hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Devaraj Das (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HIVE-1696) Add delegation token support to metastore
Date Thu, 13 Jan 2011 08:23:47 GMT

     [ https://issues.apache.org/jira/browse/HIVE-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Devaraj Das updated HIVE-1696:
------------------------------

    Attachment: hive-1696-4.patch

I renamed the "principal" to "kerberos_principal" in the thrift calls introduced by this patch.
Also this patch has only one getTokenStrForm method in the shim (the implementation of the
method already handles what the other method was handling), and i put a detailed javadoc on
that.  This patch is without the gen'ed code. Once I get a go-ahead on this patch, I will
submit a patch with the gen'ed code. Could this patch be quickly looked at please?

> Add delegation token support to metastore
> -----------------------------------------
>
>                 Key: HIVE-1696
>                 URL: https://issues.apache.org/jira/browse/HIVE-1696
>             Project: Hive
>          Issue Type: Sub-task
>          Components: Metastore, Security, Server Infrastructure
>            Reporter: Todd Lipcon
>            Assignee: Devaraj Das
>             Fix For: 0.7.0
>
>         Attachments: hive-1696-1-with-gen-code.patch, hive-1696-1.patch, hive-1696-3-with-gen-code.patch,
hive-1696-3.patch, hive-1696-4.patch, hive_1696.patch, hive_1696.patch, hive_1696_no-thrift.patch
>
>
> As discussed in HIVE-842, kerberos authentication is only sufficient for authentication
of a hive user client to the metastore. There are other cases where thrift calls need to be
authenticated when the caller is running in an environment without kerberos credentials. For
example, an MR task running as part of a hive job may want to report statistics to the metastore,
or a job may be running within the context of Oozie or Hive Server.
> This JIRA is to implement support of delegation tokens for the metastore. The concept
of a delegation token is borrowed from the Hadoop security design - the quick summary is that
a kerberos-authenticated client may retrieve a binary token from the server. This token can
then be passed to other clients which can use it to achieve authentication as the original
user in lieu of a kerberos ticket.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message