hive-dev mailing list archives

From "dilli dorai" <dilli.do...@gmail.com>
Subject Review Request 19599: HiveServer2 secure thrift/http authentication needs to support SPNego
Date Tue, 25 Mar 2014 01:23:07 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19599/
-----------------------------------------------------------

Review request for hive, Ashutosh Chauhan, Thejas Nair, and Vaibhav Gumashta.


Bugs: HIVE-6697
    https://issues.apache.org/jira/browse/HIVE-6697


Repository: hive-git


Description
-------

See Jira for description
https://issues.apache.org/jira/browse/HIVE-6697


Diffs
-----

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java affcbb4 
  conf/hive-default.xml.template 3c3df43 
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 6e6a47d 
  service/src/java/org/apache/hive/service/cli/CLIService.java e31a74e 
  service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java cb01cfd 
  service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 255a165 
  shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 9aa555a 
  shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java d4cddda
  shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java ed951f1 

Diff: https://reviews.apache.org/r/19599/diff/


Testing
-------

## Verification of enhancement with Beeline/JDBC 

### Verified the following calls succeeded getting connection, and listing tables,
when valid spnego.principal and spnego.keytab are specified in hive-site.xml,
and the client has KINITed and has a valid kerberos ticket in cache


!connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver


!connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

### Verified the following call succeeded getting connection, and listing tables,
even if valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml,
as long as valid hive server2 kerberos principal and keytab are specified in hive-site.xml,
and the client has KINITed and has a valid kerberos ticket in cache

!connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

### Verified the following call failed getting connection,
when valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml

!connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

## Verification of enhancement with Apache Knox

Apache Knox was able to authenticate to hive server 2 as SPNego client using Apache HttpClient,
and list tables, when correct spnego.principal and spnego.keytab are specified in hive-site.xml

Apache Knox was not able to authenticate to hive server 2 as SPNego client using Apache HttpClient,
when valid spnego.principal or spnego.keytab is not specified in hive-site.xml

## Verification of enhancement with curl

### when valid spnego.principal and spnego.keytab are specified in hive-site.xml
and the client has KINITed and has a valid kerberos ticket in cache

curl -i --negotiate -u : http://hdps.example.com:10001/cliservice

SPNego authentication succeeded and got an HTTP status code 500,
since we did not send Thrift body content

### when valid spnego.principal and spnego.keytab are specified in hive-site.xml
and the client has not KINITed and does not have a valid kerberos ticket in cache

curl -i --negotiate -u : http://hdps.example.com:10001/cliservice

curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: application/x-thrift;charset=ISO-8859-1
Content-Length: 69
Server: Jetty(7.6.0.v20120127)

Authentication Error: java.lang.reflect.UndeclaredThrowableException


Thanks,

dilli dorai
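
Added example, not part of the original e-mail or the Hive patch: a POSIX shell helper that classifies a saved `curl -i --negotiate` transcript like the ones in the curl tests above. The function names and verdict strings are this example's own, the second sample transcript is constructed, and it assumes curl prints the initial 401 challenge before the final response.

```shell
#!/bin/sh
# Added example: classify a saved `curl -i --negotiate -u : URL` transcript.
# Verdict strings are this example's own, not Hive or curl terminology.

classify_spnego() {
  awk '
    { sub(/\r$/, "") }                        # curl -i keeps CRLF line endings
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ {        # status line: a new response starts
      status = $2 + 0; offered = 0; in_headers = 1
      if (status == 401) challenged = 1
      next
    }
    in_headers && $0 == "" { in_headers = 0; next }   # blank line ends the headers
    in_headers && tolower($0) ~ /^www-authenticate:[ \t]*negotiate/ { offered = 1 }
    END {
      if (!status)                        print "no-http-response"
      else if (status == 401 && offered)  print "negotiate-failed status=401"
      else if (status == 401)             print "negotiate-not-offered status=401"
      else if (challenged)                print "spnego-accepted status=" status
      else                                print "no-challenge status=" status
    }'
}

# Response quoted in the e-mail: client has no Kerberos ticket in its cache.
sample_no_ticket() {
  printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' 'WWW-Authenticate: Negotiate' \
    'Content-Type: application/x-thrift;charset=ISO-8859-1' 'Content-Length: 69' \
    'Server: Jetty(7.6.0.v20120127)' '' \
    'Authentication Error: java.lang.reflect.UndeclaredThrowableException'
}

# Constructed transcript (not captured from a server): the challenge, then the
# HTTP 500 the e-mail reports once SPNEGO succeeds without a Thrift body.
sample_with_ticket() {
  printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' 'WWW-Authenticate: Negotiate' '' \
    'HTTP/1.1 500 Server Error' 'Content-Length: 0' ''
}

sample_no_ticket   | classify_spnego   # negotiate-failed status=401
sample_with_ticket | classify_spnego   # spnego-accepted status=500
```

A `negotiate-failed` verdict does not say which side is at fault: a client without a ticket and a server without a usable SPNEGO principal or keytab both end at the 401. A `no-challenge` verdict means the endpoint answered without asking for authentication at all.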

