hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thejas Nair" <the...@hortonworks.com>
Subject Re: Review Request 13845: HIVE-5155: Support secure proxy user access to HiveServer2
Date Wed, 08 Jan 2014 21:43:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review31384
-----------------------------------------------------------



beeline/src/java/org/apache/hive/beeline/BeeLine.java
<https://reviews.apache.org/r/13845/#comment59840>

    we should document what this option means, in the usage output, and that it is a hive
specific option.
    



conf/hive-default.xml.template
<https://reviews.apache.org/r/13845/#comment59858>

    should "altername" be "alternate" ?
    requestion => request
    



shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
<https://reviews.apache.org/r/13845/#comment59857>

    This would mean that to make a user a proxy user, you would need to make the user a proxy
user for all of hadoop. In general for security, it is useful to be able to give users only
what they need.
    
    Webhcat and oozie follow this model AFAIK. Granting a user proxy user privilege for these
services does not require you to make the user a proxy user for hadoop (HDFS, MR).
    


- Thejas Nair


On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2013, 8:08 p.m.)
> 
> 
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
> 
> 
> Bugs: HIVE-5155
>     https://issues.apache.org/jira/browse/HIVE-5155
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
> 
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
> 
> Note that the diff doesn't include thrift generated code.
> 
> 
> Diffs
> -----
> 
>   beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5 
>   beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3 
>   beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3 
>   beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa 
>   conf/hive-default.xml.template c61a0bb 
>   itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da 
>   jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b 
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573 
>   jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98 
>   service/if/TCLIService.thrift 62a9730 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f 
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c 
>   service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675 
>   service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386 
>   service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f 
>   service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874

>   service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6 
>   service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc 
>   service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752 
>   service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4

>   service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72 
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e 
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f

>   service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd 
>   service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800

>   shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84 
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
84f3ddc 
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
dc89de1 
>   shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c 
>   shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
03f4e51 
> 
> Diff: https://reviews.apache.org/r/13845/diff/
> 
> 
> Testing
> -------
> 
> Since this requires kerberos setup, its tested by a standalone test program that runs
various existing and new secure connection scenarios. The test code is attached to the ticket
at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message