVE connection in SSL and  http transport mode
+ENABLE_SSL_HIVE_CONNECTION =  boolify(get_env_variable('ENABLE_SSL_HIVE_CONNECTION',"False"))  
+# provide ca certificate file with complete path as per available on local/container for SSL/TLS connection
+CA_CERT_FILE_PATH = get_env_variable('CA_CERT_FILE_PATH','/etc/cert/ca.crt')
 

superset/db_engines/THttpTransport/THttpClientTransport.py

@@ -61,7 +61,7 @@ def set_kerberos_auth(self,mutual_authentication,
   def set_basic_auth(self, username, password):
     self._client.set_basic_auth(username, password)
 
-  def set_verify(self, verify=True):
+  def set_verify(self, verify):
     self._client.set_verify(verify)
 
   def close(self):

superset/db_engines/THttpTransport/http_client.py

@@ -155,8 +155,20 @@ def base_url(self):
   def logger(self):
     return self._logger
 
-  def set_verify(self, verify=True):
-    self._session.verify = verify
+  def set_verify(self, verify):
+    self.logger.debug('set -----------------------verify---------------------------------------')
+    if verify == 'True':
+      self.logger.debug(verify)
+      self._session.verify = True
+    elif verify == 'False':
+      self.logger.debug(verify)
+      self._session.verify = False
+    else:
+      self.logger.debug(verify)
+      self._session.verify = verify
+
+    self.logger.debug('*************************************************************************')
+
     return self
 
   def _get_headers(self, headers):
@@ -184,6 +196,7 @@ def execute(self, http_method, path, params=None, data=None, headers=None, allow
     if urlencode:
       path = urllib.parse.quote(smart_str(path))
     url = self._make_url(path, params)
+    self.logger.debug("-------connection url-----------------------------------------------------'%s'" % url)
     if http_method in ("GET", "DELETE"):
       if data is not None:
         self.logger.warn("GET and DELETE methods do not pass any data. Path '%s'" % path)

superset/db_engines/THttpTransport/resource.py

@@ -92,6 +92,9 @@ def _invoke(self, method, relpath=None, params=None, data=None, headers=None, fi
     Invoke an API method.
     @return: Raw body or JSON dictionary (if response content type is JSON).
     """
+    self._client.logger.debug('setting --------------header-------------------------------------------------------------------------------------')
+    self._client.logger.debug(headers)
+    self._client.logger.debug('***********-------------------------------------------------------------------------------------*****************')
     path = self._join_uri(relpath)
     start_time = time.time()
     resp = self._client.execute(method,

superset/db_engines/hive.py

@@ -18,6 +18,12 @@
 
 from superset.db_engines.THttpTransport.THttpClientTransport import THttpClientTransport 
 from thrift.transport.TTransport import TBufferedTransport
+from superset import app
+
+# Globals
+config = app.config
+ENABLE_SSL_HIVE_CONNECTION = config.get('ENABLE_SSL_HIVE_CONNECTION')
+CA_CERT_FILE_PATH = config.get('CA_CERT_FILE_PATH')
 
 # TODO: contribute back to pyhive.
 def fetch_logs(self, max_rows=1024,
@@ -66,7 +72,7 @@ def fetch_logs(self, max_rows=1024,
 def remove_http_params_from(url, connect_args):
     # remove custom  http transport vars not req in phive 
     backend_name = url.get_backend_name()
-    http_params = ['principal','transport_mode','mutual_authentication','http_path','service','delegate','force_preemptive','hostname_override','sanitize_mutual_error_response','send_cbt']  
+    http_params = ['verify','scheme','principal','transport_mode','mutual_authentication','http_path','service','delegate','force_preemptive','hostname_override','sanitize_mutual_error_response','send_cbt']  
     if(backend_name == 'hive'):
         for param in http_params:
             if( param in connect_args ):
@@ -120,14 +126,32 @@ def get_http_thrift_transport(url , kwargs):
         send_cbt = get_prop_value('send_cbt',kwargs,True)     
         auth = get_prop_value('auth',kwargs,"NONE")       
 
-        client = THttpClientTransport("http://{}:{}/{}".format(host, port, http_path))
+        scheme = "http"
+        verify = "False"
+
+        # first update vars as per deployment file
+        if ENABLE_SSL_HIVE_CONNECTION:
+            scheme = "https"
+            verify = CA_CERT_FILE_PATH
+
+        # override verify and scheme  as per ui config if defined there
+        if get_prop_value('verify',kwargs, None):
+            verify = get_prop_value('verify',kwargs, None)  
+
+        if get_prop_value('scheme',kwargs,None):
+             scheme = get_prop_value('scheme',kwargs,None)
+
+        client = THttpClientTransport("{}://{}:{}/{}".format(scheme, host, port, http_path))
         if auth == 'KERBEROS':
             client.set_kerberos_auth(mutual_authentication,
             service, delegate, force_preemptive,
             principal, hostname_override,
             sanitize_mutual_error_response, send_cbt)
         else:  
-            client.set_basic_auth(username, password)  
+            client.set_basic_auth(username, password) 
+
+        if scheme == "https":
+            client.set_verify(verify)     
 
         return TBufferedTransport(client)
     else: