ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Howard <stevedhow...@gmail.com>
Subject LDAP authentication in 2.1.0 with hive.server2.authentication.ldap.baseDN
Date Thu, 17 Sep 2015 15:18:24 GMT
Ambari 2.1.0 requires a value for the
hive.server2.authentication.ldap.baseDN property. This breaks AD
authentication in hive, as "uid=whatever,OU=Users,DC=domain,DC=com" is not
a usable string for authentication in AD.

The code path in
org.apache.hive.service.auth.LdapAuthenticationProviderImpl hardcodes
"uid=$username" + baseDN. This does not work in AD. We want to simply
authenticate using the LDAP plugin with username@domain. We ended up
changing the org.apache.hive.service.auth.LdapAuthenticationProviderImpl to
allow this to happen. The real fix is to not require the property to have a
value in Ambari, as hive even has an if property is null conditional check.
As such, by definition the hive software doesn't require it so we are
curious as to why Ambari does?

We are currently working with the fix below to
org.apache.hive.service.auth.LdapAuthenticationProviderImpl...

String bindDN;
if (this.baseDN == null) {
  bindDN = user;
} else {
  //bindDN = "uid=" + user + "," + this.baseDN;
  bindDN = user;
}

...but think Ambari should remove the requirement so we can use the out of
the box hive class.

Are we missing something?

Mime
View raw message