hadoop-hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HIVE-1696) Add delegation token support to metastore
Date Wed, 06 Oct 2010 18:18:31 GMT

    [ https://issues.apache.org/jira/browse/HIVE-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918615#action_12918615
] 

Todd Lipcon commented on HIVE-1696:
-----------------------------------

A few of us had a phone call this morning. We briefly discussed a design for this, summarized
below:

- The metastore should make use of the delegation token facilities in Hadoop Common. The classes
in Common are already generic since they're used by both MR and HDFS for their delegation
token types.
- The metastore needs to keep track of active delegation tokens across restarts - it probably
makes sense to use the existing DB backing store for this.
- The metastore thrift API will need a new call, something like: {{binary getDelegationToken(1:
string renewer)}} which returns the opaque token.
- We'll need to make some changes to HadoopThriftAuthBridge from HIVE-842 in order to support
using a delegation token over SASL.

In terms of the use cases above, here are some thoughts on how the delegation tokens will
be used:

h3. MR tasks reporting statistics

When a hive job is submitted, it will first obtain a DT from the hive metastore. This DT will
be passed with the job, either as a private distributedcache file, or maybe base64-encoded
in the jobconf itself. The MR tasks themselves will then load the token into the UGI before
making calls. This is basically the pattern that normal hadoop MR jobs use to access HDFS
from within a task.

h3. Oozie or Hive Server jobs

Before Oozie or Hive Server forks the child process which actually runs the job, it will need
to obtain a delegation token from the metastore on behalf of the user running the job. It
will then provide this to the child process using an environment variable or configuration
property. In this case, Oozie or the Hive Server needs to be configured as a "proxy superuser"
on the metastore - ie the oozie/_HOST or hiveserver/_HOST principal is allowed to impersonate
other users in order to grab delegation tokens for them.

> Add delegation token support to metastore
> -----------------------------------------
>
>                 Key: HIVE-1696
>                 URL: https://issues.apache.org/jira/browse/HIVE-1696
>             Project: Hadoop Hive
>          Issue Type: Sub-task
>          Components: Metastore
>            Reporter: Todd Lipcon
>
> As discussed in HIVE-842, kerberos authentication is only sufficient for authentication
of a hive user client to the metastore. There are other cases where thrift calls need to be
authenticated when the caller is running in an environment without kerberos credentials. For
example, an MR task running as part of a hive job may want to report statistics to the metastore,
or a job may be running within the context of Oozie or Hive Server.
> This JIRA is to implement support of delegation tokens for the metastore. The concept
of a delegation token is borrowed from the Hadoop security design - the quick summary is that
a kerberos-authenticated client may retrieve a binary token from the server. This token can
then be passed to other clients which can use it to achieve authentication as the original
user in lieu of a kerberos ticket.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message