You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hive.apache.org by Stig Rohde Døssing <st...@gmail.com> on 2019/03/13 07:09:57 UTC

Hive-streaming security

Hi,

The hive-hcatalog-streaming client (HiveEndpoint) took a
UserGroupInformation in the constructor for connections, and automatically
wrapped calls as necessary with UserGroupInformation.doAs.

I'm migrating an application from hive-hcatalog-streaming to
hive-streaming. There's no mention of security at
https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2,
and I don't see any doAs in the code. Should I manually wrap calls to
HiveStreamingConnection with doAs, or is this handled by the new client? If
so, is there a list of calls that should be wrapped?

Re: Hive-streaming security

Posted by Stig Rohde Døssing <st...@gmail.com>.

Thanks for the explanation.

Den ons. 13. mar. 2019 kl. 08.54 skrev Prasanth Jayachandran <
pjayachandran@hortonworks.com>:

> Hi,
>
> The hive-hcatalog-streaming client (HiveEndpoint) took a
> UserGroupInformation in the constructor for connections, and automatically
> wrapped calls as necessary with UserGroupInformation.doAs.
>
> I'm migrating an application from hive-hcatalog-streaming to
> hive-streaming. There's no mention of security at
> https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2,
> and I don't see any doAs in the code. Should I manually wrap calls to
> HiveStreamingConnection with doAs, or is this handled by the new client? If
> so, is there a list of calls that should be wrapped?
>

Re: Hive-streaming security

Posted by Prasanth Jayachandran <pj...@hortonworks.com>.

?Yes. That's right. In secure mode, the streaming connection will set hive.metastore.sasl.enabled to true which will create an UGI assuming transport so all thrift calls are done using logged in user.

Thanks and Regards
Prasanth Jayachandran
________________________________
From: Stig Rohde Døssing <st...@gmail.com>
Sent: Wednesday, March 13, 2019 12:44 AM
To: user@hive.apache.org
Subject: Re: Hive-streaming security

Thanks Prasanth. Is the automatic authentication a property of the underlying MetaStoreClient?

Den ons. 13. mar. 2019 kl. 08.34 skrev Prasanth Jayachandran <pj...@hortonworks.com>>:

Hi

If you are logged in, the hive streaming ingest API will use doAs for all metastore calls automatically using the logged in user.

Thanks and Regards
Prasanth Jayachandran
________________________________
From: Stig Rohde Døssing <st...@gmail.com>>
Sent: Wednesday, March 13, 2019 12:19 AM
To: user@hive.apache.org<ma...@hive.apache.org>
Subject: Re: Hive-streaming security

Sorry, should have looked harder. The docs say to log in before invoking the API. I think this means I should be wrapping calls with doAs?

Den ons. 13. mar. 2019 kl. 08.09 skrev Stig Rohde Døssing <st...@gmail.com>>:
Hi,

The hive-hcatalog-streaming client (HiveEndpoint) took a UserGroupInformation in the constructor for connections, and automatically wrapped calls as necessary with UserGroupInformation.doAs.

I'm migrating an application from hive-hcatalog-streaming to hive-streaming. There's no mention of security at https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2, and I don't see any doAs in the code. Should I manually wrap calls to HiveStreamingConnection with doAs, or is this handled by the new client? If so, is there a list of calls that should be wrapped?

Re: Hive-streaming security

Posted by Stig Rohde Døssing <st...@gmail.com>.

Thanks Prasanth. Is the automatic authentication a property of the
underlying MetaStoreClient?

Den ons. 13. mar. 2019 kl. 08.34 skrev Prasanth Jayachandran <
pjayachandran@hortonworks.com>:

> Hi
>
> If you are logged in, the hive streaming ingest API will use doAs for all
> metastore calls automatically using the logged in user.
>
>
> Thanks and Regards
> Prasanth Jayachandran
> ------------------------------
> *From:* Stig Rohde Døssing <st...@gmail.com>
> *Sent:* Wednesday, March 13, 2019 12:19 AM
> *To:* user@hive.apache.org
> *Subject:* Re: Hive-streaming security
>
> Sorry, should have looked harder. The docs say to log in before invoking
> the API. I think this means I should be wrapping calls with doAs?
>
> Den ons. 13. mar. 2019 kl. 08.09 skrev Stig Rohde Døssing <
> stigdoessing@gmail.com>:
>
>> Hi,
>>
>> The hive-hcatalog-streaming client (HiveEndpoint) took a
>> UserGroupInformation in the constructor for connections, and automatically
>> wrapped calls as necessary with UserGroupInformation.doAs.
>>
>> I'm migrating an application from hive-hcatalog-streaming to
>> hive-streaming. There's no mention of security at
>> https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2,
>> and I don't see any doAs in the code. Should I manually wrap calls to
>> HiveStreamingConnection with doAs, or is this handled by the new client? If
>> so, is there a list of calls that should be wrapped?
>>
>

Re: Hive-streaming security

Posted by Prasanth Jayachandran <pj...@hortonworks.com>.

Hi

If you are logged in, the hive streaming ingest API will use doAs for all metastore calls automatically using the logged in user.


Thanks and Regards
Prasanth Jayachandran
________________________________
From: Stig Rohde Døssing <st...@gmail.com>
Sent: Wednesday, March 13, 2019 12:19 AM
To: user@hive.apache.org
Subject: Re: Hive-streaming security

Sorry, should have looked harder. The docs say to log in before invoking the API. I think this means I should be wrapping calls with doAs?

Den ons. 13. mar. 2019 kl. 08.09 skrev Stig Rohde Døssing <st...@gmail.com>>:
Hi,

The hive-hcatalog-streaming client (HiveEndpoint) took a UserGroupInformation in the constructor for connections, and automatically wrapped calls as necessary with UserGroupInformation.doAs.

I'm migrating an application from hive-hcatalog-streaming to hive-streaming. There's no mention of security at https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2, and I don't see any doAs in the code. Should I manually wrap calls to HiveStreamingConnection with doAs, or is this handled by the new client? If so, is there a list of calls that should be wrapped?

Re: Hive-streaming security

Posted by Stig Rohde Døssing <st...@gmail.com>.

Sorry, should have looked harder. The docs say to log in before invoking
the API. I think this means I should be wrapping calls with doAs?

Den ons. 13. mar. 2019 kl. 08.09 skrev Stig Rohde Døssing <
stigdoessing@gmail.com>:

> Hi,
>
> The hive-hcatalog-streaming client (HiveEndpoint) took a
> UserGroupInformation in the constructor for connections, and automatically
> wrapped calls as necessary with UserGroupInformation.doAs.
>
> I'm migrating an application from hive-hcatalog-streaming to
> hive-streaming. There's no mention of security at
> https://cwiki.apache.org/confluence/display/Hive/Streaming+Data+Ingest+V2,
> and I don't see any doAs in the code. Should I manually wrap calls to
> HiveStreamingConnection with doAs, or is this handled by the new client? If
> so, is there a list of calls that should be wrapped?
>