Posted to dev@hive.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/03/03 19:02:45 UTC
Re: Review Request 13845: HIVE-5155: Support secure proxy user access to HiveServer2
> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote:
> > beeline/src/java/org/apache/hive/beeline/BeeLine.java, line 547
> > <https://reviews.apache.org/r/13845/diff/4/?file=394495#file394495line547>
> >
> > we should document what this option means, in the usage output, and that it is a hive specific option.
> >
Agreed. Will update the docs accordingly.
> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote:
> > conf/hive-default.xml.template, line 2111
> > <https://reviews.apache.org/r/13845/diff/4/?file=394500#file394500line2111>
> >
> > should "altername" be "alternate" ?
> > requestion => request
> >
Done.
> On Jan. 8, 2014, 9:43 p.m., Thejas Nair wrote:
> > shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java, line 528
> > <https://reviews.apache.org/r/13845/diff/4/?file=394522#file394522line528>
> >
> > This would mean that to make a user a proxy user, you would need to make the user a proxy user for all of hadoop. In general for security, it is useful to be able to give users only what they need.
> >
> > Webhcat and oozie follow this model AFAIK. Granting a user proxy user privilege for these services does not require you to make the user a proxy user for hadoop (HDFS, MR).
> >
I do agree with the point that we shouldn't require granting permissions beyond the minimum required. Here's the rationale for the proposed approach -
- For impersonation cases, the middleware user needs to impersonate the end user at Hadoop level (e.g. Oozie). If we use a different configuration format, then you need to keep those two settings in sync. That's an administration nightmare.
- If you do want this to be a hive specific setting (e.g. for middleware tools that don't need impersonation), then you can always add it to hive-site.xml. This way you don't need a different configuration format or file, and yet keep the privilege specific to hive service.
- Prasad
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13845/#review31384
-----------------------------------------------------------
On Dec. 5, 2013, 8:08 p.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13845/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2013, 8:08 p.m.)
>
>
> Review request for hive, Brock Noland, Carl Steinbach, and Thejas Nair.
>
>
> Bugs: HIVE-5155
> https://issues.apache.org/jira/browse/HIVE-5155
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Delegation token support -
> Enable delegation token connection for HiveServer2
> Enhance the TCLIService interface to support delegation token requests
> Support passing the delegation token connection type via JDBC URL and Beeline option
>
> Direct proxy access -
> Define new proxy user property
> Shim interfaces to validate proxy access for a given user
>
> Note that the diff doesn't include thrift generated code.
>
>
> Diffs
> -----
>
> beeline/src/java/org/apache/hive/beeline/BeeLine.java c5e36a5
> beeline/src/java/org/apache/hive/beeline/BeeLineOpts.java c3abba3
> beeline/src/java/org/apache/hive/beeline/Commands.java d2d7fd3
> beeline/src/java/org/apache/hive/beeline/DatabaseConnection.java 1de5829
> common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 36503fa
> conf/hive-default.xml.template c61a0bb
> itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 7b1c9da
> jdbc/src/java/org/apache/hadoop/hive/jdbc/HiveConnection.java d08e05b
> jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java ef39573
> jdbc/src/java/org/apache/hive/jdbc/Utils.java 4d75d98
> service/if/TCLIService.thrift 62a9730
> service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java d80649f
> service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 519556c
> service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java 15b1675
> service/src/java/org/apache/hive/service/cli/CLIService.java 8c85386
> service/src/java/org/apache/hive/service/cli/CLIServiceClient.java 14ef54f
> service/src/java/org/apache/hive/service/cli/EmbeddedCLIServiceClient.java 9dca874
> service/src/java/org/apache/hive/service/cli/ICLIService.java f647ce6
> service/src/java/org/apache/hive/service/cli/session/HiveSession.java 00058cc
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java cfda752
> service/src/java/org/apache/hive/service/cli/session/HiveSessionImplwithUGI.java 708f4e4
> service/src/java/org/apache/hive/service/cli/session/SessionManager.java e262b72
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 9df110e
> service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIServiceClient.java 9bb2a0f
> service/src/test/org/apache/hive/service/auth/TestPlainSaslHelper.java 8fa4afd
> service/src/test/org/apache/hive/service/cli/session/TestSessionHooks.java 2fac800
> shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 6ff1a84
> shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java 84f3ddc
> shims/common-secure/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java dc89de1
> shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 0d5615c
> shims/common/src/main/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 03f4e51
>
> Diff: https://reviews.apache.org/r/13845/diff/
>
>
> Testing
> -------
>
> Since this requires Kerberos setup, it's tested by a standalone test program that runs various existing and new secure connection scenarios. The test code is attached to the ticket at https://issues.apache.org/jira/secure/attachment/12600119/ProxyAuth.java
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
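
Added example, not part of the original thread or of the Hive patch: a small audit that reads a core-site.xml and a hive-site.xml and reports, per proxy principal, whether the grant is Hadoop-wide or limited to Hive, following the scoping described in the reply above. It assumes Hadoop's standard hadoop.proxyuser.<user>.hosts/groups keys (not named in the thread); the principals "oozie" and "bi_tool", the host names and the groups are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Hadoop's standard proxy-user keys (an assumption; the thread does not name them).
PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.(.+)\.(hosts|groups)$")

# Constructed sample configs; principals, hosts and groups are hypothetical.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>oozie1.example.com</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>etl</value></property>
</configuration>"""

HIVE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.bi_tool.hosts</name><value>bi1.example.com</value></property>
  <property><name>hadoop.proxyuser.bi_tool.groups</name><value>analysts</value></property>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
</configuration>"""


def proxy_grants(xml_text):
    """Return {principal: {"hosts": ..., "groups": ...}} from one Hadoop-style config."""
    grants = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        match = PROXY_KEY.match(name)
        if match:
            user, kind = match.groups()
            grants.setdefault(user, {})[kind] = (prop.findtext("value") or "").strip()
    return grants


def grant_scopes(core_site, hive_site):
    """Classify each proxy principal by the file that defines its grant."""
    core, hive = proxy_grants(core_site), proxy_grants(hive_site)
    scopes = {}
    for user in sorted(set(core) | set(hive)):
        if user in core:
            # Defined in core-site.xml: honoured by HDFS, MR and Hive alike.
            scopes[user] = "hadoop-wide"
        else:
            # Defined only in hive-site.xml: seen only by the Hive service.
            scopes[user] = "hive-only"
    return scopes


if __name__ == "__main__":
    for user, scope in grant_scopes(CORE_SITE, HIVE_SITE).items():
        print(f"{user}: {scope}")
```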