Subject: Re: Review Request 19599: HiveServer2 secure thrift/http authentication needs to support SPNego
From: "dilli dorai"
To: "Vaibhav Gumashta", "Ashutosh Chauhan", "Thejas Nair"
Cc: "dilli dorai", "hive"
Date: Wed, 26 Mar 2014 02:38:05 -0000

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19599/
-----------------------------------------------------------

(Updated March 26, 2014, 2:38 a.m.)


Review request for hive, Ashutosh Chauhan, Thejas Nair, and Vaibhav Gumashta.


Changes
-------

cumulative patch diff accounting for reviewer comment,
latest comment addressed: add more description to new properties in hive-default.xml.template


Bugs: HIVE-6697
    https://issues.apache.org/jira/browse/HIVE-6697


Repository: hive-git


Description
-------

See JIRA for description
https://issues.apache.org/jira/browse/HIVE-6697


Diffs (updated)
-----

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java affcbb4
  conf/hive-default.xml.template 3c3df43
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 6e6a47d
  service/src/java/org/apache/hive/service/cli/CLIService.java e31a74e
  service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java cb01cfd
  service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 255a165
  shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 9aa555a
  shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java d4cddda
  shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java ed951f1

Diff: https://reviews.apache.org/r/19599/diff/


Testing
-------

## Verification of enhancement with Beeline/JDBC

### Verified the following calls succeeded getting connection, and listing tables, when valid spnego.principal and spnego.keytab are specified in hive-site.xml, and the client has KINITed and has a valid kerberos ticket in cache

    !connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

    !connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

### Verified the following call succeeded getting connection, and listing tables, even if valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml, as long as valid hive server2 kerberos principal and keytab are specified in hive-site.xml, and the client has KINITed and has a valid kerberos ticket in cache

    !connect jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

### Verified the following call failed getting connection, when valid spnego.principal or valid spnego.keytab is not specified in hive-site.xml

    !connect jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example.com@EXAMPLE.COM?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice dummy dummy-pass org.apache.hive.jdbc.HiveDriver

## Verification of enhancement with Apache Knox

Apache Knox was able to authenticate to hive server 2 as SPNego client using Apache HttpClient, and list tables, when correct spnego.principal and spnego.keytab are specified in hive-site.xml

Apache Knox was not able to authenticate to hive server 2 as SPNego client using Apache HttpClient, when valid spnego.principal or spnego.keytab is not specified in hive-site.xml

## Verification of enhancement with curl

### when valid spnego.principal and spnego.keytab are specified in hive-site.xml and the client has KINITed and has a valid kerberos ticket in cache

    curl -i --negotiate -u : http://hdps.example.com:10001/cliservice

SPNego authentication succeeded and got a HTTP status code 500, since we did not send Thrift body content

### when valid spnego.principal and spnego.keytab are specified in hive-site.xml and the client has not KINITed and does not have a valid kerberos ticket in cache

    curl -i --negotiate -u : http://hdps.example.com:10001/cliservice

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    Content-Type: application/x-thrift;charset=ISO-8859-1
    Content-Length: 69
    Server: Jetty(7.6.0.v20120127)

    Authentication Error: java.lang.reflect.UndeclaredThrowableException


Thanks,

dilli dorai
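
The curl checks described above can be scripted so the two outcomes are told apart mechanically. This is an added example, not part of the original e-mail or of the Hive patch: `classify_spnego` and the `sample_*` helpers are hypothetical names, and the with-ticket sample is constructed (the e-mail reports only the final status 500).

```shell
#!/bin/sh
# Classify `curl -i --negotiate -u : URL` output read on stdin.
# Prints "<verdict> <final-status>", where verdict is one of:
#   authenticated       final response is not a 401 (the e-mail saw 500: no Thrift body)
#   negotiate-required  final response is 401 and offers WWW-Authenticate: Negotiate
#   spnego-not-offered  final response is 401 with no Negotiate challenge
#   no-response         no HTTP status line was found
classify_spnego() {
    awk '
        { sub(/\r$/, "") }                        # curl -i keeps CRLF line endings
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ {        # a status line starts a new response
            status = $2; offered = 0; in_headers = 1; next
        }
        in_headers && $0 == "" { in_headers = 0; next }   # blank line ends the headers
        in_headers {
            line = tolower($0)                    # header names are case-insensitive
            if (line ~ /^www-authenticate:[ \t]*negotiate/) offered = 1
        }
        END {
            if (status == "")        print "no-response -"
            else if (status != 401)  print "authenticated " status
            else if (offered)        print "negotiate-required 401"
            else                     print "spnego-not-offered 401"
        }
    '
}

# Constructed sample: the 401 quoted in the e-mail (client has no Kerberos ticket).
sample_no_ticket() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' 'WWW-Authenticate: Negotiate' \
        'Content-Type: application/x-thrift;charset=ISO-8859-1' \
        'Content-Length: 69' 'Server: Jetty(7.6.0.v20120127)' '' \
        'Authentication Error: java.lang.reflect.UndeclaredThrowableException'
}

# Constructed sample: challenge answered with a ticket, then 500 (no Thrift body sent).
sample_with_ticket() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' 'WWW-Authenticate: Negotiate' \
        'Content-Length: 0' '' \
        'HTTP/1.1 500 Server Error' 'Content-Length: 0' ''
}

sample_no_ticket   | classify_spnego
sample_with_ticket | classify_spnego
```

Against a live server the same function reads curl's output directly: `curl -si --negotiate -u : http://hdps.example.com:10001/cliservice | classify_spnego`.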