Posted to commits@hive.apache.org by ng...@apache.org on 2021/11/18 15:20:27 UTC
[hive] branch master updated: HIVE-25349: Skip password auth when trusted header is present in the http request(Saihemanth via Naveen Gangam)
This is an automated email from the ASF dual-hosted git repository.
ngangam pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new 280632d HIVE-25349: Skip password auth when trusted header is present in the http request(Saihemanth via Naveen Gangam)
280632d is described below
commit 280632d47f764507b4dcccd524ef8640cc1537b5
Author: saihemanth <sa...@cloudera.com>
AuthorDate: Mon Jul 19 11:33:03 2021 -0700
HIVE-25349: Skip password auth when trusted header is present in the http request(Saihemanth via Naveen Gangam)
---
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java | 5 +++++
.../org/apache/hive/service/cli/thrift/ThriftHttpServlet.java | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index ad60447..ff54593 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3737,6 +3737,11 @@ public class HiveConf extends Configuration {
"The parent node in ZooKeeper used by HiveServer2 when supporting dynamic service discovery."),
HIVE_SERVER2_ZOOKEEPER_PUBLISH_CONFIGS("hive.server2.zookeeper.publish.configs", true,
"Whether we should publish HiveServer2's configs to ZooKeeper."),
+ HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER("hive.server2.proxy.trustheader", "", "This config " +
+ "indicates whether the connection is authenticated before the requests lands on HiveServer2, So that we can" +
+ "avoid the authentication is again in HS2. Default value is empty, if it's value is set to some header say " +
+ "'X-Trusted-Proxy-Auth-Header' then we need to look for this header in the connection string, if present " +
+ "we directly extarct the client name from header."),
// HiveServer2 global init file location
HIVE_SERVER2_GLOBAL_INIT_FILE_LOCATION("hive.server2.global.init.file.location", "${env:HIVE_CONF_DIR}",
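Review bot: The description for HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER never states the precondition that makes this setting safe: HiveServer2 must be reachable only through the authenticating proxy, and that proxy must strip any client-supplied copy of the header. I would add a sentence such as `"Set this only when HiveServer2 accepts HTTP connections exclusively from a proxy that authenticates users and removes this header from incoming client requests."`. The text also has wording defects: the `"...So that we can" + "avoid ..."` concatenation lacks a space and renders as "canavoid", "extarct" should be "extract", and "avoid the authentication is again" should read "avoid authenticating again". The header arrives in the HTTP request, not the "connection string", so that phrase should be corrected too.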
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index f734c40..20274ff 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -222,8 +222,13 @@ public class ThriftHttpServlet extends TServlet {
clientUserName = doSamlAuth(request, response);
}
} else {
- // For password based authentication
- clientUserName = doPasswdAuth(request, authType);
+ String proxyHeader = HiveConf.getVar(hiveConf, ConfVars.HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER).trim();
+ if (!proxyHeader.equals("") && request.getHeader(proxyHeader) != null) { //Trusted header is present, which means the user is already authorized.
+ clientUserName = getUsername(request, authType);
+ } else {
+ // For password based authentication
+ clientUserName = doPasswdAuth(request, authType);
+ }
}
}
}
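Review bot: The new branch at `if (!proxyHeader.equals("") && request.getHeader(proxyHeader) != null)` skips `doPasswdAuth` on the mere presence of a request header. The header's value is never read, and nothing in the hunk checks that the request actually came from the trusted proxy. A request that reaches the HS2 HTTP endpoint without passing through the proxy would therefore be accepted under whatever name `getUsername(request, authType)` returns (presumably taken from the request's own unverified fields; confirm against that method, which is outside the hunk). The branch should also be gated on the peer, for example by matching `request.getRemoteAddr()` against a configured list of proxy addresses or by requiring a mutually authenticated TLS channel, and it should log the client address and user name whenever password authentication is skipped so the bypass is auditable. The inline comment should say "authenticated" rather than "authorized"; the enclosing method starts and ends outside this hunk.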