hive-dev mailing list archives

From "Lefty Leverenz (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-6486) Support secure Subject.doAs() in HiveServer2 JDBC client.
Date Mon, 10 Mar 2014 19:20:50 GMT

    [ https://issues.apache.org/jira/browse/HIVE-6486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13926072#comment-13926072
] 

Lefty Leverenz commented on HIVE-6486:
--------------------------------------

Okay, thanks for the doc debate.  I'll put this in a new subsection under JDBC Client Setup
for a Secure Cluster:

[HiveServer2 Clients |https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients]
* Beeline
* JDBC
** Connection URL for Remote or Embedded Mode
** Using JDBC
** JDBC Data Types
** JDBC Client Setup for a Secure Cluster
*** _Using Kerberos with a Pre-Authenticated Subject_ (subject to change)
* Python Client

And I'll add something about middleware (based on your comments & the jira description)
then once it's in place you can both take a look, tinker with the section name and text, add
material, move things around -- whatever it takes to improve the doc.

Should the Admin doc also link to this?  For example:

* [Setting Up HiveServer2:  Authentication/Security Configuration |https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Authentication/SecurityConfiguration]
** Configuration
** Impersonation
** Integrity/Confidentiality Protection
** _Passing Kerberos Subject Through the Middleware Server_ (brief statement with links to doc & jiras)

> Support secure Subject.doAs() in HiveServer2 JDBC client.
> ---------------------------------------------------------
>
>                 Key: HIVE-6486
>                 URL: https://issues.apache.org/jira/browse/HIVE-6486
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authentication, HiveServer2, JDBC
>    Affects Versions: 0.11.0, 0.12.0
>            Reporter: Shivaraju Gowda
>            Assignee: Shivaraju Gowda
>             Fix For: 0.13.0
>
>         Attachments: HIVE-6486.1.patch, HIVE-6486.2.patch, HIVE-6486.3.patch, Hive_011_Support-Subject_doAS.patch, TestHive_SujectDoAs.java
>
>
> HIVE-5155 addresses the problem of Kerberos authentication in a multi-user middleware server using a proxy user. In this mode the principal used by the middleware server has privileges to impersonate selected users in Hive/Hadoop.
> This enhancement is to support Subject.doAs() authentication in the Hive JDBC layer so that the end user's Kerberos Subject is passed through in the middleware server. With this improvement there won't be any additional setup in the server to grant proxy privileges to some users and there won't be a need to specify a proxy user in the JDBC client. This version should also be more secure since it won't require principals with the privileges to impersonate other users in the Hive/Hadoop setup.
>  



--
This message was sent by Atlassian JIRA
(v6.2#6252)
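
The pass-through described in the issue, sketched as an added example (not code from this message or from the HIVE-6486 patches): the middleware opens the JDBC connection inside `Subject.doAs()` with the end user's own Kerberos Subject, using the Hive JDBC URL parameter `kerberosAuthType=fromSubject`. The host, realm and JAAS entry name `EndUserLogin` are assumptions, and running it requires the Hive JDBC driver and a Kerberos-secured HiveServer2.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class SubjectDoAsExample {
    // Placeholder host and realm (assumptions). kerberosAuthType=fromSubject makes the
    // driver take Kerberos credentials from the Subject of the calling thread.
    static final String URL = "jdbc:hive2://hs2.example.com:10000/default;"
            + "principal=hive/hs2.example.com@EXAMPLE.COM;"
            + "auth=kerberos;kerberosAuthType=fromSubject";

    // Lists tables as the given end user. No proxy-user setting appears in the URL and
    // the middleware principal needs no impersonation rights on the server.
    static List<String> listTables(Subject endUser) throws Exception {
        return Subject.doAs(endUser, new PrivilegedExceptionAction<List<String>>() {
            @Override
            public List<String> run() throws Exception {
                List<String> tables = new ArrayList<>();
                try (Connection conn = DriverManager.getConnection(URL);
                     Statement stmt = conn.createStatement();
                     ResultSet rs = stmt.executeQuery("SHOW TABLES")) {
                    while (rs.next()) {
                        tables.add(rs.getString(1));
                    }
                }
                return tables;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Class.forName("org.apache.hive.jdbc.HiveDriver");
        // "EndUserLogin" is a hypothetical JAAS entry (Krb5LoginModule) supplied via
        // -Djava.security.auth.login.config; a real middleware holds one Subject per user.
        LoginContext login = new LoginContext("EndUserLogin");
        login.login();
        try {
            System.out.println(listTables(login.getSubject()));
        } finally {
            login.logout(); // discard the user's credentials when the session ends
        }
    }
}
```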
