[
https://issues.apache.org/jira/browse/HIVE-6486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13926072#comment-13926072
]
Lefty Leverenz commented on HIVE-6486:
--------------------------------------
Okay, thanks for the doc debate. I'll put this in a new subsection under JDBC
Client Setup for a Secure Cluster:
[HiveServer2 Clients
|https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients]
* Beeline
* JDBC
** Connection URL for Remote or Embedded Mode
** Using JDBC
** JDBC Data Types
** JDBC Client Setup for a Secure Cluster
*** _Using Kerberos with a Pre-Authenticated Subject_ (subject to change)
* Python Client
And I'll add something about middleware (based on your comments & the jira
description) then once it's in place you can both take a look, tinker with the
section name and text, add material, move things around -- whatever it takes to
improve the doc.
Should the Admin doc also link to this? For example:
* [Setting Up HiveServer2: Authentication/Security Configuration
|https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Authentication/SecurityConfiguration]
** Configuration
** Impersonation
** Integrity/Confidentiality Protection
** _Passing Kerberos Subject Through the Middleware Server_ (brief statement
with links to doc & jiras)
> Support secure Subject.doAs() in HiveServer2 JDBC client.
> ---------------------------------------------------------
>
> Key: HIVE-6486
> URL: https://issues.apache.org/jira/browse/HIVE-6486
> Project: Hive
> Issue Type: Improvement
> Components: Authentication, HiveServer2, JDBC
> Affects Versions: 0.11.0, 0.12.0
> Reporter: Shivaraju Gowda
> Assignee: Shivaraju Gowda
> Fix For: 0.13.0
>
> Attachments: HIVE-6486.1.patch, HIVE-6486.2.patch, HIVE-6486.3.patch,
> Hive_011_Support-Subject_doAS.patch, TestHive_SujectDoAs.java
>
>
> HIVE-5155 addresses the problem of kerberos authentication in multi-user
> middleware server using proxy user. In this mode the principal used by the
> middle ware server has privileges to impersonate selected users in
> Hive/Hadoop.
> This enhancement is to support Subject.doAs() authentication in Hive JDBC
> layer so that the end users Kerberos Subject is passed through in the middle
> ware server. With this improvement there won't be any additional setup in the
> server to grant proxy privileges to some users and there won't be need to
> specify a proxy user in the JDBC client. This version should also be more
> secure since it won't require principals with the privileges to impersonate
> other users in Hive/Hadoop setup.
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
