You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hive.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2017/07/27 19:11:00 UTC

[jira] [Created] (HIVE-17187) WebHCat SPNEGO support is incompleted

Eric Yang created HIVE-17187:
--------------------------------

             Summary: WebHCat SPNEGO support is incompleted
                 Key: HIVE-17187
                 URL: https://issues.apache.org/jira/browse/HIVE-17187
             Project: Hive
          Issue Type: Bug
          Components: WebHCat
    Affects Versions: 1.2.1
            Reporter: Eric Yang


[Some online document|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/spnego_setup_for_webhcat.html] describes how to setup WebHCat with SPNEGO support.  However, there could be multiple services use SPNEGO on the same host.  For example, HBase REST API can also setup to use HTTP principal for SPNEGO support.  When HTTP principal is shared among other services, Hadoop proxy user settings can not identify the origin of doAs call with HTTP principal, is invoked by HBase REST API or WebHCat.  Ideally, WebHCat should keep track of its own service principal independent of SPNEGO principal to ensure that SPNEGO principal is only given authentication access.  SPNEGO principal should not be used in proxy user setting to grant authorization access.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)