-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/#review23711
-----------------------------------------------------------


data/conf/hive-site.xml
<https://reviews.apache.org/r/12824/#comment47589>

    This change should go into conf/hive-default.xml.template. data/conf/hive-site.xml is meant to be used for overriding config parameters for the tests. In this case, as the default value is being used, this file does not need changing.


jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/12824/#comment47597>

    The HIVE_AUTH_TYPE env variable is called "auth". Should we use something more descriptive like "sasl.qop" as the variable that sets the QOP level?


jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/12824/#comment47590>

    It is a good general practice to chain the exceptions.
    - throw new SQLException("Invalid " + HIVE_AUTH_TYPE + " parameter. " + e.getMessage(), "42000", e);


service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
<https://reviews.apache.org/r/12824/#comment47596>

    I think hadoop.rpc.protection being set to a higher level than hive.server2.thrift.rpc.protection does not make sense in most situations (you would want to have more security in the transport that is likely to be more unsecure. The HS2 -> client transport could be over a corporate-wide wi-fi network).
    Should we warn if such a configuration is seen?


shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
<https://reviews.apache.org/r/12824/#comment47595>

    This function is called from the hive metastore client. Using SaslRpcServer.SASL_PROPS here means that setting hadoop.rpc.protection will determine the QOP level, if we make a call to SaslRpcServer.init(conf) from anywhere in the code. But that function is not being called.
    I think it makes sense to use hadoop.rpc.protection for metastore QOP, since the metastore is usually not exposed 'outside' the cluster, unlike hive server2. It is often viewed as something 'inside the cluster'.

    Should we change this function to take in a configuration object and use that to call SaslRpcServer.init(conf)?


- Thejas Nair


On July 22, 2013, 8:56 p.m., Arup Malakar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/12824/
> -----------------------------------------------------------
>
> (Updated July 22, 2013, 8:56 p.m.)
>
>
> Review request for hive.
>
>
> Bugs: HIVE-4911
>     https://issues.apache.org/jira/browse/HIVE-4911
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.rpc.protection". This would give greater control configuring hive server 2 service.
>
>
> Diffs
> -----
>
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 11c31216495d0c4e454f2627af5c93a9f270b1fe
>   data/conf/hive-site.xml 4e6ff16135833da1a4df12a12a6fe59ad4f870ba
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 00f43511b478c687b7811fc8ad66af2b507a3626
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 1809e1b26ceee5de14a354a0e499aa8c0ab793bf
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb8377aed55e74f0ae18407996bb9e1216f
>   service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION
>   shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 777226f8da0af2235d4294cd6a676fa8192c89e4
>   shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 9b0ec0a75563b41339e6fc747556440fdf83e31e
>
> Diff: https://reviews.apache.org/r/12824/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Arup Malakar
>
>
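
Added example, not part of the review above or of the Hive patch: one way to implement the warning asked about in the HiveAuthFactory.java comment, together with the exception chaining suggested for HiveConnection.java. The class, enum and method names are hypothetical, a plain Map stands in for the Hive configuration object, and the "authentication" default for both keys is an assumption.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.security.sasl.Sasl;

public class QopConfigCheck {
    // Protection levels ordered weakest to strongest, with the SASL QOP token each maps to.
    enum Protection {
        AUTHENTICATION("auth"), INTEGRITY("auth-int"), PRIVACY("auth-conf");
        final String saslQop;
        Protection(String saslQop) { this.saslQop = saslQop; }

        static Protection parse(String key, String value) {
            try {
                return valueOf(value.trim().toUpperCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                // Chain the cause so the original failure stays in the stack trace.
                throw new IllegalArgumentException("Invalid value '" + value + "' for " + key, e);
            }
        }
    }

    /** Returns a warning when the in-cluster level exceeds the client-facing one, else null. */
    static String checkLevels(Map<String, String> conf) {
        Protection rpc = Protection.parse("hadoop.rpc.protection",
                conf.getOrDefault("hadoop.rpc.protection", "authentication")); // assumed default
        Protection hs2 = Protection.parse("hive.server2.thrift.rpc.protection",
                conf.getOrDefault("hive.server2.thrift.rpc.protection", "authentication"));
        if (rpc.compareTo(hs2) > 0) {
            return "hadoop.rpc.protection=" + rpc + " is stronger than "
                    + "hive.server2.thrift.rpc.protection=" + hs2;
        }
        return null;
    }

    /** SASL properties carrying the negotiated QOP for the given level. */
    static Map<String, String> saslProps(Protection level) {
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, level.saslQop);
        return props;
    }

    public static void main(String[] args) {
        Map<String, String> conf = new HashMap<>(); // constructed sample configuration
        conf.put("hadoop.rpc.protection", "privacy");
        conf.put("hive.server2.thrift.rpc.protection", "integrity");
        System.out.println(checkLevels(conf));
        System.out.println(saslProps(Protection.PRIVACY));
    }
}
```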