Posted to dev@hive.apache.org by "Mikhail Antonov (JIRA)" <ji...@apache.org> on 2013/08/24 06:52:51 UTC

[jira] [Commented] (HIVE-4707) Support configurable domain name for HiveServer2 LDAP authentication using Active Directory

    [ https://issues.apache.org/jira/browse/HIVE-4707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13749308#comment-13749308 ] 

Mikhail Antonov commented on HIVE-4707:
---------------------------------------

There's an email thread regarding LDAP auth for OpenLDAP:

http://osdir.com/ml/general/2013-08/msg42378.html

Essentially, if baseDN isn't set, then the bind string is formed as follows:

    // setup the security principal
    String bindDN;
    if (baseDN != null) {
        bindDN = "uid=" + user + "," + baseDN;
    } else {
        bindDN = user;
    }

There should be some configuration allowing people to customize this bind string, for example to use cn= instead of uid=.

Can provide a patch if wanted..
                
> Support configurable domain name for HiveServer2 LDAP authentication using Active Directory
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-4707
>                 URL: https://issues.apache.org/jira/browse/HIVE-4707
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 0.11.0
>            Reporter: Prasad Mujumdar
>            Assignee: Prasad Mujumdar
>             Fix For: 0.12.0
>
>         Attachments: HIVE-4707-1.patch
>
>
> LDAP providers like Active Directory use a fully qualified user name in user@domain format. For HiveServer2, LDAP auth can be used with Active Directory by passing the userid in that format. This causes the Hive authentication module to return the username in that mangled format. This prevents LDAP users from being impersonated over secure Hadoop or reported correctly in audit etc.
> HiveServer2 should support a configurable LDAP domain that is appended to the user name.
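
As an added illustration (not Hive's own code and not the patch attached to this issue), the bind-name construction quoted above next to the two configurable variants discussed here: a configurable naming attribute (cn= instead of uid=) and an Active Directory domain appended to the user name, with that domain stripped again before the name is handed to Hadoop impersonation or audit. The class, method and BindConfig field names are assumed for the example; Hive's real property names are not used.

```java
// Added example, not Hive's own code. BindConfig and the method names are assumed.
public final class LdapBindExample {

    /** Hypothetical configuration holder; field names are not Hive properties. */
    static final class BindConfig {
        String baseDN;        // e.g. "ou=people,dc=example,dc=com", or null
        String userAttribute; // "uid" is what the quoted snippet hard-codes; "cn" is the request
        String adDomain;      // e.g. "example.com" for Active Directory, or null
    }

    /** Mirrors the quoted logic: uid=<user>,<baseDN> when baseDN is set, bare user otherwise. */
    static String currentBindDn(String user, String baseDN) {
        return baseDN != null ? "uid=" + user + "," + baseDN : user;
    }

    /** Configurable form: naming attribute and AD domain both come from configuration. */
    static String proposedBindDn(String user, BindConfig cfg) {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("user must not be empty");
        }
        if (cfg.adDomain != null) {
            // Active Directory accepts user@domain as the bind name; do not double-append.
            return user.contains("@") ? user : user + "@" + cfg.adDomain;
        }
        if (cfg.baseDN != null) {
            return cfg.userAttribute + "=" + user + "," + cfg.baseDN;
        }
        return user;
    }

    /** Name for impersonation/audit: drop the domain suffix the issue calls "mangled". */
    static String principalForHadoop(String bindName) {
        int at = bindName.indexOf('@');
        return at < 0 ? bindName : bindName.substring(0, at);
    }

    public static void main(String[] args) {
        BindConfig cn = new BindConfig();
        cn.baseDN = "ou=people,dc=example,dc=com";
        cn.userAttribute = "cn";
        System.out.println(currentBindDn("alice", cn.baseDN));
        System.out.println(proposedBindDn("alice", cn));

        BindConfig ad = new BindConfig();
        ad.adDomain = "example.com";
        String bind = proposedBindDn("alice", ad);
        System.out.println(bind + " -> " + principalForHadoop(bind));
    }
}
```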

--
This message is automatically generated by JIRA.