hive-dev mailing list archives

From Larry McCay <lmc...@hortonworks.com>
Subject Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client
Date Tue, 04 Mar 2014 20:05:32 GMT
Hi Shiv - I believe that the auth mechanism in play is still considered
kerberos in this case. It is just based on a preauthenticated subject
rather than a UGI. In the end - it is kerberos.


On Tue, Mar 4, 2014 at 2:34 PM, Shivaraju Gowda <shivshi@cisco.com> wrote:

>
>
> > On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
> > > service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 68
> > > <https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68>
> > >
> > >     Can you push this to
> > >     HadoopThriftAuthBridge.Client#createClientTransport just like the way the
> > >     else portion does instead of the createSubjectAssumedTransport method? From
> > >     within the method you can return the TSubjectAssumingTransport.
> >
> > Shivaraju Gowda wrote:
> >     Again this was in my first cut. I was passing the value as
> >     "tokenStrForm" parameter to keep the method signature same. I later moved
> >     away from it since it was not elegant and changing the method signature
> >     involved broader implications. I felt this functionality didn't belong in
> >     Hadoop shim layer. Having the change in there also meant one more jar
> >     getting affected (hive-exec.jar)
> >
> >
> > Shivaraju Gowda wrote:
> >     Another issue was the dependency on hadoop.core.jar. The calls
> >     AuthMethod.valueOf(AuthMethod.class, methodStr) and
> >     SaslRpcServer.splitKerberosName(serverPrincipal) in
> >     HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar
> >
> > Vaibhav Gumashta wrote:
> >     Actually in case of a kerberos setting, those jars are already
> >     required in the client's classpath (
> >     https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster-
> >     check "Running the JDBC Sample Code" section). And this jira is
> >     applicable only to a kerberos setup.
>
> Correct. But my point is we don't have to have that dependency on external
> Hadoop component for using kerberos in this way.
>
>
> > On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
> > > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
> > > <https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136>
> > >
> > >     I think, instead of having to do identityContext equals
> > >     "fromKerberosSubject", we can just use assumeSubject equals true/false,
> > >     keeping the default to false.
> >
> > Shivaraju Gowda wrote:
> >     Passing it as "assumeSubject" boolean url property was my first cut.
> >     However I thought "assumeSubject" itself doesn't convey the message for its
> >     intended use in and of itself (need to refer to the documentation) and
> >     making it key-value pair might give it some more meaning and there is also
> >     a possibility of it being later used for other use cases (say
> >     hypothetically the value can be fromKeyTab, fromTicketCache or fromLogin
> >     etc.).
> >
> > Shivaraju Gowda wrote:
> >     Do you think it might be better if we use auth property here, i.e.
> >     auth=fromKerberosSubject. Right now the only values for auth=noSasl.
> >
> > Vaibhav Gumashta wrote:
> >     auth property is kind of meant to map to the hiveserver2 auth modes
> >     [none, sasl, nosasl, kerberos]. The way it is used currently is not very
> >     clean and there are some jiras out there to clean that up and make the
> >     mapping more evident.
>
> OK, I look at this feature as an "authentication" mechanism. We are
> authenticating using the KerberosSubject passed by the user.
>
>
> - Shivaraju
>
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18464/#review35730
> -----------------------------------------------------------
>
>
> On Feb. 25, 2014, 6:50 a.m., Kevin Minder wrote:
> >
> > -----------------------------------------------------------
> > This is an automatically generated e-mail. To reply, visit:
> > https://reviews.apache.org/r/18464/
> > -----------------------------------------------------------
> >
> > (Updated Feb. 25, 2014, 6:50 a.m.)
> >
> >
> > Review request for hive, Kevin Minder and Vaibhav Gumashta.
> >
> >
> > Bugs: HIVE-6486
> >     https://issues.apache.org/jira/browse/HIVE-6486
> >
> >
> > Repository: hive-git
> >
> >
> > Description
> > -------
> >
> > Support secure Subject.doAs() in HiveServer2 JDBC client
> >
> >
> > Diffs
> > -----
> >
> >   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 17b4d39
> >   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb
> >   service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java PRE-CREATION
> >
> > Diff: https://reviews.apache.org/r/18464/diff/
> >
> >
> > Testing
> > -------
> >
> > Manual testing
> >
> >
> > Thanks,
> >
> > Kevin Minder
> >
> >
>
>
