hive-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-16529) Replace JPAM with libpam4j for PAM authentication
Date Thu, 24 Aug 2017 01:26:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-16529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139440#comment-16139440 ]

Eric Yang commented on HIVE-16529:
----------------------------------

The JPAM user account expiration issue can easily be worked around by applying this patch to JPAM:

{code}
--- jpam/jpam/src/c/Pam.c	2005-06-14 20:02:36.000000000 -0700
+++ ../../jpam/jpam/jpam/src/c/Pam.c	2017-08-23 18:20:09.000000000 -0700
@@ -151,6 +151,9 @@
             printf("***Sending password\n");
          reply[replies].resp = COPY_STRING(password);
       }
+      if (msg[replies]->msg_style==4) {
+         reply[replies].resp = NULL;
+      }
       if (debug)
         printf("***Response to PAM is: |%s|\n", reply[replies].resp);
    }
{code}
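
Review bot: The added check compares msg[replies]->msg_style against the bare number 4; use the named constant from the PAM headers instead (4 is PAM_TEXT_INFO in Linux-PAM) so the intent is readable and does not depend on a numeric value. The new block is also a separate if placed after the branch that assigns COPY_STRING(password), so if that branch ran for the same message the copied string is overwritten with NULL and never freed; making this an else-if, or testing the style before the copy, avoids that. With resp set to NULL, the debug printf that follows passes NULL to %s, which is undefined behaviour in C, so the debug line should guard against a NULL response. A short comment saying why this message style gets no response would help too.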

This might be a workaround solution instead of replacing JPAM with libpam4j.

> Replace JPAM with libpam4j for PAM authentication
> -------------------------------------------------
>
>                 Key: HIVE-16529
>                 URL: https://issues.apache.org/jira/browse/HIVE-16529
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: 1.2.0
>            Reporter: Richard Ding
>            Assignee: Sailaja Navvluru
>
> PAM authentication is an important feature available since Hive 0.13. But the Hive blog gives the following warnings:
> {quote}
> JPAM library that is used to provide the PAM authentication mode can cause HiveServer2 to go down if a user's password has expired. This happens because of segfault/core dumps from native code invoked by JPAM. Some users have also reported crashes during logins in other cases as well. Use of LDAP or KERBEROS is recommended.
> {quote}
> JPAM also requires the user to install a native library. Furthermore, the JPAM library seems not to have been updated since 2007.
> Other Apache projects (e.g. Ambari/Ranger/Knox) use a newer library, libpam4j, which doesn't require installation of a native library.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
