hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brock Noland (JIRA)" <>
Subject [jira] [Commented] (HIVE-8916) Handle user@domain username under LDAP authentication
Date Thu, 20 Nov 2014 17:01:34 GMT


Brock Noland commented on HIVE-8916:

Looks like we need to handle the case of null:

2014-11-19 17:39:22,829 WARN  thrift.ThriftCLIService (
- Error opening session: 
	at org.apache.hive.service.ServiceUtils.indexOfDomainMatch(
	at org.apache.hive.service.cli.thrift.ThriftCLIService.getShortName(
	at org.apache.hive.service.cli.thrift.ThriftCLIService.getUserName(
	at org.apache.hive.service.cli.thrift.ThriftCLIService.getSessionHandle(
	at org.apache.hive.service.cli.thrift.ThriftCLIService.OpenSession(
	at org.apache.hive.service.cli.thrift.ThriftCLIServiceClient.openSession(
	at org.apache.hive.service.cli.session.TestSessionGlobalInitFile.doTestSessionGlobalInitFile(
	at org.apache.hive.service.cli.session.TestSessionGlobalInitFile.testSessionGlobalInitFile(

> Handle user@domain username under LDAP authentication
> -----------------------------------------------------
>                 Key: HIVE-8916
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Mohit Sabharwal
>            Assignee: Mohit Sabharwal
>         Attachments: HIVE-8916.patch
> If LDAP is configured with multiple domains for authentication, users can be in different
> Currently, LdapAuthenticationProviderImpl blindly appends the domain configured "hive.server2.authentication.ldap.Domain"
to the username, which limits user to that domain. However, under multi-domain authentication,
the username may already include the domain (ex: We should not append
a domain if one is already present.
> Also, if username already includes the domain, rest of Hive and authorization providers
still expects the "short name" ("user" and not "") for looking up privilege
rules, etc.  As such, any domain info in the username should be stripped off.

This message was sent by Atlassian JIRA

View raw message