hive-dev mailing list archives

From "Thejas Nair" <the...@hortonworks.com>
Subject Re: Review Request 19599: HiveServer2 secure thrift/http authentication needs to support SPNego
Date Wed, 26 Mar 2014 01:46:03 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19599/#review38572
-----------------------------------------------------------



conf/hive-default.xml.template
<https://reviews.apache.org/r/19599/#comment70846>

    Can you make the description a little more elaborate? Something like -
    "SPNego service principal that would be used by hiveserver2 when kerberos security is
    enabled and HTTP transport mode is used. It needs to be set only if SPNEGO is to be used in
    authentication. Typical value would look like HTTP/_HOST@EXAMPLE.COM"
    



conf/hive-default.xml.template
<https://reviews.apache.org/r/19599/#comment70847>

    Can you also make this a little more descriptive like suggested for previous param?
    


- Thejas Nair


On March 26, 2014, 1:18 a.m., dilli dorai wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/19599/
> -----------------------------------------------------------
> 
> (Updated March 26, 2014, 1:18 a.m.)
> 
> 
> Review request for hive, Ashutosh Chauhan, Thejas Nair, and Vaibhav Gumashta.
> 
> 
> Bugs: HIVE-6697
>     https://issues.apache.org/jira/browse/HIVE-6697
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> See Jira for description
> https://issues.apache.org/jira/browse/HIVE-6697
> 
> 
> Diffs
> -----
> 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java affcbb4 
>   conf/hive-default.xml.template 3c3df43 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 6e6a47d 
>   service/src/java/org/apache/hive/service/cli/CLIService.java e31a74e 
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java cb01cfd
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 255a165
>   shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 9aa555a
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java d4cddda
>   shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java ed951f1
> 
> Diff: https://reviews.apache.org/r/19599/diff/
> 
> 
> Testing
> -------
> 
> ## Verification of enhancement with Beeline/JDBC 
> 
> ### Verified the following calls succeeded getting connection, and listing tables,
> when valid spnego.principal and spnego.keytab are specified in hive-site.xml,
> and the client has KINITed and has a valid kerberos ticket in cache
> 
> 
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
> 
> 
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
> 
> ### Verified the following call succeeded getting connection, and listing tables,
> even if valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml,
> as long as valid hive server2 kerberos principal and keytab are specified in hive-site.xml,
> and the client has KINITed and has a valid kerberos ticket in cache
> 
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
> 
> ### Verified the following call failed getting connection,
> when valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml
> 
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
> 
> ## Verification of enhancement with Apache Knox
> 
> Apache Knox was able to authenticate to hive server 2 as SPNego client using Apache HttpClient,
> and list tables, when correct spnego.principal and spnego.keytab are specified in hive-site.xml
> 
> Apache Knox was not able to authenticate to hive server 2 as SPNego client using Apache HttpClient,
> when valid spnego.principal or spnego.keytab is not specified in hive-site.xml
> 
> ## Verification of enhancement with curl
> 
> ### when valid spnego.principal and spnego.keytab are specified in hive-site.xml
> and the client has KINITed and has a valid kerberos ticket in cache
> 
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> 
> SPNego authentication succeeded and got a HTTP status code 500,
> since we did not send Thrift body content
> 
> ### when valid spnego.principal and spnego.keytab are specified in hive-site.xml
> and the client has not KINITed and does not have a valid kerberos ticket in cache
> 
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> 
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Negotiate
> Content-Type: application/x-thrift;charset=ISO-8859-1
> Content-Length: 69
> Server: Jetty(7.6.0.v20120127)
> 
> Authentication Error: java.lang.reflect.UndeclaredThrowableException
> 
> 
> Thanks,
> 
> dilli dorai
> 
>
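
An added example, not part of the original message or of the Hive patch: a shell helper that turns the `curl -i` output from the checks quoted above into a one-word verdict. The function name and verdict strings are hypothetical; the first sample is the 401 response quoted in the message, the second is constructed and assumes curl prints both responses of the Negotiate exchange.

```shell
#!/bin/sh
# Added example: classify `curl -i` output from the SPNEGO checks above.
# classify_spnego_response and its verdict strings are hypothetical names.
classify_spnego_response() {
  # Strip CRs (HTTP uses CRLF), then walk the response(s) line by line.
  tr -d '\r' | awk '
    # Each status line starts a new response; keep only the latest status.
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2; nego_here = 0; next }
    # Header names are case-insensitive; a token may follow the scheme.
    tolower($0) ~ /^www-authenticate:[ \t]*negotiate([ \t]|$)/ {
      nego_here = 1; nego_seen = 1
    }
    END {
      if (status == "")                         print "no-response"
      else if (status + 0 == 401 && nego_here)  print "challenge"
      else if (status + 0 == 401)               print "no-negotiate"
      else if (nego_seen)                       print "authenticated"
      else                                      print "unprotected"
    }'
}

# Response quoted in the message above (client without a Kerberos ticket).
SAMPLE_NO_TICKET='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: application/x-thrift;charset=ISO-8859-1
Content-Length: 69
Server: Jetty(7.6.0.v20120127)

Authentication Error: java.lang.reflect.UndeclaredThrowableException'

# Constructed sample: challenge, then the 500 the message reports once SPNEGO
# succeeds and no Thrift body is sent (assumes curl prints both responses).
SAMPLE_WITH_TICKET='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate

HTTP/1.1 500 Server Error
Content-Length: 0'

printf '%s\n' "$SAMPLE_NO_TICKET"   | classify_spnego_response   # challenge
printf '%s\n' "$SAMPLE_WITH_TICKET" | classify_spnego_response   # authenticated
# Live use: curl -si --negotiate -u : http://hdps.example.com:10001/cliservice | classify_spnego_response
```

A `no-negotiate` or `unprotected` verdict for a plain `curl -i` request means the endpoint is not issuing the SPNEGO challenge that the checks above expect.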

