hive-dev mailing list archives

From "Mohit Sabharwal (JIRA)" <>
Subject [jira] [Commented] (HIVE-8916) Handle user@domain username under LDAP authentication
Date Tue, 02 Dec 2014 02:15:13 GMT


Mohit Sabharwal commented on HIVE-8916:

We could add documentation to Configuration Properties -- hive.server2.authentication.ldap.Domain

In case of LDAP authentication, {{hive.server2.authentication.ldap.Domain}}, if configured,
is appended to the LDAP username passed in the client connection. This is because LDAP providers
like Active Directory expect a fully qualified username that includes the domain.

Starting 0.15.0 (HIVE-8916), if the username passed in the client connection already includes
the domain, any value configured in {{hive.server2.authentication.ldap.Domain}} is not appended
to the username.

> Handle user@domain username under LDAP authentication
> -----------------------------------------------------
>                 Key: HIVE-8916
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Mohit Sabharwal
>            Assignee: Mohit Sabharwal
>             Fix For: 0.15.0
>         Attachments: HIVE-8916.2.patch, HIVE-8916.3.patch, HIVE-8916.patch
> If LDAP is configured with multiple domains for authentication, users can be in different
> Currently, LdapAuthenticationProviderImpl blindly appends the domain configured "hive.server2.authentication.ldap.Domain" to the username, which limits user to that domain. However, under multi-domain authentication, the username may already include the domain (ex: We should not append a domain if one is already present.
> Also, if username already includes the domain, rest of Hive and authorization providers still expects the "short name" ("user" and not "") for looking up privilege rules, etc.  As such, any domain info in the username should be stripped off.

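The username rule described in this message, as an added example that is not part of the original message and is not Hive's `LdapAuthenticationProviderImpl` source: the configured domain is appended only when the login carries none, and the short name is what gets passed on for privilege lookups. The class and method names (`LdapUserNames`, `bindPrincipal`, `shortName`) and the sample logins and domain are hypothetical.

```java
import java.util.Objects;

// Added illustration of the HIVE-8916 behaviour; names and values are hypothetical.
public final class LdapUserNames {
    private LdapUserNames() {}

    /** Index of the '@' that separates user and domain, or -1 if the name is unqualified. */
    static int domainIndex(String user) {
        Objects.requireNonNull(user, "user");
        int at = user.indexOf('@');
        // Reject "", "@corp.example" and "alice@" instead of guessing what was meant.
        if (user.isEmpty() || at == 0 || at == user.length() - 1) {
            throw new IllegalArgumentException("malformed user name");
        }
        return at;
    }

    /** Name used for the LDAP bind: append the configured domain only if none is present. */
    static String bindPrincipal(String user, String configuredDomain) {
        boolean qualified = domainIndex(user) > 0;
        if (qualified || configuredDomain == null || configuredDomain.isEmpty()) {
            return user;                      // already user@domain, or nothing to append
        }
        return user + "@" + configuredDomain; // pre-existing behaviour for bare names
    }

    /** Short name ("user", not "user@domain") for privilege-rule lookups. */
    static String shortName(String user) {
        int at = domainIndex(user);
        return at > 0 ? user.substring(0, at) : user;
    }

    public static void main(String[] args) {
        // Constructed stand-in for hive.server2.authentication.ldap.Domain.
        String configuredDomain = "corp.example";
        // Constructed client logins: one bare, one already qualified with another domain.
        String[] logins = {"alice", "bob@sales.example"};
        for (String login : logins) {
            System.out.printf("%-20s bind=%-22s short=%s%n",
                    login, bindPrincipal(login, configuredDomain), shortName(login));
        }
    }
}
```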