[
https://issues.apache.org/jira/browse/HIVE-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Devaraj Das updated HIVE-1696:
------------------------------
Attachment: hive-1696-1.patch
Patch with a little bit of refactoring on the previous patch. I also removed
the code for checking whether a client is kerberos authenticated in the
getDelegationToken and renewDelegationToken methods. That requires some changes
in a Hadoop security API to have a cleaner implementation. We can do that in a
follow up jira.
> Add delegation token support to metastore
> -----------------------------------------
>
> Key: HIVE-1696
> URL: https://issues.apache.org/jira/browse/HIVE-1696
> Project: Hive
> Issue Type: Sub-task
> Components: Metastore, Security, Server Infrastructure
> Reporter: Todd Lipcon
> Fix For: 0.7.0
>
> Attachments: hive-1696-1-with-gen-code.patch, hive-1696-1.patch,
> hive_1696.patch, hive_1696.patch, hive_1696_no-thrift.patch
>
>
> As discussed in HIVE-842, kerberos authentication is only sufficient for
> authentication of a hive user client to the metastore. There are other cases
> where thrift calls need to be authenticated when the caller is running in an
> environment without kerberos credentials. For example, an MR task running as
> part of a hive job may want to report statistics to the metastore, or a job
> may be running within the context of Oozie or Hive Server.
> This JIRA is to implement support of delegation tokens for the metastore. The
> concept of a delegation token is borrowed from the Hadoop security design -
> the quick summary is that a kerberos-authenticated client may retrieve a
> binary token from the server. This token can then be passed to other clients
> which can use it to achieve authentication as the original user in lieu of a
> kerberos ticket.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
