You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2013/12/04 21:14:04 UTC
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/
-----------------------------------------------------------
(Updated Dec. 4, 2013, 8:13 p.m.)
Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
Changes
-------
Rebased, fixed few minor issues.
Bugs: HIVE-5155
https://issues.apache.org/jira/browse/HIVE-5155
Repository: hive-git
Description
-------
Delegation token support -
Enable delegation token connection for HiveServer2
Enhance the TCLIService interface to support delegation token requests
Support passing the delegation token connection type via JDBC URL and Beeline option
Direct proxy access -
Define new proxy user property
Shim interfaces to validate proxy access for a given user
Note that the diff doesn't include thrift generated code.
Diffs (updated)
-----
beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
service/if/TCLIService.thrift 62a9730
service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
Diff: https://reviews.apache.org/r/13845/diff/
Testing
-------
Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
Thanks,
Prasad Mujumdar
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
> On Dec. 4, 2013, 10:26 p.m., Brock Noland wrote:
> > service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java, line 91
> > <https://reviews.apache.org/r/13845/diff/3/?file=393981#file393981line91>
> >
> > We should verify the hook ran, correct?
yes, since the test relies on the hook to perform the user validation, it's better to verify that the hook itself is executed.
- Prasad
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review29764
-----------------------------------------------------------
On Dec. 4, 2013, 8:13 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 4, 2013, 8:13 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Brock Noland <br...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review29764
-----------------------------------------------------------
I have looked at this before and it looks good to me! There are a couple of nits below but otherwise very good! Nice work!!
beeline/src/java/org/apache/hive/beeline/Commands.java
<https://reviews.apache.org/r/13845/#comment57235>
nit: ws
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/13845/#comment57236>
nit: ws
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/13845/#comment57238>
*THANK* you for the javadoc!
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/13845/#comment57237>
nit: ws
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/13845/#comment57239>
nit: ws
service/if/TCLIService.thrift
<https://reviews.apache.org/r/13845/#comment57240>
nit: ws
service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
<https://reviews.apache.org/r/13845/#comment57229>
nit: remove empty comment
service/src/java/org/apache/hive/service/cli/session/SessionManager.java
<https://reviews.apache.org/r/13845/#comment57242>
nit: ws
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57230>
Let's use the LOG instead?
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57231>
Let's use the LOG instead?
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57232>
Let's use the LOG instead?
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57233>
nit: ws
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57234>
nit: ws
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java
<https://reviews.apache.org/r/13845/#comment57244>
Looks like this doesn't have to be public (not referenced anywhere else) and doesn't need the CONSTANT naming convention as well.
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java
<https://reviews.apache.org/r/13845/#comment57245>
We should verify the hook ran, correct?
- Brock Noland
On Dec. 4, 2013, 8:13 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 4, 2013, 8:13 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
> On Dec. 5, 2013, 12:48 a.m., Carl Steinbach wrote:
> > service/if/TCLIService.thrift, line 1041
> > <https://reviews.apache.org/r/13845/diff/3/?file=393966#file393966line1041>
> >
> > Comment out of sync with code.
Updated the comment
> On Dec. 5, 2013, 12:48 a.m., Carl Steinbach wrote:
> > service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java, line 129
> > <https://reviews.apache.org/r/13845/diff/3/?file=393978#file393978line129>
> >
> > Why is CLIService.getDelegationToken() allowed to return a null or empty string?
The check is pushed down, right after the token is extracted from the shim layer.
- Prasad
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review26525
-----------------------------------------------------------
On Dec. 4, 2013, 8:13 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 4, 2013, 8:13 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Carl Steinbach <cw...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review26525
-----------------------------------------------------------
Here's what I caught on a first pass.
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment51748>
TAB
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
<https://reviews.apache.org/r/13845/#comment57262>
hive-default.xml.template?
itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
<https://reviews.apache.org/r/13845/#comment57263>
Formatting.
service/if/TCLIService.thrift
<https://reviews.apache.org/r/13845/#comment57259>
Please leave a blank line between message fields with comments.
service/if/TCLIService.thrift
<https://reviews.apache.org/r/13845/#comment57260>
Comment out of sync with code.
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57264>
Why is CLIService.getDelegationToken() allowed to return a null or empty string?
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment57265>
Formatting.
- Carl Steinbach
On Dec. 4, 2013, 8:13 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 4, 2013, 8:13 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Lefty Leverenz <le...@gmail.com>.
> On Feb. 23, 2014, 9:47 a.m., Lefty Leverenz wrote:
> > conf/hive-default.xml.template, line 2111
> > <https://reviews.apache.org/r/13845/diff/4/?file=394500#file394500line2111>
> >
> > Agreed on both points. But as typos go, "requestion" is such a lovely word that it ought to be added to the English language. ;)
Oops, thought this would appear with Thejas's comment (the points are "altername" -> "alternate" and "requestion" -> "request").
- Lefty
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review35241
-----------------------------------------------------------
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
> On Feb. 23, 2014, 9:47 a.m., Lefty Leverenz wrote:
> > conf/hive-default.xml.template, line 2111
> > <https://reviews.apache.org/r/13845/diff/4/?file=394500#file394500line2111>
> >
> > Agreed on both points. But as typos go, "requestion" is such a lovely word that it ought to be added to the English language. ;)
>
> Lefty Leverenz wrote:
> Oops, thought this would appear with Thejas's comment (the points are "altername" -> "alternate" and "requestion" -> "request").
:) My linguistic creativity is inversely proportional to my blood caffeine level ...
sorry about the typos.
- Prasad
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review35241
-----------------------------------------------------------
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Lefty Leverenz <le...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review35241
-----------------------------------------------------------
conf/hive-default.xml.template
<https://reviews.apache.org/r/13845/#comment65695>
Agreed on both points. But as typos go, "requestion" is such a lovely word that it ought to be added to the English language. ;)
- Lefty Leverenz
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review36524
-----------------------------------------------------------
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
<https://reviews.apache.org/r/13845/#comment67518>
I don't see this conf being used anywhere in this patch.
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/13845/#comment67536>
thanks for adding javadoc/comments!
service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
<https://reviews.apache.org/r/13845/#comment67538>
should we not call this from .close() as well ? We can do that in a follow up jira if necessary.
- Thejas Nair
On March 4, 2014, 10:47 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated March 4, 2014, 10:47 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/pom.xml 7449430
> beeline/src/java/org/apache/hive/beeline/BeeLine.java 563d242
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
> beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 388a604
> conf/hive-default.xml.template 3f01e0b
> data/files/ProxyAuth.res PRE-CREATION
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 4102d7a
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
> service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review36539
-----------------------------------------------------------
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
<https://reviews.apache.org/r/13845/#comment67542>
Never mind. please ignore.
- Thejas Nair
On March 4, 2014, 10:47 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated March 4, 2014, 10:47 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/pom.xml 7449430
> beeline/src/java/org/apache/hive/beeline/BeeLine.java 563d242
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
> beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 388a604
> conf/hive-default.xml.template 3f01e0b
> data/files/ProxyAuth.res PRE-CREATION
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 4102d7a
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
> service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Vaibhav Gumashta <vg...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review39522
-----------------------------------------------------------
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment71937>
What does (hiveAuthFactory == null) mean?
- Vaibhav Gumashta
On March 10, 2014, 6:39 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated March 10, 2014, 6:39 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/pom.xml 02bfaaa
> beeline/src/java/org/apache/hive/beeline/BeeLine.java e63a3b0
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
> beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java edc3d38
> conf/hive-default.xml.template a5a85b4
> data/files/ProxyAuth.res PRE-CREATION
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 607fc7a
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 71dc592
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
> service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Vaibhav Gumashta <vg...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review36906
-----------------------------------------------------------
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java
<https://reviews.apache.org/r/13845/#comment68096>
In case of a non-kerberos setup, this will do a doAs twice: one time using TUGIContainingProcessor and the second time at the session level. Actually getting rid of doAs at thrift processor level is a good idea since it ensures proper cleanup, but it might involve more work. HIVE-6312 aims to do that (patch available). I'm not sure if doing doAs twice will lead to any new issues (I don't think so).
- Vaibhav Gumashta
On March 10, 2014, 6:39 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated March 10, 2014, 6:39 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/pom.xml 02bfaaa
> beeline/src/java/org/apache/hive/beeline/BeeLine.java e63a3b0
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
> beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java edc3d38
> conf/hive-default.xml.template a5a85b4
> data/files/ProxyAuth.res PRE-CREATION
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 607fc7a
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 71dc592
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
> service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/
-----------------------------------------------------------
(Updated March 10, 2014, 6:39 p.m.)
Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
Changes
-------
Address the ptest failures in TestSessionHooks and TestSSL.
Bugs: HIVE-5155
https://issues.apache.org/jira/browse/HIVE-5155
Repository: hive-git
Description
-------
Delegation token support -
Enable delegation token connection for HiveServer2
Enhance the TCLIService interface to support delegation token requests
Support passing the delegation token connection type via JDBC URL and Beeline option
Direct proxy access -
Define new proxy user property
Shim interfaces to validate proxy access for a given user
Note that the diff doesn't include thrift generated code.
Diffs (updated)
-----
beeline/pom.xml 02bfaaa
beeline/src/java/org/apache/hive/beeline/BeeLine.java e63a3b0
beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java edc3d38
conf/hive-default.xml.template a5a85b4
data/files/ProxyAuth.res PRE-CREATION
itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 607fc7a
jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 71dc592
service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
Diff: https://reviews.apache.org/r/13845/diff/
Testing
-------
Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
Thanks,
Prasad Mujumdar
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/
-----------------------------------------------------------
(Updated March 4, 2014, 10:47 p.m.)
Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
Changes
-------
Corrected a merge conflict.
Bugs: HIVE-5155
https://issues.apache.org/jira/browse/HIVE-5155
Repository: hive-git
Description
-------
Delegation token support -
Enable delegation token connection for HiveServer2
Enhance the TCLIService interface to support delegation token requests
Support passing the delegation token connection type via JDBC URL and Beeline option
Direct proxy access -
Define new proxy user property
Shim interfaces to validate proxy access for a given user
Note that the diff doesn't include thrift generated code.
Diffs (updated)
-----
beeline/pom.xml 7449430
beeline/src/java/org/apache/hive/beeline/BeeLine.java 563d242
beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 388a604
conf/hive-default.xml.template 3f01e0b
data/files/ProxyAuth.res PRE-CREATION
itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 4102d7a
jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
Diff: https://reviews.apache.org/r/13845/diff/
Testing
-------
Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
Thanks,
Prasad Mujumdar
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/
-----------------------------------------------------------
(Updated March 4, 2014, 8:06 a.m.)
Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
Changes
-------
- Addressed review feedback
- Added support for proxy user for non-kerberos auth case. (eg HS2 has LDAP auth with hadoop cluster using Kerberos)
- Extensive integration test. Given that the functionality requires secure cluster, the test is not fully automated and not a junit test. It can be run to test the functionality after setting up a secure HiveServer2 instance.
Bugs: HIVE-5155
https://issues.apache.org/jira/browse/HIVE-5155
Repository: hive-git
Description
-------
Delegation token support -
Enable delegation token connection for HiveServer2
Enhance the TCLIService interface to support delegation token requests
Support passing the delegation token connection type via JDBC URL and Beeline option
Direct proxy access -
Define new proxy user property
Shim interfaces to validate proxy access for a given user
Note that the diff doesn't include thrift generated code.
Diffs (updated)
-----
beeline/pom.xml 7449430
beeline/src/java/org/apache/hive/beeline/BeeLine.java 563d242
beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java 91e20ec
beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 94178ef
beeline/src/test/org/apache/hive/beeline/ProxyAuthTest.java PRE-CREATION
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 388a604
conf/hive-default.xml.template 3f01e0b
data/files/ProxyAuth.res PRE-CREATION
itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 8210e75
jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 4102d7a
jdbc/src/java/org/apache/hive/jdbc/Utils.java 608837e
service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d8ba3aa
service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
service/src/java/org/apache/hive/service/cli/CLIService.java 2b1e712
service/src/java/org/apache/hive/service/cli/CLIServiceClient.java b9d1489
service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java a31ea94
service/src/java/org/apache/hive/service/cli/ICLIService.java 621d689
service/src/java/org/apache/hive/service/cli/session/HiveSession.java c8fb8ec
service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java d6d0d27
service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java b934ebe
service/src/java/org/apache/hive/service/cli/session/SessionManager.java cec3b04
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 26bda5a
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 3675e86
service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 51c8051
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java e205caa
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/DelegationTokenSecretManager.java 29114f0
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java e15ab4e
shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
Diff: https://reviews.apache.org/r/13845/diff/
Testing
-------
Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
Thanks,
Prasad Mujumdar
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote:
> > beeline/src/java/org/apache/hive/beeline/BeeLine.java, line 547
> > <https://reviews.apache.org/r/13845/diff/4/?file=394495#file394495line547>
> >
> > we should document what this option means, in the usage output, and that it is a hive specific option.
> >
Agreed. will updated the docs according.
> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote:
> > conf/hive-default.xml.template, line 2111
> > <https://reviews.apache.org/r/13845/diff/4/?file=394500#file394500line2111>
> >
> > should "altername" be "alternate" ?
> > requestion => request
> >
Done.
> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote:
> > shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java, line 528
> > <https://reviews.apache.org/r/13845/diff/4/?file=394522#file394522line528>
> >
> > This would mean that to make a user a proxy user, you would need to make the user a proxy user for all of hadoop. In general for security, it is useful to be able to give users only what they need.
> >
> > Webhcat and oozie follow this model AFAIK. Granting a user proxy user privilege for these services does not require you to make the user a proxy user for hadoop (HDFS, MR).
> >
I do agree with the point that we shouldn't be requiring to grant permissions beyond the minimum required. Here's the rationale for the proposed approach -
- For impersonation cases, the middleware user needs to impersonate the end user at Hadoop level (eg Oozie). If we use a different configuration format, then you need to keep those two setting in sycn. That's an administration nightmare.
- If you do want this to be a hive specific setting (eg. for middleware tools that don't need impersonation), then you can always add it to hive-site.xml. This way you don't need a different configuration format or file, and yet keep the privilege specific to hive service.
- Prasad
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review31384
-----------------------------------------------------------
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review31384
-----------------------------------------------------------
beeline/src/java/org/apache/hive/beeline/BeeLine.java
<https://reviews.apache.org/r/13845/#comment59840>
we should document what this option means, in the usage output, and that it is a hive specific option.
conf/hive-default.xml.template
<https://reviews.apache.org/r/13845/#comment59858>
should "altername" be "alternate" ?
requestion => request
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
<https://reviews.apache.org/r/13845/#comment59857>
This would mean that to make a user a proxy user, you would need to make the user a proxy user for all of hadoop. In general for security, it is useful to be able to give users only what they need.
Webhcat and oozie follow this model AFAIK. Granting a user proxy user privilege for these services does not require you to make the user a proxy user for hadoop (HDFS, MR).
- Thejas Nair
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review36000
-----------------------------------------------------------
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
<https://reviews.apache.org/r/13845/#comment66789>
Good point about adding this setting only in hive-site.xml, that way this privilege will be specific only to hive.
On other hand, all hdfs/mr level proxy users will end up getting privileges in hive as well. But I think that is OK, as they already would be privileged users at webhdfs level etc.
- Thejas Nair
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to
HiveServer2
Posted by Prasad Mujumdar <pr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/
-----------------------------------------------------------
(Updated Dec. 5, 2013, 8:08 p.m.)
Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
Changes
-------
Changes per review feedback
Bugs: HIVE-5155
https://issues.apache.org/jira/browse/HIVE-5155
Repository: hive-git
Description
-------
Delegation token support -
Enable delegation token connection for HiveServer2
Enhance the TCLIService interface to support delegation token requests
Support passing the delegation token connection type via JDBC URL and Beeline option
Direct proxy access -
Define new proxy user property
Shim interfaces to validate proxy access for a given user
Note that the diff doesn't include thrift generated code.
Diffs (updated)
-----
beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
conf/hive-default.xml.template c61a0bb
itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
service/if/TCLIService.thrift 62a9730
service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
Diff: https://reviews.apache.org/r/13845/diff/
Testing
-------
Since this requires kerberos setup, its tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
Thanks,
Prasad Mujumdar