Posted to gitbox@hive.apache.org by GitBox <gi...@apache.org> on 2022/01/19 18:20:54 UTC

[GitHub] [hive] saihemanth-cloudera opened a new pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

saihemanth-cloudera opened a new pull request #2954:
URL: https://github.com/apache/hive/pull/2954


   
   ### What changes were proposed in this pull request?
   Introduces multi-authentication support (SAML/LDAP) in Hive.
   
   
   ### Why are the changes needed?
   So that users can connect to Hive either using SAML or LDAP concurrently.
   
   
   ### Does this PR introduce _any_ user-facing change?
   The config: hive.server2.authentication can take comma-separated value SAML,LDAP. Previously it would only take either SAML or LDAP.
   
   
   ### How was this patch tested?
   Local machine, remote cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org


[GitHub] [hive] nrg4878 commented on a change in pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r797943031



##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             }
           } else if (HiveSamlUtils.isSamlAuthMode(authType)) {
             // check if this request needs a SAML redirect
-            if (needsRedirect(request, response)) {
+            String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+            if ((authHeader == null || authHeader.isEmpty()) && needsRedirect(request, response)) {
               doSamlRedirect(request, response);
               return;
+            } else if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+              //LDAP Authentication if the header starts with Basic
+              clientUserName = doPasswdAuth(request, HiveAuthConstants.AuthTypes.NONE.toString());
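Review bot: the `else if` on the last line of this hunk dereferences `authHeader` without a null check. The guard `if ((authHeader == null || authHeader.isEmpty()) && needsRedirect(request, response))` falls through to `else if(authHeader.toLowerCase().startsWith(...))` whenever the header is absent but `needsRedirect` returns false, and `authHeader.toLowerCase()` then throws a NullPointerException for a request with no Authorization header at all. Suggest nesting the conditions instead: `if (authHeader == null || authHeader.isEmpty()) { if (needsRedirect(request, response)) { doSamlRedirect(request, response); return; } } else if (authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) { ... }`, so the Basic branch is only reached with a non-null header.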

Review comment:
       @hsnusonic to answer your question, yes. This should be the first check in the authentication process. We don't expect this trust header to exist in many scenarios. Sai will be looking to rearrange the code upstream.






[GitHub] [hive] hsnusonic commented on a change in pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

Posted by GitBox <gi...@apache.org>.
hsnusonic commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r796941624



##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             }
           } else if (HiveSamlUtils.isSamlAuthMode(authType)) {

Review comment:
       If `authType` contains `"KERBEROS"`, then this condition block will never be executed. Was the plan to support Kerberos and SAML at the same time?

##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             }
           } else if (HiveSamlUtils.isSamlAuthMode(authType)) {
             // check if this request needs a SAML redirect
-            if (needsRedirect(request, response)) {
+            String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+            if ((authHeader == null || authHeader.isEmpty()) && needsRedirect(request, response)) {
               doSamlRedirect(request, response);
               return;
+            } else if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+              //LDAP Authentication if the header starts with Basic
+              clientUserName = doPasswdAuth(request, HiveAuthConstants.AuthTypes.NONE.toString());
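Review bot: the comment on the Basic branch says LDAP authentication, but the auth type handed to `doPasswdAuth` is `HiveAuthConstants.AuthTypes.NONE.toString()`, not LDAP, and the branch accepts Basic credentials whenever SAML mode is on without checking that LDAP is among the configured types. Please confirm that `doPasswdAuth` resolves the LDAP provider for the NONE value; if it instead selects the anonymous provider, a Basic header would be accepted without a password check. Passing the configured LDAP type explicitly, e.g. `clientUserName = doPasswdAuth(request, HiveAuthConstants.AuthTypes.LDAP.toString());`, and gating the branch on LDAP being enabled would make the intent explicit.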

Review comment:
       Do we need to handle the case that `HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER` is present?






[GitHub] [hive] saihemanth-cloudera closed pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

Posted by GitBox <gi...@apache.org>.
saihemanth-cloudera closed pull request #2954:
URL: https://github.com/apache/hive/pull/2954


   




[GitHub] [hive] nrg4878 commented on a change in pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r797056288



##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             }
           } else if (HiveSamlUtils.isSamlAuthMode(authType)) {
             // check if this request needs a SAML redirect
-            if (needsRedirect(request, response)) {
+            String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+            if ((authHeader == null || authHeader.isEmpty()) && needsRedirect(request, response)) {
               doSamlRedirect(request, response);
               return;
+            } else if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+              //LDAP Authentication if the header starts with Basic
+              clientUserName = doPasswdAuth(request, HiveAuthConstants.AuthTypes.NONE.toString());
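Review bot: style in this hunk: `} else if(authHeader.toLowerCase()...` is missing the space after `if`, and `//LDAP Authentication if the header starts with Basic` needs a space after `//`, to match the surrounding code in this file (`// check if this request needs a SAML redirect`).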

Review comment:
       So HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER is for scenarios when the authentication is performed at a boundary service like Knox/sidecars etc. After the auth is performed, the authenticator will add this TRUST header to the request along with the username and forward the request to the service.
   HS2 will trust that the authentication has already been done and relies on it.






[GitHub] [hive] nrg4878 commented on a change in pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r797053517



##########
File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             }
           } else if (HiveSamlUtils.isSamlAuthMode(authType)) {

Review comment:
       So we have had trouble supporting Kerberos + other forms of authentication in parallel. So the plan is to NOT support parallel auth forms when it is KERBEROS.
   Initially, in HTTP mode, it will be LDAP/SAML/JWT in parallel.




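The dispatch order described across this thread (trust header checked first, a Basic Authorization header routed to LDAP, no header leading to a SAML redirect, and no parallel modes alongside Kerberos), written up as an added example that is not Hive's code: headers are a plain map, the trust header name and the `Decision` outcomes are assumed placeholders, and the check that the request really came from the trusted proxy is assumed to happen before `dispatch` is called.

```java
import java.util.*;

// Added illustration, not HiveServer2 code: models the auth dispatch order discussed in the thread.
public class MultiAuthDispatch {
  enum Decision { TRUSTED_PROXY, LDAP_BASIC, SAML_REDIRECT, SAML_CONTINUE, REJECT }

  // Placeholder name; the real header name is read from HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER.
  static final String TRUST_HEADER = "X-Placeholder-Trust-Header";

  // Parses hive.server2.authentication, e.g. "SAML,LDAP"; KERBEROS is not combinable (per the thread).
  static Set<String> parseAuthTypes(String configValue) {
    Set<String> types = new LinkedHashSet<>();
    for (String t : configValue.split(",")) {
      String v = t.trim().toUpperCase(Locale.ROOT);
      if (!v.isEmpty()) types.add(v);
    }
    if (types.contains("KERBEROS") && types.size() > 1) {
      throw new IllegalArgumentException("KERBEROS cannot run in parallel with other auth types");
    }
    return types;
  }

  // Assumes the caller has already verified the request came from the trusted proxy.
  static Decision dispatch(Set<String> authTypes, Map<String, String> headers) {
    if (headers.containsKey(TRUST_HEADER)) return Decision.TRUSTED_PROXY; // first check, as discussed
    String authHeader = headers.get("Authorization");
    if (authHeader == null || authHeader.isEmpty()) {                     // null-safe: no header at all
      return authTypes.contains("SAML") ? Decision.SAML_REDIRECT : Decision.REJECT;
    }
    if (authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {             // Basic -> LDAP only if configured
      return authTypes.contains("LDAP") ? Decision.LDAP_BASIC : Decision.REJECT;
    }
    return authTypes.contains("SAML") ? Decision.SAML_CONTINUE : Decision.REJECT; // other schemes stay on SAML path
  }

  // HTTP header names are case-insensitive, so lookups must be too.
  static Map<String, String> headers(String... kv) {
    Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
    return m;
  }

  public static void main(String[] args) {
    Set<String> types = parseAuthTypes("SAML,LDAP");
    System.out.println(dispatch(types, headers()));                                        // constructed: no header
    System.out.println(dispatch(types, headers("authorization", "Basic dXNlcjpwYXNz")));  // constructed: Basic
    System.out.println(dispatch(parseAuthTypes("SAML"), headers("Authorization", "Basic x"))); // LDAP not enabled
    System.out.println(dispatch(types, headers(TRUST_HEADER, "1")));                       // proxy-authenticated
  }
}
```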


[GitHub] [hive] nrg4878 commented on pull request #2954: HIVE-25875: Hive support for Multi-authentication types (SAML and LDAP)

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on pull request #2954:
URL: https://github.com/apache/hive/pull/2954#issuecomment-1028883535


   Fix has been merged to master. Please close the PR.

