hive-dev mailing list archives

From "Mikhail Antonov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-4707) Support configurable domain name for HiveServer2 LDAP authentication using Active Directory
Date Sat, 24 Aug 2013 04:52:51 GMT

    [ https://issues.apache.org/jira/browse/HIVE-4707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13749308#comment-13749308 ]

Mikhail Antonov commented on HIVE-4707:
---------------------------------------

There's an email thread regarding LDAP auth for OpenLDAP.

http://osdir.com/ml/general/2013-08/msg42378.html

Essentially, if baseDN isn't set, then the bind string is formed as follows:

    // Set up the security principal used for the LDAP simple bind.
    // When the baseDN setting is present, the user is assumed to be the uid
    // attribute directly under it; otherwise the raw user string is bound as-is
    // (which is what lets AD-style user@domain logins work without a baseDN).
    String bindDN;
    if (baseDN != null) {
        bindDN = "uid=" + user + "," + baseDN;
    } else {
        bindDN = user;
    }

There should be some configuration allowing people to customize this bind string, for example
to use cn= instead of uid=.

Can provide a patch if wanted.
                
> Support configurable domain name for HiveServer2 LDAP authentication using Active Directory
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-4707
>                 URL: https://issues.apache.org/jira/browse/HIVE-4707
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 0.11.0
>            Reporter: Prasad Mujumdar
>            Assignee: Prasad Mujumdar
>             Fix For: 0.12.0
>
>         Attachments: HIVE-4707-1.patch
>
>
> LDAP providers like Active Directory use a fully qualified user name in user@domain format.
> For HiveServer2, LDAP auth can be used with Active Directory by passing the userid in that
> format. This causes the Hive authentication module to return the username in that mangled format.
> This prevents LDAP users from being impersonated over secure Hadoop or reported correctly in audit
> etc.
> HiveServer2 should support a configurable LDAP domain that is appended to the user name.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
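As an added example (not Hive's code and not the patch attached to the issue), here is one shape the requested settings could take: a bind-name builder that takes either a configurable DN pattern (so cn= versus uid= is the administrator's choice) or an Active Directory domain to append as user@domain, escapes the user-supplied value per RFC 4514 so a login name cannot splice extra RDN components into the bind DN, and strips the domain again to get the short name handed to impersonation and audit. The class name, the two settings and the "%s" placeholder are hypothetical.

```java
// Added example, not Hive's code: a bind-name builder for the settings this thread asks for.
public final class BindNameBuilder {
    private final String dnPattern; // hypothetical: e.g. "cn=%s,ou=people,dc=example,dc=com" or null
    private final String domain;    // hypothetical: AD domain to append as user@domain, or null

    public BindNameBuilder(String dnPattern, String domain) {
        this.dnPattern = dnPattern;
        this.domain = domain;
    }

    // Escape a value for use inside an RDN (RFC 4514): "bob,ou=admins" must not become two RDNs.
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edge = (i == 0 || i == v.length() - 1);
            if ("\\,+\"<>;=".indexOf(c) >= 0 || (c == '#' && i == 0) || (c == ' ' && edge)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Name handed to the LDAP bind: pattern with the escaped user, else user@domain, else raw user.
    public String bindName(String user) {
        if (dnPattern != null) {
            return dnPattern.replace("%s", escapeRdnValue(user));
        }
        if (domain != null && user.indexOf('@') < 0) {
            return user + "@" + domain;
        }
        return user; // current HiveServer2 behaviour when no baseDN is set
    }

    // Short name to report to Hadoop impersonation and audit, with any domain suffix removed.
    public static String shortName(String user) {
        int at = user.indexOf('@');
        return at < 0 ? user : user.substring(0, at);
    }

    public static void main(String[] args) {
        BindNameBuilder ldap = new BindNameBuilder("cn=%s,ou=people,dc=example,dc=com", null);
        System.out.println(ldap.bindName("alice"));          // constructed sample login
        System.out.println(ldap.bindName("bob,ou=admins"));  // comma is escaped, not a new RDN
        BindNameBuilder ad = new BindNameBuilder(null, "EXAMPLE.COM");
        System.out.println(ad.bindName("alice") + " -> " + shortName(ad.bindName("alice")));
    }
}
```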
