Return-Path: X-Original-To: apmail-hive-dev-archive@www.apache.org Delivered-To: apmail-hive-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 44C0610699 for ; Wed, 22 Jan 2014 18:23:27 +0000 (UTC) Received: (qmail 5479 invoked by uid 500); 22 Jan 2014 18:23:24 -0000 Delivered-To: apmail-hive-dev-archive@hive.apache.org Received: (qmail 5391 invoked by uid 500); 22 Jan 2014 18:23:23 -0000 Mailing-List: contact dev-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hive.apache.org Delivered-To: mailing list dev@hive.apache.org Received: (qmail 5375 invoked by uid 500); 22 Jan 2014 18:23:22 -0000 Delivered-To: apmail-hadoop-hive-dev@hadoop.apache.org Received: (qmail 5370 invoked by uid 99); 22 Jan 2014 18:23:22 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Jan 2014 18:23:22 +0000 Date: Wed, 22 Jan 2014 18:23:22 +0000 (UTC) From: "Owen O'Malley (JIRA)" To: hive-dev@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HIVE-5155) Support secure proxy user access to HiveServer2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HIVE-5155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13878955#comment-13878955 ] Owen O'Malley commented on HIVE-5155: ------------------------------------- Since this patch is adding proxy users for HiveServer2, it really should include the same ability to limit the authority of the proxy users that the other Hadoop tools have. To make it consistent with Hadoop, the configuration would look like: {code} hive.server2.proxyuser.HS.hosts host1,host2 hive.server2.proxyuser.HS.groups group1,group2 {code} which configures HS as a hive server2 proxy user and limits it to working on a specified set of hosts (or * for all) and impersonating a specified group of users (or * for all). > Support secure proxy user access to HiveServer2 > ----------------------------------------------- > > Key: HIVE-5155 > URL: https://issues.apache.org/jira/browse/HIVE-5155 > Project: Hive > Issue Type: Improvement > Components: Authentication, HiveServer2, JDBC > Affects Versions: 0.12.0 > Reporter: Prasad Mujumdar > Assignee: Prasad Mujumdar > Attachments: HIVE-5155-1-nothrift.patch, HIVE-5155-noThrift.2.patch, HIVE-5155-noThrift.4.patch, HIVE-5155-noThrift.5.patch, HIVE-5155-noThrift.6.patch, HIVE-5155.1.patch, HIVE-5155.2.patch, HIVE-5155.3.patch, ProxyAuth.java, ProxyAuth.out, TestKERBEROS_Hive_JDBC.java > > > The HiveServer2 can authenticate a client using via Kerberos and impersonate the connecting user with underlying secure hadoop. This becomes a gateway for a remote client to access secure hadoop cluster. Now this works fine for when the client obtains Kerberos ticket and directly connects to HiveServer2. There's another big use case for middleware tools where the end user wants to access Hive via another server. For example Oozie action or Hue submitting queries or a BI tool server accessing to HiveServer2. In these cases, the third party server doesn't have end user's Kerberos credentials and hence it can't submit queries to HiveServer2 on behalf of the end user. > This ticket is for enabling proxy access to HiveServer2 for third party tools on behalf of end users. There are two parts of the solution proposed in this ticket: > 1) Delegation token based connection for Oozie (OOZIE-1457) > This is the common mechanism for Hadoop ecosystem components. Hive Remote Metastore and HCatalog already support this. This is suitable for tool like Oozie that submits the MR jobs as actions on behalf of its client. Oozie already uses similar mechanism for Metastore/HCatalog access. > 2) Direct proxy access for privileged hadoop users > The delegation token implementation can be a challenge for non-hadoop (especially non-java) components. This second part enables a privileged user to directly specify an alternate session user during the connection. If the connecting user has hadoop level privilege to impersonate the requested userid, then HiveServer2 will run the session as that requested user. For example, user Hue is allowed to impersonate user Bob (via core-site.xml proxy user configuration). Then user Hue can connect to HiveServer2 and specify Bob as session user via a session property. HiveServer2 will verify Hue's proxy user privilege and then impersonate user Bob instead of Hue. This will enable any third party tool to impersonate alternate userid without having to implement delegation token connection. -- This message was sent by Atlassian JIRA (v6.1.5#6160)