hive-dev mailing list archives

From "Prasad Mujumdar" <pras...@cloudera.com>
Subject Re: Review Request 28255: HIVE-8916 : Handle user@domain username under LDAP authentication
Date Thu, 20 Nov 2014 18:43:56 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28255/#review62378
-----------------------------------------------------------


Looks fine to me.

I would suggest creating a followup ticket to move the username format detection and replacement
methods to PasswdAuthenticationProvider and PlainServerCallbackHandler. This way the user
name format can be managed by individual authentication handlers rather than the high level HS2
RPC processor.

- Prasad Mujumdar


On Nov. 19, 2014, 8:49 p.m., Mohit Sabharwal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28255/
> -----------------------------------------------------------
> 
> (Updated Nov. 19, 2014, 8:49 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-8916
>     https://issues.apache.org/jira/browse/HIVE-8916
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> HIVE-8916 : Handle user@domain username under LDAP authentication
> 
> If LDAP is configured with multiple domains for authentication, users can be in different domains.
> 
> Currently, LdapAuthenticationProviderImpl blindly appends the domain configured in "hive.server2.authentication.ldap.Domain"
> to the username, which limits the user to that domain. However, under multi-domain authentication,
> the username may already include the domain (ex: user@domain.foo.com). We should not append
> a domain if one is already present.
> 
> Also, if the username already includes the domain, the rest of Hive and the authorization providers
> still expect the "short name" ("user" and not "user@domain.foo.com") for looking up privilege
> rules, etc. As such, any domain info in the username should be stripped off.
> 
> 
> Diffs
> -----
> 
>   service/src/java/org/apache/hive/service/ServiceUtils.java PRE-CREATION 
>   service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java d075761d079f8a18d7d317483783fe3b801e00d5 
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 3a8ae70d8bd31c9958ea6ae00a2d01c315c80615 
> 
> Diff: https://reviews.apache.org/r/28255/diff/
> 
> 
> Testing
> -------
> 
> Configured HS2 for LDAP authentication:
> 
> <property>
>   <name>hive.server2.authentication</name>
>   <value>LDAP</value>
> </property>
> <property>    
>   <name>hive.server2.authentication.ldap.url</name>
>   <value>ldap://foo.ldap.server.com</value>
> </property>
> <property>
>   <name>hive.server2.authentication.ldap.Domain</name>
>   <value>foo.ldap.domain.com</value>
> </property>
> 
> Ran beeline with user names with and without ldap domain, in both cases
> authentication works. Before the change, authentication failed if
> domain was present in username:
> 
> beeline -u jdbc:hive2://localhost:10000 -n user@foo.ldap.domain.com -p TestPassword --debug
> 
> beeline -u jdbc:hive2://localhost:10000 -n user -p TestPassword --debug
> 
> 
> Thanks,
> 
> Mohit Sabharwal
> 
>

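The two rules described in the review request (append the configured domain only when the username carries none, and hand the rest of Hive the short name) can be shown side by side with the pre-fix behaviour. The following is an added example written for this archive page, not the patch's ServiceUtils or LdapAuthenticationProviderImpl code; the class and method names (LdapUserNameExample, hasDomain, getShortName, bindName, bindNameBeforeFix) are assumptions, and the domain value is the one from the Testing section of the request.

```java
/**
 * Hypothetical helper illustrating the username handling discussed in HIVE-8916.
 * Not Hive's own code; names and the "first '@' splits user from domain" rule are assumptions.
 */
public final class LdapUserNameExample {

    /** True when the username already carries a domain suffix such as "user@domain.foo.com". */
    static boolean hasDomain(String userName) {
        int at = userName.indexOf('@');
        // an '@' with nothing after it is not a usable domain
        return at > 0 && at < userName.length() - 1;
    }

    /** Strips a trailing "@domain" so authorization lookups see the short name ("user"). */
    static String getShortName(String userName) {
        int at = userName.indexOf('@');
        return at > 0 ? userName.substring(0, at) : userName;
    }

    /**
     * Name used for the LDAP bind after the fix: the configured domain
     * (hive.server2.authentication.ldap.Domain) is appended only when the
     * caller did not already supply one.
     */
    static String bindName(String userName, String configuredDomain) {
        if (userName == null || userName.isEmpty() || userName.startsWith("@")) {
            throw new IllegalArgumentException("empty or malformed user name");
        }
        if (hasDomain(userName)) {
            return userName;                 // keep the domain the user presented
        }
        if (configuredDomain == null || configuredDomain.isEmpty()) {
            return userName;                 // no domain configured, bind with the bare name
        }
        return userName + "@" + configuredDomain;
    }

    /** Pre-fix behaviour described in the request: the domain is appended unconditionally. */
    static String bindNameBeforeFix(String userName, String configuredDomain) {
        return userName + "@" + configuredDomain;
    }

    public static void main(String[] args) {
        String domain = "foo.ldap.domain.com"; // value from the Testing section of the request
        // constructed inputs: bare name, name in the configured domain, name in another domain
        String[] inputs = { "user", "user@foo.ldap.domain.com", "user@other.example.com" };
        for (String u : inputs) {
            System.out.printf("%-26s before: %-46s after: %-26s short: %s%n",
                u, bindNameBeforeFix(u, domain), bindName(u, domain), getShortName(u));
        }
    }
}
```

The "before" column shows why the first beeline run in the Testing section failed prior to the change: "user@foo.ldap.domain.com" became "user@foo.ldap.domain.com@foo.ldap.domain.com" at bind time. One caveat worth keeping in mind when deploying this: once the domain is stripped, "user@foo.ldap.domain.com" and "user@other.example.com" both reach the authorization providers as "user", so privilege rules keyed on the short name apply to both unless the LDAP side guarantees that local parts are unique across the domains it accepts.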
