Review Board 1.7.22


HIVE-5155: Support secure proxy user access to HiveServer2

Review Request #13845 - Created Aug. 27, 2013 and updated

Prasad Mujumdar
trunk
HIVE-5155
Reviewers
hive
brocknoland, carl, thejas
hive-git
Delegation token support -
Enable delegation token connection for HiveServer2
Enhance the TCLIService interface to support delegation token requests
Support passing the delegation token connection type via JDBC URL and Beeline option

Direct proxy access -
Define new proxy user property
Shim interfaces to validate proxy access for a given user

Note that the diff doesn't include Thrift-generated code.
Since this requires Kerberos setup, it's tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
Total: 31; Open: 10; Resolved: 21; Dropped: 0
| Description | From | Last Updated | Status |
|---|---|---|---|
| nit: ws | Brock Noland | Dec. 4, 2013, 10:26 p.m. | Open |
| nit: ws | Brock Noland | Dec. 4, 2013, 10:26 p.m. | Open |
| This would mean that to make a user a proxy user, you would need to make the user a proxy ... | Thejas Nair | Jan. 8, 2014, 9:43 p.m. | Open |
| Good point about adding this setting only in hive-site.xml, that way this privilege will be specific only to hive. On ... | Thejas Nair | March 3, 2014, 6:45 p.m. | Open |
| I don't see this conf being used anywhere in this patch. | Thejas Nair | March 7, 2014, 5:38 p.m. | Open |
| thanks for adding javadoc/comments! | Thejas Nair | March 7, 2014, 5:38 p.m. | Open |
| should we not call this from .close() as well ? We can do that in a follow up jira if ... | Thejas Nair | March 7, 2014, 5:38 p.m. | Open |
| Never mind. please ignore. | Thejas Nair | March 7, 2014, 5:40 p.m. | Open |
| In case of a non-kerberos setup, this will do a doAs twice: one time using TUGIContainingProcessor and the second time ... | Vaibhav Gumashta | March 12, 2014, 9:50 a.m. | Open |
| What does (hiveAuthFactory == null) mean? | Vaibhav Gumashta | April 4, 2014, 7:43 a.m. | Open |
Review request changed
Updated (March 10, 2014, 6:39 p.m.)
Address the ptest failures in TestSessionHooks and TestSSL.
Posted (March 12, 2014, 9:50 a.m.)

In case of a non-kerberos setup, this will do a doAs twice: one time using TUGIContainingProcessor and the second time at the session level. Actually getting rid of doAs at thrift processor level is a good idea since it ensures proper cleanup, but it might involve more work. HIVE-6312 aims to do that (patch available). I'm not sure if doing doAs twice will lead to any new issues (I don't think so).
Posted (April 4, 2014, 7:43 a.m.)

What does (hiveAuthFactory == null) mean?