hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brock Noland" <br...@cloudera.com>
Subject Re: Review Request 28255: HIVE-8916 : Handle user@domain username under LDAP authentication
Date Thu, 20 Nov 2014 16:58:42 GMT


> On Nov. 19, 2014, 9:32 p.m., Szehon Ho wrote:
> > service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java, line
307
> > <https://reviews.apache.org/r/28255/diff/1/?file=770245#file770245line307>
> >
> >     Will be it simpler to use a regex like [^\@]+ to find this?

>From my side I feel the approaches are equivalent.


- Brock


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28255/#review62235
-----------------------------------------------------------


On Nov. 19, 2014, 8:49 p.m., Mohit Sabharwal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28255/
> -----------------------------------------------------------
> 
> (Updated Nov. 19, 2014, 8:49 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-8916
>     https://issues.apache.org/jira/browse/HIVE-8916
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> HIVE-8916 : Handle user@domain username under LDAP authentication
> 
> If LDAP is configured with multiple domains for authentication, users can be in different
domains.
> 
> Currently, LdapAuthenticationProviderImpl blindly appends the domain configured "hive.server2.authentication.ldap.Domain"
to the username, which limits user to that domain. However, under multi-domain authentication,
the username may already include the domain (ex: user@domain.foo.com). We should not append
a domain if one is already present.
> 
> Also, if username already includes the domain, rest of Hive and authorization providers
still expects the "short name" ("user" and not "user@domain.foo.com") for looking up privilege
rules, etc. As such, any domain info in the username should be stripped off.
> 
> 
> Diffs
> -----
> 
>   service/src/java/org/apache/hive/service/ServiceUtils.java PRE-CREATION 
>   service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java d075761d079f8a18d7d317483783fe3b801e00d5

>   service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 3a8ae70d8bd31c9958ea6ae00a2d01c315c80615

> 
> Diff: https://reviews.apache.org/r/28255/diff/
> 
> 
> Testing
> -------
> 
> Configured HS2 for LDAP authentication:
> 
> <property>
>   <name>hive.server2.authentication</name>
>   <value>LDAP</value>
> </property>
> <property>    
>   <name>hive.server2.authentication.ldap.url</name>
>   <value>ldap://foo.ldap.server.com</value>
> </property>
> <property>
>   <name>hive.server2.authentication.ldap.Domain</name>
>   <value>foo.ldap.domain.com</value>
> </property>
> 
> Ran beeline with user names with and without ldap domain, in both cases
> authentication works. Before the change, authentication failed if
> domain was present in username:
> 
> beeline -u jdbc:hive2://localhost:10000 -n user@foo.ldap.domain.com -p TestPassword --debug
> 
> beeline -u jdbc:hive2://localhost:10000 -n user -p TestPassword --debug
> 
> 
> Thanks,
> 
> Mohit Sabharwal
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message