hive-dev mailing list archives

From "Shivaraju Gowda" <shiv...@cisco.com>
Subject Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client
Date Tue, 04 Mar 2014 19:34:22 GMT


> On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
> > service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 68
> > <https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68>
> >
> >     Can you push this to HadoopThriftAuthBridge.Client#createClientTransport just like the way the else portion does instead of the createSubjectAssumedTransport method? From within the method you can return the TSubjectAssumingTransport.
> 
> Shivaraju Gowda wrote:
>     Again, this was in my first cut. I was passing the value as the "tokenStrForm" parameter to keep the method signature the same. I later moved away from it since it was not elegant and changing the method signature involved broader implications. I felt this functionality didn't belong in the Hadoop shim layer. Having the change in there also meant one more jar getting affected (hive-exec.jar).
>
> 
> Shivaraju Gowda wrote:
>     Another issue was the dependency on hadoop.core.jar. The calls AuthMethod.valueOf(AuthMethod.class, methodStr) and SaslRpcServer.splitKerberosName(serverPrincipal) in HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar.
> 
> Vaibhav Gumashta wrote:
>     Actually, in case of a kerberos setting, those jars are already required in the client's classpath (https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster - check "Running the JDBC Sample Code" section). And this jira is applicable only to a kerberos setup.

Correct. But my point is we don't have to have that dependency on an external Hadoop component
for using kerberos in this way.


> On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
> > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
> > <https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136>
> >
> >     I think, instead of having to do identityContext equals "fromKerberosSubject", we can just use assumeSubject equals true/false, keeping the default to false.
> 
> Shivaraju Gowda wrote:
>     Passing it as an "assumeSubject" boolean url property was my first cut. However, I thought "assumeSubject" itself doesn't convey the message for its intended use in and of itself (need to refer to the documentation) and making it a key-value pair might give it some more meaning, and there is also a possibility of it being later used for other use cases (say hypothetically the value can be fromKeyTab, fromTicketCache or fromLogin etc.).
> 
> Shivaraju Gowda wrote:
>     Do you think it might be better if we use the auth property here, i.e. auth=fromKerberosSubject? Right now the only value for auth is noSasl.
> 
> Vaibhav Gumashta wrote:
>     auth property is kind of meant to map to the hiveserver2 auth modes [none, sasl, nosasl, kerberos]. The way it is used currently is not very clean and there are some jiras out there to clean that up and make the mapping more evident.

OK, I look at this feature as an "authentication" mechanism. We are authenticating using the
KerberosSubject passed by the user.


- Shivaraju


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18464/#review35730
-----------------------------------------------------------


On Feb. 25, 2014, 6:50 a.m., Kevin Minder wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18464/
> -----------------------------------------------------------
> 
> (Updated Feb. 25, 2014, 6:50 a.m.)
> 
> 
> Review request for hive, Kevin Minder and Vaibhav Gumashta.
> 
> 
> Bugs: HIVE-6486
>     https://issues.apache.org/jira/browse/HIVE-6486
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> Support secure Subject.doAs() in HiveServer2 JDBC client
> 
> 
> Diffs
> -----
> 
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 17b4d39 
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb 
>   service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java PRE-CREATION
> 
> Diff: https://reviews.apache.org/r/18464/diff/
> 
> 
> Testing
> -------
> 
> Manual testing
> 
> 
> Thanks,
> 
> Kevin Minder
> 
>

