Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/02/18 09:11:00 UTC

[jira] [Commented] (IMPALA-10496) Support SAML authentication in Impyla

    [ https://issues.apache.org/jira/browse/IMPALA-10496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286371#comment-17286371 ] 

ASF subversion and git services commented on IMPALA-10496:
----------------------------------------------------------

Commit 08cb4d36d206a1e218fe76dc83639dc581a0943b in impala's branch refs/heads/master from Csaba Ringhofer
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=08cb4d3 ]

IMPALA-10496: SAML implementation in Impala

The bulk of the SAML2 related code is done on the Java side because:
- There is already an implementation for Hive on review (HIVE-24543).
- The only SAML lib for c++ seems to be OpenSaml, which seemed
  quite hard to use and a heavy dependency.

Doing authentication in Java needed some plumbing, as the hs2-http
port is listened to in c++ and http related processing happens in
THttpServer/THttpTransport, which is not a "real" web server, just
a simple http implementation that processes the headers and passes
content to the thrift service.
- Http headers (and in one case body) are inspected and if it is
  SAML related, the http request is wrapped in TWrappedHttpRequest
  and sent to the Frontend. The Frontend processes it and returns
  a TWrappedHttpResponse with the info to return to the client.
- After the last SAML message (with the bearer token) we generate
  an auth cookie in c++ (which can be validated in c++), so later
  requests in the session don't need to call to Java.

SAML auth can work alongside LDAP and Kerberos - for each hs2-http
request the path and the http headers are inspected to decide
whether it is SAML related, and if not, then we fall back to other
auth mechanisms. This "mixed mode" has no tests yet, so I consider it
experimental.

Planned followup work:
- It would be great to import the logic implemented in Hive instead
  of copy-pasting most of it. I plan to do this in a followup commit,
  as this needs changes on the Hive side too.
- Adding more tests will be much easier once we have a hs2-http
  client that supports SAML. See IMPALA-10496 for Impyla support.
- Currently the debug webserver does not support SAML auth.
  Implementing SAML for the webserver is problematic on the statestore
  which doesn't have a Frontend.

Testing:
- Added EE tests that use Python's urllib2 to send SAML
  requests to Impala. Impala works slightly differently
  during tests (saml2_ee_test_mode=true).

Change-Id: Ia0c026cba1b90e7ff6ec5ae49be78b0d1edd8dfa
Reviewed-on: http://gerrit.cloudera.org:8080/16833
Reviewed-by: Thomas Tauber-Marshall <tm...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
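The commit message above describes two pieces of server-side plumbing: per-request classification of hs2-http traffic as SAML-related or not (with fallback to LDAP/Kerberos), and an auth cookie minted after the bearer-token step so later requests in the session are validated locally without a round trip to the Java frontend. The following Python model is an added example, not Impala's own code (Impala does this in C++ and Java); the SAML path prefix, cookie name, cookie format, form field check and the dict standing in for the frontend's token store are all assumptions made for illustration.

```python
"""Model of the hs2-http auth dispatch described in the commit message.

Added illustration, not Impala's implementation. Assumed for this example:
the SAML path prefix, the cookie name/format/TTL, and the token store that
stands in for the Java frontend.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

SAML_PATH_PREFIX = "/saml2/"     # assumed; Impala's real endpoints may differ
COOKIE_NAME = "impala.auth"      # assumed cookie name
COOKIE_TTL_SECONDS = 3600        # assumed lifetime

# Stand-in for the Java frontend: the tokens it has issued and their users.
# In Impala the frontend performs the real SAML validation; here it is a dict.
ISSUED_TOKENS = {"tok-alice-123": "alice"}


def frontend_check_bearer(token):
    return ISSUED_TOKENS.get(token)


def is_saml_request(method, path, headers, body=b""):
    """Classify a request as SAML-related from its path, headers and, for
    the one form-POST case (the IdP posting back to the SP), its body."""
    if path.startswith(SAML_PATH_PREFIX):
        return True
    if headers.get("Authorization", "").startswith("Bearer "):
        return True
    ctype = headers.get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("utf-8", errors="replace"))
        return "SAMLResponse" in form
    return False


def make_cookie(username, secret, now=None):
    """HMAC-SHA256 over a JSON payload with an expiry; validated locally."""
    now = int(now if now is not None else time.time())
    payload = json.dumps({"u": username, "exp": now + COOKIE_TTL_SECONDS},
                         separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def validate_cookie(cookie, secret, now=None):
    """Return the username if the cookie is authentic and unexpired, else None.
    The MAC is compared in constant time before the payload is trusted."""
    now = int(now if now is not None else time.time())
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None
    return data.get("u")


def parse_cookie_header(value):
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


class AuthServer:
    """Dispatcher: cookie first (cheap, local), then SAML, then fallback."""

    def __init__(self, secret):
        self.secret = secret
        self.frontend_calls = 0  # how often the Java side had to be consulted

    def authenticate(self, method, path, headers, body=b"", now=None):
        """Return (username, cookie_to_set, mechanism)."""
        cookie = parse_cookie_header(headers.get("Cookie", "")).get(COOKIE_NAME)
        if cookie:
            user = validate_cookie(cookie, self.secret, now)
            if user:
                return user, None, "cookie"
        if is_saml_request(method, path, headers, body):
            auth = headers.get("Authorization", "")
            self.frontend_calls += 1
            if auth.startswith("Bearer "):
                user = frontend_check_bearer(auth[len("Bearer "):])
                if user is None:
                    return None, None, "saml-rejected"
                return user, make_cookie(user, self.secret, now), "saml"
            # Redirect/IdP-POST messages are handed to the frontend unchanged.
            return None, None, "saml-forwarded"
        return None, None, "fallback"  # LDAP/Kerberos handled elsewhere


if __name__ == "__main__":
    srv = AuthServer(b"server-secret")
    user, cookie, mech = srv.authenticate(
        "POST", "/cliservice", {"Authorization": "Bearer tok-alice-123"}, now=1000)
    print(user, mech, srv.frontend_calls)
    print(srv.authenticate("POST", "/cliservice",
                           {"Cookie": f"{COOKIE_NAME}={cookie}"}, now=2000))
```

The cookie validation deliberately checks the MAC with hmac.compare_digest before parsing the payload, and treats an expired or tampered cookie as "no cookie" so the request simply falls through to the other mechanisms rather than being accepted.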


> Support SAML authentication in Impyla
> -------------------------------------
>
>                 Key: IMPALA-10496
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10496
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Clients
>            Reporter: Csaba Ringhofer
>            Priority: Major
>              Labels: impyla
>
> IMPALA-10437 adds SAML2 browser profile support to Impala.
> Supporting it in Impyla would allow implementing SAML auth for Impala shell, and make SAML related EE tests simpler.
> The simplest way would be to allow passing a bearer token in https://github.com/cloudera/impyla/blob/0914895830609001b9d4f535573cba8db487d45e/impala/hiveserver2.py#L796
> I am not sure about the other parts of the SAML logic (e.g. communication with the browser) - it could be added to Impyla too or reside in Impala shell.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
