Posted to issues@hive.apache.org by "Sourabh Goyal (Jira)" <ji...@apache.org> on 2022/05/12 19:10:00 UTC

[jira] [Comment Edited] (HIVE-26071) JWT authentication for Thrift over HTTP in HiveMetaStore

    [ https://issues.apache.org/jira/browse/HIVE-26071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17536298#comment-17536298 ] 

Sourabh Goyal edited comment on HIVE-26071 at 5/12/22 7:09 PM:
---------------------------------------------------------------

[~adondon] : Please find the answers.
 * Would it be possible to run both protocols at the same time (Thrift and HTTP)?

      - No. Only one mode can be enabled. But if there is a need, it should be easy to extend the current implementation to support both modes together.

 * What about the Authenticator interface, to get for example the username or groups in the JWT claims? From what I saw (but I am not sure), the Authenticator interface is quite coupled with the Hadoop/Kerberos UGI?

      - You are right, the authentication in JWT is not coupled with Kerberos. The user is expected to set the username (in the subject field) in the JWT and send that JWT in the request header to the metastore server. The server, after validating the token, extracts the username from the subject field and executes the operation as that user via ugi.doAs().

 * Is there already a design today to allow something like a storage-based authorization implementation, where the authenticator can get information on who is authenticated but is not Hadoop related?

      - Not sure if I understand it correctly. In the current implementation, the metastore server, during the start phase, fetches the JWKS from a configurable URL and validates all future JWTs using this set.

Let me know if you have any thoughts/concerns.



> JWT authentication for Thrift over HTTP in HiveMetaStore
> --------------------------------------------------------
>
>                 Key: HIVE-26071
>                 URL: https://issues.apache.org/jira/browse/HIVE-26071
>             Project: Hive
>          Issue Type: New Feature
>          Components: Standalone Metastore
>            Reporter: Sourabh Goyal
>            Assignee: Sourabh Goyal
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> HIVE-25575 recently added support for JWT authentication in HS2. This Jira aims to add the same feature in HMS.
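
The validation flow described in the answers above (the metastore fetches a JWKS from a configured URL, validates each incoming JWT against it, takes the user from the subject claim, then runs the operation under ugi.doAs()), as an added standard-library-only Python model that is not Hive's code: kid lookup, RS256 allowlist, PKCS#1 v1.5 signature check and exp check on the metastore side, plus a constructed issuer so it runs offline. All names here (verify_rs256, demo_token, DEMO_JWKS, the "demo-kid" key id) are assumptions made for the example, and the RSA modulus is a throwaway fixture built from two public Mersenne primes.

```python
import base64, hashlib, hmac, json, time
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec 9.2, note 1

def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def emsa_pkcs1_v15(signing_input: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 over SHA-256, k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token: str, jwks: dict, now=None) -> str:
    """Metastore side: allowlist alg, find the kid in the cached JWKS, check the RSA signature and
    exp, and return 'sub', the identity the server would then run the operation as via ugi.doAs()."""
    parts = token.split(".")
    if len(parts) != 3: raise ValueError("malformed token")
    header = json.loads(b64u_dec(parts[0]))
    if header.get("alg") != "RS256": raise ValueError("alg not allowed")  # also rejects 'none' and HS256
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None: raise ValueError("no JWKS key for kid")
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = b64u_dec(parts[2])
    if len(sig) != k: raise ValueError("bad signature length")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")  # RSAVP1, then constant-time compare
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{parts[0]}.{parts[1]}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(parts[1]))
    if claims.get("exp", float("inf")) <= (time.time() if now is None else now): raise ValueError("expired")
    if not claims.get("sub"): raise ValueError("missing sub")
    return claims["sub"]

def is_accepted(token: str, jwks: dict, now=None) -> bool:
    try: verify_rs256(token, jwks, now); return True
    except ValueError: return False

# Issuer side, constructed for this example only. The modulus is the product of two public Mersenne
# primes so the demo is deterministic; anyone can factor it, so it is a test fixture, never a real key.
DEMO_P, DEMO_Q = 2**521 - 1, 2**607 - 1
DEMO_N, DEMO_E = DEMO_P * DEMO_Q, 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))
def jwks_for(n: int, e: int, kid: str) -> dict:  # the document the metastore fetches from its JWKS URL
    enc = lambda i: b64u_enc(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "kid": kid, "alg": "RS256", "n": enc(n), "e": enc(e)}]}
DEMO_JWKS = jwks_for(DEMO_N, DEMO_E, "demo-kid")

def demo_token(claims: dict, kid: str = "demo-kid") -> str:  # client side: a JWT whose 'sub' names the user
    h, p = (b64u_enc(json.dumps(x).encode()) for x in ({"alg": "RS256", "kid": kid}, claims))
    k = (DEMO_N.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big"), DEMO_D, DEMO_N)
    return f"{h}.{p}.{b64u_enc(s.to_bytes(k, 'big'))}"
```

A rotated signing key shows up as an unknown kid, which is why a deployment should refresh the JWKS rather than fetch it only once at startup.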


