You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/03/09 18:05:00 UTC
[jira] [Work logged] (HIVE-24543) Support SAML 2.0 as an
authentication mechanism
[ https://issues.apache.org/jira/browse/HIVE-24543?focusedWorklogId=563247&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-563247 ]
ASF GitHub Bot logged work on HIVE-24543:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 09/Mar/21 18:04
Start Date: 09/Mar/21 18:04
Worklog Time Spent: 10m
Work Description: nrg4878 commented on a change in pull request #1791:
URL: https://github.com/apache/hive/pull/1791#discussion_r590599037
##########
File path: service/src/java/org/apache/hive/service/auth/saml/HiveSamlGroupNameFilter.java
##########
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service.auth.saml;
+
+import com.google.common.base.Predicate;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
+import java.util.List;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.pac4j.saml.credentials.SAML2Credentials.SAMLAttribute;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class HiveSamlGroupNameFilter implements Predicate<SAMLAttribute> {
+
+ private static final Logger LOG = LoggerFactory
+ .getLogger(HiveSamlGroupNameFilter.class);
+ private final List<String> groupNames;
+ private static final Splitter COMMA_SPLITTER = Splitter.on(',').trimResults()
+ .omitEmptyStrings();
+ private final String attributeName;
+
+ public HiveSamlGroupNameFilter(HiveConf conf) {
+ String groupNameStr = conf.get(ConfVars.HIVE_SERVER2_SAML_GROUP_FILTER.varname);
+ attributeName = conf.get(ConfVars.HIVE_SERVER2_SAML_GROUP_ATTRIBUTE_NAME.varname, "");
+ ImmutableList.Builder<String> builder = ImmutableList.builder();
+ if (groupNameStr != null && !groupNameStr.isEmpty()) {
+ builder
+ .addAll(COMMA_SPLITTER.split(groupNameStr));
+ }
+ groupNames = builder.build();
+ LOG.debug("Initialized allowed group names as {}", groupNames);
Review comment:
We should not be logging configured user and group filters to the logs regardless of the log levels. User's security configuration might be inadvertently logged to the files that are then distributed. Can you please create a follow up jira to review such statements.
##########
File path: service/src/java/org/apache/hive/service/auth/saml/HiveSamlGroupNameFilter.java
##########
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service.auth.saml;
+
+import com.google.common.base.Predicate;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
+import java.util.List;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.pac4j.saml.credentials.SAML2Credentials.SAMLAttribute;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class HiveSamlGroupNameFilter implements Predicate<SAMLAttribute> {
+
+ private static final Logger LOG = LoggerFactory
+ .getLogger(HiveSamlGroupNameFilter.class);
+ private final List<String> groupNames;
+ private static final Splitter COMMA_SPLITTER = Splitter.on(',').trimResults()
+ .omitEmptyStrings();
+ private final String attributeName;
+
+ public HiveSamlGroupNameFilter(HiveConf conf) {
+ String groupNameStr = conf.get(ConfVars.HIVE_SERVER2_SAML_GROUP_FILTER.varname);
+ attributeName = conf.get(ConfVars.HIVE_SERVER2_SAML_GROUP_ATTRIBUTE_NAME.varname, "");
+ ImmutableList.Builder<String> builder = ImmutableList.builder();
+ if (groupNameStr != null && !groupNameStr.isEmpty()) {
+ builder
+ .addAll(COMMA_SPLITTER.split(groupNameStr));
+ }
+ groupNames = builder.build();
+ LOG.debug("Initialized allowed group names as {}", groupNames);
+ }
+
+ public boolean apply(List<SAMLAttribute> attributes) {
+ if (attributeName.isEmpty() && attributes.size() == 0) {
+ return true;
+ }
+ for (SAMLAttribute attribute : attributes) {
+ if (apply(attribute)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ @Override
+ public boolean apply(SAMLAttribute attribute) {
+ if (attributeName.isEmpty()) {
+ // if attributeName is not configured, then it means groups based
+ // filtering is not enabled and we allow any authenticated user.
+ return true;
+ }
+ if (attribute == null || attribute.getName() == null) {
+ return false;
+ }
+ if (!attributeName.equals(attribute.getName())) {
+ LOG.debug("Attribute name {} did not match with {}", attribute.getName(),
Review comment:
ditto
##########
File path: service/src/java/org/apache/hive/service/auth/saml/HiveSamlGroupNameFilter.java
##########
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service.auth.saml;
+
+import com.google.common.base.Predicate;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
+import java.util.List;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.pac4j.saml.credentials.SAML2Credentials.SAMLAttribute;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class HiveSamlGroupNameFilter implements Predicate<SAMLAttribute> {
+
+ private static final Logger LOG = LoggerFactory
+ .getLogger(HiveSamlGroupNameFilter.class);
+ private final List<String> groupNames;
+ private static final Splitter COMMA_SPLITTER = Splitter.on(',').trimResults()
+ .omitEmptyStrings();
+ private final String attributeName;
+
+ public HiveSamlGroupNameFilter(HiveConf conf) {
+ String groupNameStr = conf.get(ConfVars.HIVE_SERVER2_SAML_GROUP_FILTER.varname);
+ attributeName = conf.get(ConfVars.HIVE_SERVER2_SAML_GROUP_ATTRIBUTE_NAME.varname, "");
+ ImmutableList.Builder<String> builder = ImmutableList.builder();
+ if (groupNameStr != null && !groupNameStr.isEmpty()) {
+ builder
+ .addAll(COMMA_SPLITTER.split(groupNameStr));
+ }
+ groupNames = builder.build();
+ LOG.debug("Initialized allowed group names as {}", groupNames);
+ }
+
+ public boolean apply(List<SAMLAttribute> attributes) {
+ if (attributeName.isEmpty() && attributes.size() == 0) {
+ return true;
+ }
+ for (SAMLAttribute attribute : attributes) {
+ if (apply(attribute)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ @Override
+ public boolean apply(SAMLAttribute attribute) {
+ if (attributeName.isEmpty()) {
+ // if attributeName is not configured, then it means groups based
+ // filtering is not enabled and we allow any authenticated user.
+ return true;
+ }
+ if (attribute == null || attribute.getName() == null) {
+ return false;
+ }
+ if (!attributeName.equals(attribute.getName())) {
+ LOG.debug("Attribute name {} did not match with {}", attribute.getName(),
+ attributeName);
+ return false;
+ }
+ for (String attrVal : attribute.getAttributeValues()) {
+ LOG.debug("Evaluating group name {}", attrVal);
Review comment:
ditto
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 563247)
Time Spent: 5h (was: 4h 50m)
> Support SAML 2.0 as an authentication mechanism
> -----------------------------------------------
>
> Key: HIVE-24543
> URL: https://issues.apache.org/jira/browse/HIVE-24543
> Project: Hive
> Issue Type: New Feature
> Reporter: Vihang Karajgaonkar
> Assignee: Vihang Karajgaonkar
> Priority: Major
> Labels: pull-request-available
> Time Spent: 5h
> Remaining Estimate: 0h
>
> With cloud based deployments, having a SAML 2.0 based authentication support in HS2 will be greatly useful in case of federated or external identity providers like Okta, PingIdentity or Azure AD.
> This authentication mechanism can initially be only supported on http transport mode in HiveServer2 since the SAML 2.0 protocol is primarily designed for web clients.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)