> On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
> > service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 68
> > <https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68>
> >
> > Can you push this to HadoopThriftAuthBridge.Client#createClientTransport just like the way the else portion does instead of the createSubjectAssumedTransport method? From within the method you can return the TSubjectAssumingTransport.
>
> Shivaraju Gowda wrote:
>     Again this was in my first cut. I was passing the value as "tokenStrForm" parameter to keep the method signature same. I later moved away from it since it was not elegant and changing the method signature involved broader implications. I felt this functionality didn't belong in Hadoop shim layer. Having the change in there also meant one more jar getting affected (hive-exec.jar).
>
> Shivaraju Gowda wrote:
>     Another issue was the dependency on hadoop.core.jar. The calls AuthMethod.valueOf(AuthMethod.class, methodStr) and SaslRpcServer.splitKerberosName(serverPrincipal) in HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar.
>
> Vaibhav Gumashta wrote:
>     Actually in case of a kerberos setting, those jars are already required in the client's classpath (https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster - check "Running the JDBC Sample Code" section). And this jira is applicable only to a kerberos setup.

Correct. But my point is we don't have to have that dependency on external Hadoop component for using kerberos in this way.

> On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
> > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
> > <https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136>
> >
> > I think, instead of having to do identityContext equals "fromKerberosSubject", we can just use assumeSubject equals true/false, keeping the default to false.
>
> Shivaraju Gowda wrote:
>     Passing it as "assumeSubject" boolean url property was my first cut. However I thought "assumeSubject" itself doesn't convey the message for its intended use in and of itself (need to refer to the documentation) and making it key-value pair might give it some more meaning and there is also a possibility of it being later used for other use cases (say hypothetically the value can be fromKeyTab, fromTicketCache or fromLogin etc.).
>
> Shivaraju Gowda wrote:
>     Do you think it might be better if we use auth property here, i.e. auth=fromKerberosSubject. Right now the only values for auth=noSasl.
>
> Vaibhav Gumashta wrote:
>     auth property is kind of meant to map to the hiveserver2 auth modes [none, sasl, nosasl, kerberos]. The way it is used currently is not very clean and there are some jiras out there to clean that up and make the mapping more evident.

OK, I look at this feature as an "authentication" mechanism. We are authenticating using the KerberosSubject passed by the user.

- Shivaraju

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18464/#review35730
-----------------------------------------------------------

On Feb. 25, 2014, 6:50 a.m., Kevin Minder wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18464/
> -----------------------------------------------------------
>
> (Updated Feb. 25, 2014, 6:50 a.m.)
>
>
> Review request for hive, Kevin Minder and Vaibhav Gumashta.
>
>
> Bugs: HIVE-6486
>     https://issues.apache.org/jira/browse/HIVE-6486
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Support secure Subject.doAs() in HiveServer2 JDBC client
>
>
> Diffs
> -----
>
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 17b4d39
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb
>   service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java PRE-CREATION
>
> Diff: https://reviews.apache.org/r/18464/diff/
>
>
> Testing
> -------
>
> Manual testing
>
>
> Thanks,
>
> Kevin Minder
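
The subject-assuming pattern discussed in this review, as an added Java sketch that is not code from the patch or from Hive: a transport wrapper whose open() runs under the Subject found in the caller's context and refuses to proceed when there is none. `Transport` and `SubjectAssumingTransport` are hypothetical stand-ins, the Subject is constructed, and the Subject.doAs/Subject.getSubject calls assume a JDK 8 to 17 runtime (JDK 18 and later provide Subject.callAs and Subject.current instead).

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

public class SubjectAssumingDemo {
    // Hypothetical stand-in for a Thrift transport; not a Hive or Thrift type.
    interface Transport { void open() throws Exception; }

    // Wrapper: open() re-enters doAs with the Subject found in the caller's context.
    static final class SubjectAssumingTransport implements Transport {
        private final Transport wrapped;
        SubjectAssumingTransport(Transport wrapped) { this.wrapped = wrapped; }

        @Override
        public void open() throws Exception {
            Subject subject = Subject.getSubject(AccessController.getContext());
            // Fail closed: doAs(null, ...) is legal and would start the
            // handshake with no caller identity attached.
            if (subject == null || subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
                throw new SecurityException("no Kerberos Subject in calling context");
            }
            try {
                Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                    wrapped.open();
                    return null;
                });
            } catch (PrivilegedActionException e) {
                throw e.getException();  // surface the transport's own failure
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Stub transport that reports which identity it would authenticate as.
        Transport stub = () -> System.out.println("open() as "
                + Subject.getSubject(AccessController.getContext()).getPrincipals());
        Transport t = new SubjectAssumingTransport(stub);
        // Constructed Subject; a real client would get it from a JAAS LoginContext.
        Subject alice = new Subject();
        alice.getPrincipals().add(new KerberosPrincipal("alice@EXAMPLE.COM"));
        Subject.doAs(alice, (PrivilegedExceptionAction<Void>) () -> { t.open(); return null; });
        try {
            t.open();  // no Subject in context: must be refused
        } catch (SecurityException expected) {
            System.out.println("refused: " + expected.getMessage());
        }
    }
}
```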