Subject: Re: Review Request 19599: HiveServer2 secure thrift/http authentication needs to support SPNego
From: "Thejas Nair"
To: "Vaibhav Gumashta", "Ashutosh Chauhan", "Thejas Nair"
Cc: "dilli dorai", "hive"
Date: Wed, 26 Mar 2014 01:46:03 -0000

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19599/#review38572
-----------------------------------------------------------

conf/hive-default.xml.template

Can you make the description a little more elaborate? Something like - "SPNego service principal that would be used by hiveserver2 when kerberos security is enabled and HTTP transport mode is used. It needs to be set only if SPNEGO is to be used in authentication. Typical value would look like HTTP/_HOST@EXAMPLE.COM"

conf/hive-default.xml.template

Can you also make this a little more descriptive like suggested for previous param?

- Thejas Nair


On March 26, 2014, 1:18 a.m., dilli dorai wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/19599/
> -----------------------------------------------------------
>
> (Updated March 26, 2014, 1:18 a.m.)
>
>
> Review request for hive, Ashutosh Chauhan, Thejas Nair, and Vaibhav Gumashta.
>
>
> Bugs: HIVE-6697
>     https://issues.apache.org/jira/browse/HIVE-6697
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> See Jira for description
> https://issues.apache.org/jira/browse/HIVE-6697
>
>
> Diffs
> -----
>
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java affcbb4
>   conf/hive-default.xml.template 3c3df43
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 6e6a47d
>   service/src/java/org/apache/hive/service/cli/CLIService.java e31a74e
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java cb01cfd
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 255a165
>   shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 9aa555a
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java d4cddda
>   shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java ed951f1
>
> Diff: https://reviews.apache.org/r/19599/diff/
>
>
> Testing
> -------
>
> ## Verification of enhancement with Beeline/JDBC
>
> ### Verified the following calls succeeded getting connection, and listing tables,
> when valid spnego.principal and spnego.keytab are specified in hive-site.xml,
> and the client has KINITed and has a valid kerberos ticket in cache
>
>
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
>
>
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
>
> ### Verified the following call succeeded getting connection, and listing tables,
> even if valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml,
> as long as valid hive server2 kerberos principal and keytab are specified in hive-site.xml,
> and the client has KINITed and has a valid kerberos ticket in cache
>
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
>
> ### Verified the following call failed getting connection,
> when valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml
>
> !connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver
>
> ## Verification of enhancement with Apache Knox
>
> Apache Knox was able to authenticate to hive server 2 as SPNego client using Apache HttpClient,
> and list tables, when correct spnego.principal and spnego.keytab are specified in hive-site.xml
>
> Apache Knox was not able to authenticate to hive server 2 as SPNego client using Apache HttpClient,
> when valid spnego.principal or spnego.keytab is not specified in hive-site.xml
>
> ## Verification of enhancement with curl
>
> ### when valid spnego.principal and spnego.keytab are specified in hive-site.xml
> and the client has KINITed and has a valid kerberos ticket in cache
>
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
>
> SPNego authentication succeeded and got a HTTP status code 500,
> since we did not send Thrift body content
>
> ### when valid spnego.principal and spnego.keytab are specified in hive-site.xml
> and the client has not KINITed and does not have a valid kerberos ticket in cache
>
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
>
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Negotiate
> Content-Type: application/x-thrift;charset=ISO-8859-1
> Content-Length: 69
> Server: Jetty(7.6.0.v20120127)
>
> Authentication Error: java.lang.reflect.UndeclaredThrowableException
>
>
> Thanks,
>
> dilli dorai
>
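
The curl checks in the quoted testing notes, as an added example that is not part of the original message or of Hive: a shell function that reads `curl -i --negotiate` output and reports whether the SPNego handshake completed. The function names, verdict strings and the second sample are constructed for illustration; reading a 500 as "authenticated" follows the thread's own observation about the empty Thrift body.

```shell
#!/usr/bin/env bash
# Added example: interpret the headers printed by
#   curl -i --negotiate -u : http://<host>:10001/cliservice
# Function names and verdict strings are hypothetical, not part of Hive.

# Reads `curl -i` output on stdin and prints a single verdict word.
classify_spnego_probe() {
  awk '
    # Each status line starts a new response block. Only the last block
    # counts, because curl may print an intermediate 401 before the final one.
    /^HTTP\/[0-9.]+ [0-9]+/ { seen = 1; status = $2 + 0; negotiate = 0; next }
    {
      line = tolower($0)
      if (line ~ /^www-authenticate:[ \t]*negotiate/) negotiate = 1
    }
    END {
      if (!seen)                               print "no-http-response"
      else if (status == 401 && negotiate)     print "not-authenticated-negotiate-offered"
      else if (status == 401)                  print "unauthorized-without-negotiate"
      else if (status == 500)                  print "authenticated-no-thrift-body"
      else if (status >= 200 && status < 300)  print "authenticated"
      else                                     print "unexpected-" status
    }'
}

# Response quoted in the thread for a client without a Kerberos ticket.
sample_no_ticket() {
  printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n'
  printf 'Content-Type: application/x-thrift;charset=ISO-8859-1\r\n'
  printf 'Content-Length: 69\r\nServer: Jetty(7.6.0.v20120127)\r\n\r\n'
  printf 'Authentication Error: java.lang.reflect.UndeclaredThrowableException'
}

# Constructed sample: a challenge followed by the final response once the
# client has a ticket and no Thrift body is posted.
sample_with_ticket() {
  printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n'
  printf 'HTTP/1.1 500 Server Error\r\nContent-Length: 0\r\n\r\n'
}

echo "no ticket:   $(sample_no_ticket | classify_spnego_probe)"
echo "with ticket: $(sample_with_ticket | classify_spnego_probe)"
```

A 401 that still offers Negotiate after the client has a ticket points at the server side, matching the failure case in the thread where the SPNego principal or keytab is not set in hive-site.xml.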