[
https://issues.apache.org/jira/browse/HIVE-5155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13767558#comment-13767558
]
Hive QA commented on HIVE-5155:
-------------------------------
{color:red}Overall{color}: -1 at least one tests failed
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12603083/HIVE-5155.3.patch
{color:red}ERROR:{color} -1 due to 1 failed/errored test(s), 3107 tests executed
*Failed tests:*
{noformat}
org.apache.hive.jdbc.TestJdbcDriver2.testBadURL
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/745/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/745/console
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests failed with: TestsFailedException: 1 tests failed
{noformat}
This message is automatically generated.
> Support secure proxy user access to HiveServer2
> -----------------------------------------------
>
> Key: HIVE-5155
> URL: https://issues.apache.org/jira/browse/HIVE-5155
> Project: Hive
> Issue Type: Improvement
> Components: Authentication, HiveServer2, JDBC
> Affects Versions: 0.12.0
> Reporter: Prasad Mujumdar
> Assignee: Prasad Mujumdar
> Attachments: HIVE-5155-1-nothrift.patch, HIVE-5155.1.patch,
> HIVE-5155.2.patch, HIVE-5155.3.patch, HIVE-5155-noThrift.2.patch,
> ProxyAuth.java
>
>
> The HiveServer2 can authenticate a client using via Kerberos and impersonate
> the connecting user with underlying secure hadoop. This becomes a gateway for
> a remote client to access secure hadoop cluster. Now this works fine for when
> the client obtains Kerberos ticket and directly connects to HiveServer2.
> There's another big use case for middleware tools where the end user wants to
> access Hive via another server. For example Oozie action or Hue submitting
> queries or a BI tool server accessing to HiveServer2. In these cases, the
> third party server doesn't have end user's Kerberos credentials and hence it
> can't submit queries to HiveServer2 on behalf of the end user.
> This ticket is for enabling proxy access to HiveServer2 for third party tools
> on behalf of end users. There are two parts of the solution proposed in this
> ticket:
> 1) Delegation token based connection for Oozie (OOZIE-1457)
> This is the common mechanism for Hadoop ecosystem components. Hive Remote
> Metastore and HCatalog already support this. This is suitable for tool like
> Oozie that submits the MR jobs as actions on behalf of its client. Oozie
> already uses similar mechanism for Metastore/HCatalog access.
> 2) Direct proxy access for privileged hadoop users
> The delegation token implementation can be a challenge for non-hadoop
> (especially non-java) components. This second part enables a privileged user
> to directly specify an alternate session user during the connection. If the
> connecting user has hadoop level privilege to impersonate the requested
> userid, then HiveServer2 will run the session as that requested user. For
> example, user Hue is allowed to impersonate user Bob (via core-site.xml proxy
> user configuration). Then user Hue can connect to HiveServer2 and specify Bob
> as session user via a session property. HiveServer2 will verify Hue's proxy
> user privilege and then impersonate user Bob instead of Hue. This will enable
> any third party tool to impersonate alternate userid without having to
> implement delegation token connection.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
