ambari-user mailing list archives

From Steve Howard <stevedhow...@gmail.com>
Subject Re: LDAP authentication in 2.1.0 with hive.server2.authentication.ldap.baseDN
Date Thu, 17 Sep 2015 19:45:19 GMT
We found this, which is a direct hit for the issue...

https://issues.apache.org/jira/browse/AMBARI-12997

We will work this with Hortonworks.

Thanks,

Steve

On Thu, Sep 17, 2015 at 11:18 AM, Steve Howard <stevedhoward@gmail.com>
wrote:

> Ambari 2.1.0 requires a value for the
> hive.server2.authentication.ldap.baseDN property. This breaks AD
> authentication in hive, as "uid=whatever,OU=Users,DC=domain,DC=com" is not
> a usable string for authentication in AD.
>
> The code path in
> org.apache.hive.service.auth.LdapAuthenticationProviderImpl hardcodes
> "uid=$username" + baseDN. This does not work in AD. We want to simply
> authenticate using the LDAP plugin with username@domain. We ended up
> changing the org.apache.hive.service.auth.LdapAuthenticationProviderImpl to
> allow this to happen. The real fix is to not require the property to have a
> value in Ambari, as hive even has an if property is null conditional check.
> As such, by definition the hive software doesn't require it so we are
> curious as to why Ambari does?
>
> We are currently working with the fix below to
> org.apache.hive.service.auth.LdapAuthenticationProviderImpl...
>
> String bindDN;
> if (this.baseDN == null) {
>   bindDN = user;
> } else {
>   //bindDN = "uid=" + user + "," + this.baseDN;
>   bindDN = user;
> }
>
> ...but think Ambari should remove the requirement so we can use the out of
> the box hive class.
>
> Are we missing something?
>
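
An added example, not part of the original message and not Hive's or Ambari's own code: one way to build the bind name so that a mandatory baseDN and AD-style user@domain logins can coexist. The class name, the `adDomain` parameter and the sample values are hypothetical; the `uid=` form is the one quoted above, with the user name escaped through the JDK's `Rdn.escapeValue` so characters such as `,` or `+` cannot change the DN.

```java
import javax.naming.ldap.Rdn;

public class BindNameExample {

    /**
     * Choose the name to bind with.
     *  - user already in user@domain form: pass through unchanged (AD accepts a UPN)
     *  - adDomain configured (hypothetical setting): append it to form a UPN
     *  - baseDN configured: build "uid=<escaped user>,<baseDN>"
     *  - nothing configured: bind with the name as typed
     */
    static String bindName(String user, String baseDN, String adDomain) {
        if (user == null || user.trim().isEmpty()) {
            throw new IllegalArgumentException("user name must not be empty");
        }
        if (user.indexOf('@') >= 0) {
            return user;
        }
        if (adDomain != null && !adDomain.isEmpty()) {
            return user + "@" + adDomain;
        }
        if (baseDN != null && !baseDN.isEmpty()) {
            // RFC 4514 escaping keeps the user-supplied value inside a single RDN.
            return "uid=" + Rdn.escapeValue(user) + "," + baseDN;
        }
        return user;
    }

    public static void main(String[] args) {
        String baseDN = "OU=Users,DC=domain,DC=com"; // value from the message above

        // Constructed sample inputs: {user, baseDN, adDomain}
        String[][] cases = {
            {"whatever", baseDN, null},               // DN form
            {"whatever@domain.com", baseDN, null},    // UPN passes through despite baseDN
            {"whatever", baseDN, "domain.com"},       // UPN built from configured domain
            {"whatever", null, null},                 // no configuration: name as typed
            {"a,OU=Admins", baseDN, null},            // comma is escaped, DN structure intact
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " -> " + bindName(c[0], c[1], c[2]));
        }
    }
}
```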
