Posted to dev@lens.apache.org by "Ankit Kailaswar (JIRA)" <ji...@apache.org> on 2018/03/13 09:22:00 UTC

[jira] [Created] (LENS-1506) Kerberos authentication in lens

Ankit Kailaswar created LENS-1506:
-------------------------------------

             Summary: Kerberos authentication in lens
                 Key: LENS-1506
                 URL: https://issues.apache.org/jira/browse/LENS-1506
             Project: Apache Lens
          Issue Type: Improvement
          Components: client, driver-hive, python-client, server
            Reporter: Ankit Kailaswar


The current Lens implementation is broken when we try to enable Kerberos authentication in Lens as mentioned at [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2], in the following ways:
1. The openSession REST API fails to create a new session for the user. Currently it supports only passwd types of authentication.
2. If the underlying Hive driver is running with Kerberos authentication, then the driver initialization flow to obtain the Hive transport for the Hive driver in Lens errors out. The Hive server accepts only SASL messages, but Lens continues using PLAINSASL.
3. If the Hadoop cluster has Kerberos authentication enabled, then all HDFS calls (persisting services, all HDFS paths in conf, etc.) fail.
4. Lens as of now doesn't support refreshing the KDC token before it expires.

Changes required in Lens to fully support Kerberos authentication are as follows:
1. Lens's Hive driver must use SASL for all communication into kerberized Hive. The current Thrift client for Hive doesn't support this functionality.
2. Lens must refresh the KDC ticket before it expires.
3. All clients must be authenticated with Kerberos authentication before session creation.
4. In Kerberos mode, all Hive driver queries should be executed with a single cluster user, "lens".



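An added illustration of the keytab login, ticket refresh and HDFS access the issue asks for, written against Hadoop's standard UserGroupInformation API; it is not code from the issue or from Lens. The principal, keytab path, refresh interval and class name are placeholders assumed for the example.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KerberosLoginSketch {
  // Placeholders (assumptions), not values from the issue or from Lens configuration.
  static final String PRINCIPAL = "lens/host.example.com@EXAMPLE.COM";
  static final String KEYTAB = "/path/to/lens.keytab";

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Log the service in from its keytab, so no interactive kinit is needed.
    UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();

    // Periodic refresh: the call re-logs in only when the current TGT is close to expiry.
    ScheduledExecutorService renewer = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "kerberos-relogin");
      t.setDaemon(true);
      return t;
    });
    renewer.scheduleAtFixedRate(() -> {
      try {
        ugi.checkTGTAndReloginFromKeytab();
      } catch (IOException e) {
        // Report the failure; an expired ticket otherwise shows up later as failed HDFS calls.
        System.err.println("Kerberos relogin failed: " + e);
      }
    }, 10, 10, TimeUnit.MINUTES);

    // Run HDFS calls as the logged-in service user.
    boolean exists = ugi.doAs((PrivilegedExceptionAction<Boolean>) () -> {
      try (FileSystem fs = FileSystem.newInstance(conf)) {
        return fs.exists(new Path("/tmp"));
      }
    });
    System.out.println("/tmp exists: " + exists);
  }
}
```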