You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/02/01 19:53:00 UTC
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[ https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=718941&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-718941 ]
ASF GitHub Bot logged work on HIVE-25875:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 01/Feb/22 19:52
Start Date: 01/Feb/22 19:52
Worklog Time Spent: 10m
Work Description: hsnusonic commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r796941624
##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
Review comment:
If `authType` contains `"KERBEROS"`, then this condition block will never be executed. Was the plan to support kerberos and SAML in the same time?
##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
// check if this request needs a SAML redirect
- if (needsRedirect(request, response)) {
+ String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+ if ((authHeader == null || authHeader.isEmpty()) && needsRedirect(request, response)) {
doSamlRedirect(request, response);
return;
+ } else if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+ //LDAP Authentication if the header starts with Basic
+ clientUserName = doPasswdAuth(request, HiveAuthConstants.AuthTypes.NONE.toString());
Review comment:
Do we need to handle the case that `HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER` is present?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 718941)
Time Spent: 20m (was: 10m)
> Support multiple authentication mechanisms simultaneously
> ----------------------------------------------------------
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
> Affects Versions: 3.1.0
> Reporter: Naveen Gangam
> Assignee: Sai Hemanth Gantasala
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of HiveServer2. Hive should be able to support multiple auth mechanisms on a single instance especially with http transport. for example, LDAP and SAML. In both cases, HS2 ends up with receiving an Authorization Header in the request. Similarly we could be able to support JWT support or other forms of boundary authentication that is done outside of Hive.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)