You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@knox.apache.org by Odon Copon <od...@gmail.com> on 2019/03/13 16:25:30 UTC

Hive CLI behind Knox

After reading Knox documentation I'm not totally sure how Knox can sit in
front of Hive accesses through JDBC/Beeline and Hive CLI.
From the docs, I see it does for JDBC connections so I assume it does for
Beeline as well, as both hit HiveServer2, but what about Hive CLI that go
directly to the Hive Metastore?.
Thanks.

Re: Hive CLI behind Knox

Posted by Kevin Risden <kr...@apache.org>.

>
> some connections might be not able to connect to HS2?
>

Not sure what you mean by "some connections". HTTP mode works for
JDBC/ODBC. There are 2 modes HTTP and binary. Both are thrift it just is a
different protocol. Knox only works with HTTP. Existing binary connections
(which are on a different port typically) will not work but there is
usually a slightly different way to connect over HTTP. This is probably a
better question for the Hive project.


> Would a user be able to bypass Knox by using an old Hive CLI (no beeline
> based) even if HS2 is using the latest Hive version with Hive CLI wrapping
> beeline?
>

If the user has a Kerberos ticket then they would be able to connect I
think. It is more of a question for the Hive project though. Knox can't
enforce access outside of it.

Kevin Risden


On Wed, Mar 20, 2019 at 7:10 AM Odon Copon <od...@gmail.com> wrote:

> Thanks Kevin.
> When you said "Knox with Hive requires HiveServer2 in HTTP mode", does it
> mean once this mode is activated some connections might be not able to
> connect to HS2?
> Would a user be able to bypass Knox by using an old Hive CLI (no beeline
> based) even if HS2 is using the latest Hive version with Hive CLI wrapping
> beeline?
>
> Thanks.
>
> On Wed, 13 Mar 2019 at 17:08, Kevin Risden <kr...@apache.org> wrote:
>
>> I'm not sure which version exactly but this is the umbrella jira tracking
>> all the subtasks:
>>
>> https://issues.apache.org/jira/browse/HIVE-10511
>>
>> Kevin Risden
>>
>>
>> On Wed, Mar 13, 2019 at 1:04 PM Odon Copon <od...@gmail.com> wrote:
>>
>>> Amazing, thanks Kevin for the clarification.
>>> Do you know exactly which version did the transition to beeline?
>>>
>>> On Wed, 13 Mar 2019 at 16:53,
>>> Kevin Risden
>>> <kr...@apache.org> wrote:
>>>
>>>> Knox with Hive requires HiveServer2 in HTTP mode. Hive CLI direct to
>>>> metastore is not supported by Knox. Current versions of Hive as far as I
>>>> know have Hive CLI wrapping beeline by default for SQL queries.
>>>>
>>>> Kevin Risden
>>>>
>>>>
>>>> On Wed, Mar 13, 2019 at 12:49 PM Odon Copon <od...@gmail.com>
>>>> wrote:
>>>>
>>>>> After reading Knox documentation I'm not totally sure how Knox can sit
>>>>> in front of Hive accesses through JDBC/Beeline and Hive CLI.
>>>>> From the docs, I see it does for JDBC connections so I assume it does
>>>>> for Beeline as well, as both hit HiveServer2, but what about Hive CLI that
>>>>> go directly to the Hive Metastore?.
>>>>> Thanks.
>>>>>
>>>>

Re: Hive CLI behind Knox

Posted by Odon Copon <od...@gmail.com>.

Thanks Kevin.
When you said "Knox with Hive requires HiveServer2 in HTTP mode", does it
mean once this mode is activated some connections might be not able to
connect to HS2?
Would a user be able to bypass Knox by using an old Hive CLI (no beeline
based) even if HS2 is using the latest Hive version with Hive CLI wrapping
beeline?

Thanks.

On Wed, 13 Mar 2019 at 17:08, Kevin Risden <kr...@apache.org> wrote:

> I'm not sure which version exactly but this is the umbrella jira tracking
> all the subtasks:
>
> https://issues.apache.org/jira/browse/HIVE-10511
>
> Kevin Risden
>
>
> On Wed, Mar 13, 2019 at 1:04 PM Odon Copon <od...@gmail.com> wrote:
>
>> Amazing, thanks Kevin for the clarification.
>> Do you know exactly which version did the transition to beeline?
>>
>> On Wed, 13 Mar 2019 at 16:53,
>> Kevin Risden
>> <kr...@apache.org> wrote:
>>
>>> Knox with Hive requires HiveServer2 in HTTP mode. Hive CLI direct to
>>> metastore is not supported by Knox. Current versions of Hive as far as I
>>> know have Hive CLI wrapping beeline by default for SQL queries.
>>>
>>> Kevin Risden
>>>
>>>
>>> On Wed, Mar 13, 2019 at 12:49 PM Odon Copon <od...@gmail.com> wrote:
>>>
>>>> After reading Knox documentation I'm not totally sure how Knox can sit
>>>> in front of Hive accesses through JDBC/Beeline and Hive CLI.
>>>> From the docs, I see it does for JDBC connections so I assume it does
>>>> for Beeline as well, as both hit HiveServer2, but what about Hive CLI that
>>>> go directly to the Hive Metastore?.
>>>> Thanks.
>>>>
>>>

Re: Hive CLI behind Knox

Posted by Kevin Risden <kr...@apache.org>.

I'm not sure which version exactly but this is the umbrella jira tracking
all the subtasks:

https://issues.apache.org/jira/browse/HIVE-10511

Kevin Risden


On Wed, Mar 13, 2019 at 1:04 PM Odon Copon <od...@gmail.com> wrote:

> Amazing, thanks Kevin for the clarification.
> Do you know exactly which version did the transition to beeline?
>
> On Wed, 13 Mar 2019 at 16:53,
> Kevin Risden
> <kr...@apache.org> wrote:
>
>> Knox with Hive requires HiveServer2 in HTTP mode. Hive CLI direct to
>> metastore is not supported by Knox. Current versions of Hive as far as I
>> know have Hive CLI wrapping beeline by default for SQL queries.
>>
>> Kevin Risden
>>
>>
>> On Wed, Mar 13, 2019 at 12:49 PM Odon Copon <od...@gmail.com> wrote:
>>
>>> After reading Knox documentation I'm not totally sure how Knox can sit
>>> in front of Hive accesses through JDBC/Beeline and Hive CLI.
>>> From the docs, I see it does for JDBC connections so I assume it does
>>> for Beeline as well, as both hit HiveServer2, but what about Hive CLI that
>>> go directly to the Hive Metastore?.
>>> Thanks.
>>>
>>

Re: Hive CLI behind Knox

Posted by Odon Copon <od...@gmail.com>.

Amazing, thanks Kevin for the clarification.
Do you know exactly which version did the transition to beeline?

On Wed, 13 Mar 2019 at 16:53, Kevin Risden <kr...@apache.org> wrote:

> Knox with Hive requires HiveServer2 in HTTP mode. Hive CLI direct to
> metastore is not supported by Knox. Current versions of Hive as far as I
> know have Hive CLI wrapping beeline by default for SQL queries.
>
> Kevin Risden
>
>
> On Wed, Mar 13, 2019 at 12:49 PM Odon Copon <od...@gmail.com> wrote:
>
>> After reading Knox documentation I'm not totally sure how Knox can sit in
>> front of Hive accesses through JDBC/Beeline and Hive CLI.
>> From the docs, I see it does for JDBC connections so I assume it does for
>> Beeline as well, as both hit HiveServer2, but what about Hive CLI that go
>> directly to the Hive Metastore?.
>> Thanks.
>>
>

Re: Hive CLI behind Knox

Posted by Kevin Risden <kr...@apache.org>.

Knox with Hive requires HiveServer2 in HTTP mode. Hive CLI direct to
metastore is not supported by Knox. Current versions of Hive as far as I
know have Hive CLI wrapping beeline by default for SQL queries.

Kevin Risden

On Wed, Mar 13, 2019 at 12:49 PM Odon Copon <od...@gmail.com> wrote:

> After reading Knox documentation I'm not totally sure how Knox can sit in
> front of Hive accesses through JDBC/Beeline and Hive CLI.
> From the docs, I see it does for JDBC connections so I assume it does for
> Beeline as well, as both hit HiveServer2, but what about Hive CLI that go
> directly to the Hive Metastore?.
> Thanks.
>