Posted to dev@hive.apache.org by "Trystan Leftwich (JIRA)" <ji...@apache.org> on 2016/06/06 14:30:21 UTC

[jira] [Created] (HIVE-13952) Add the ability to specify the AuthorizationId to Delegate to a user when running in Kerberos Mode.

Trystan Leftwich created HIVE-13952:
---------------------------------------

             Summary: Add the ability to specify the AuthorizationId to Delegate to a user when running in Kerberos Mode.
                 Key: HIVE-13952
                 URL: https://issues.apache.org/jira/browse/HIVE-13952
             Project: Hive
          Issue Type: Improvement
            Reporter: Trystan Leftwich
            Priority: Minor


The improvement here is that when you are using the AuthorizationID to delegate to a user, the current SaslGssCallbackHandler will error out because the AuthorizationID and AuthenticationID won't match. Usually the AuthorizationID is null and the handshake sets it to equal the AuthenticationID, but if you've already pre-set it, the handshake will pass that to the CallbackHandler, which will cause the error.

The use case for this change is as follows:

Setting the AuthorizationID when connecting via JDBC is a form of impersonation. This is usually because you have a service in front of Hive delegating to Hive via JDBC and using the AuthorizationID to delegate rather than proxy user. This coincides with using Active Directory as your Kerberos backend and wanting to use its Delegation/Constrained Delegation feature.

This is not uncommon; both [ZooKeeper|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java#L120]
and [Apache Storm|https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java#L86] do something similar.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
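
The following is an added example, not part of the original message and not Hive's code: a SASL server callback handler that accepts a pre-set AuthorizationID differing from the AuthenticationID, but only when the authenticated principal is on an allow-list of delegating services. The class name, the allow-list and the principals are assumptions constructed for illustration.

```java
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;

// Hypothetical handler for illustration; not Hive's SaslGssCallbackHandler.
public class DelegatingGssCallbackHandler implements CallbackHandler {
    // Authenticated principals allowed to act for another user (assumed policy).
    private final Set<String> trustedDelegators;

    public DelegatingGssCallbackHandler(Set<String> trustedDelegators) {
        this.trustedDelegators = trustedDelegators;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof AuthorizeCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized SASL GSSAPI callback");
            }
            AuthorizeCallback ac = (AuthorizeCallback) cb;
            String authnId = ac.getAuthenticationID();
            String authzId = ac.getAuthorizationID();
            // No pre-set authzid: the connection runs as the authenticated identity.
            boolean same = authzId == null || authzId.isEmpty() || authzId.equals(authnId);
            // Pre-set authzid: accept it only from an allow-listed front-end service.
            boolean ok = same || trustedDelegators.contains(authnId);
            ac.setAuthorized(ok);
            if (ok) {
                ac.setAuthorizedID(same ? authnId : authzId);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample principals.
        CallbackHandler h = new DelegatingGssCallbackHandler(
            Set.of("frontend/gw.example.com@EXAMPLE.COM"));
        String[][] cases = {
            {"alice@EXAMPLE.COM", "alice@EXAMPLE.COM"},            // no delegation
            {"frontend/gw.example.com@EXAMPLE.COM", "alice"},      // trusted service delegating
            {"bob@EXAMPLE.COM", "alice"},                          // ordinary user asking to be alice
        };
        for (String[] c : cases) {
            AuthorizeCallback ac = new AuthorizeCallback(c[0], c[1]);
            h.handle(new Callback[] {ac});
            System.out.printf("authn=%s authz=%s authorized=%b%n", c[0], c[1], ac.isAuthorized());
        }
    }
}
```

Without the allow-list check, any principal able to authenticate could name an arbitrary AuthorizationID, so the set of delegating services is the control that keeps this form of impersonation bounded.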