Posted to user@ambari.apache.org by Steve Howard <st...@gmail.com> on 2015/09/17 17:18:24 UTC

LDAP authentication in 2.1.0 with hive.server2.authentication.ldap.baseDN

Ambari 2.1.0 requires a value for the
hive.server2.authentication.ldap.baseDN property. This breaks AD
authentication in Hive, as "uid=whatever,OU=Users,DC=domain,DC=com" is not
a usable string for authentication in AD.

The code path in
org.apache.hive.service.auth.LdapAuthenticationProviderImpl hardcodes
"uid=$username" + baseDN. This does not work in AD. We want to simply
authenticate using the LDAP plugin with username@domain. We ended up
changing the org.apache.hive.service.auth.LdapAuthenticationProviderImpl to
allow this to happen. The real fix is to not require the property to have a
value in Ambari, as Hive even has an "if property is null" conditional check.
As such, by definition the Hive software doesn't require it, so we are
curious as to why Ambari does.

We are currently working with the fix below to
org.apache.hive.service.auth.LdapAuthenticationProviderImpl...

String bindDN;
if (this.baseDN == null) {
  bindDN = user;
} else {
  //bindDN = "uid=" + user + "," + this.baseDN;
  bindDN = user;
}

...but think Ambari should remove the requirement so we can use the
out-of-the-box Hive class.

Are we missing something?
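
The bind-identity choice discussed in this message, as an added example that is not part of the original post and is not Hive's or Ambari's code. The class and method names are hypothetical, and passing a user@domain name through unchanged while keeping the uid= form for plain names is an assumption about the desired behaviour.

```java
import javax.naming.ldap.Rdn;

/** Hypothetical helper, not Hive's class: pick the principal for an LDAP simple bind. */
public class BindPrincipal {

    /**
     * @param user   login name as sent by the client
     * @param baseDN value of hive.server2.authentication.ldap.baseDN; null or blank if unset
     */
    static String resolve(String user, String baseDN) {
        if (user == null || user.trim().isEmpty()) {
            throw new IllegalArgumentException("user name must not be empty");
        }
        // Active Directory accepts a userPrincipalName (user@domain) as the bind
        // identity, so a name in that form is passed through unchanged.
        if (user.indexOf('@') > 0) {
            return user;
        }
        // No base DN configured: bind with the name exactly as given.
        if (baseDN == null || baseDN.trim().isEmpty()) {
            return user;
        }
        // Directory that keys users on uid: build the DN, escaping the value so that
        // characters such as ',' '+' or '=' cannot add or alter RDN components.
        return "uid=" + Rdn.escapeValue(user) + "," + baseDN;
    }

    public static void main(String[] args) {
        String baseDN = "OU=Users,DC=domain,DC=com"; // base DN quoted in the post
        // Constructed sample logins, not taken from any real directory.
        String[] users = { "whatever@domain.com", "whatever", "smith, john" };
        for (String u : users) {
            System.out.println(u + " -> " + resolve(u, baseDN));
        }
        System.out.println("whatever (no baseDN) -> " + resolve("whatever", null));
    }
}
```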

Re: LDAP authentication in 2.1.0 with hive.server2.authentication.ldap.baseDN

Posted by Steve Howard <st...@gmail.com>.
We found this, which is a direct hit for the issue...

https://issues.apache.org/jira/browse/AMBARI-12997

We will work this with Hortonworks.

Thanks,

Steve
