Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 953A8200CD2 for ; Thu, 27 Jul 2017 21:11:08 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 93DEF16B66B; Thu, 27 Jul 2017 19:11:08 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id DD30916B66C for ; Thu, 27 Jul 2017 21:11:07 +0200 (CEST) Received: (qmail 50428 invoked by uid 500); 27 Jul 2017 19:11:06 -0000 Mailing-List: contact dev-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hive.apache.org Delivered-To: mailing list dev@hive.apache.org Received: (qmail 50030 invoked by uid 99); 27 Jul 2017 19:11:06 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Jul 2017 19:11:06 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id C0C451A0AE6 for ; Thu, 27 Jul 2017 19:11:05 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -100.001 X-Spam-Level: X-Spam-Status: No, score=-100.001 tagged_above=-999 required=6.31 tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_RED=0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id tWLnVfvz8hJD for ; Thu, 27 Jul 2017 19:11:03 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 6BE965FD7D for ; Thu, 27 Jul 2017 19:11:03 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 26A96E0DFB for ; Thu, 27 Jul 2017 19:11:02 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 32CD124DBB for ; Thu, 27 Jul 2017 19:11:00 +0000 (UTC) Date: Thu, 27 Jul 2017 19:11:00 +0000 (UTC) From: "Eric Yang (JIRA)" To: dev@hive.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (HIVE-17187) WebHCat SPNEGO support is incompleted MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Thu, 27 Jul 2017 19:11:08 -0000 Eric Yang created HIVE-17187: -------------------------------- Summary: WebHCat SPNEGO support is incompleted Key: HIVE-17187 URL: https://issues.apache.org/jira/browse/HIVE-17187 Project: Hive Issue Type: Bug Components: WebHCat Affects Versions: 1.2.1 Reporter: Eric Yang [Some online document|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/spnego_setup_for_webhcat.html] describes how to setup WebHCat with SPNEGO support. However, there could be multiple services use SPNEGO on the same host. For example, HBase REST API can also setup to use HTTP principal for SPNEGO support. When HTTP principal is shared among other services, Hadoop proxy user settings can not identify the origin of doAs call with HTTP principal, is invoked by HBase REST API or WebHCat. Ideally, WebHCat should keep track of its own service principal independent of SPNEGO principal to ensure that SPNEGO principal is only given authentication access. SPNEGO principal should not be used in proxy user setting to grant authorization access. -- This message was sent by Atlassian JIRA (v6.4.14#64029)