Re: Review Request 19599: HiveServer2 secure thrift/http authentication needs to support SPNego

dilli dorai Thu, 27 Mar 2014 10:52:43 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19599/
-----------------------------------------------------------


(Updated March 27, 2014, 5:52 p.m.)


Review request for hive, Ashutosh Chauhan, Thejas Nair, and Vaibhav Gumashta.


Changes
-------

Patch that is rebased with recent repo.


Bugs: HIVE-6697
    https://issues.apache.org/jira/browse/HIVE-6697


Repository: hive-git


Description
-------

See JIra for description
https://issues.apache.org/jira/browse/HIVE-6697


Diffs (updated)
-----

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 551639f 
  conf/hive-default.xml.template 3c3df43 
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 86d2009 
  service/src/java/org/apache/hive/service/cli/CLIService.java e31a74e 
  service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java 
f4cbe91 
  service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 
255a165 
  shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 
80247ec 
  
shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java
 d4cddda 
  shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java 
90c5602 

Diff: https://reviews.apache.org/r/19599/diff/


Testing
-------

## Verification of enhancement with Beeline/JDBC 

### Verified the following calls succeeded getting connection, and listig 
tables, 
when valid spnego.principal and spengo.keytab are specified in hive-site.xml,
and the client has KINITed and has a valid kerberos ticket in cache


!connect 
jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
  dummy dummy-pass org.apache.hive.jdbc.HiveDriver 


!connect 
jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
  dummy dummy-pass org.apache.hive.jdbc.HiveDriver 

### Verified the following call succeeded getting connection, and listig 
tables, 
even if valid spnego.principal or valid spengo.keytab is not  specified in 
hive-site.xml,
as long as valid hive server2 kerberos principal and keytab are specified in 
hive-site.xml,
and the client has KINITed and has a valid kerberos ticket in cache

!connect 
jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
  dummy dummy-pass org.apache.hive.jdbc.HiveDriver 

### Verified the following call failed  getting connection, 
when valid  spnego.principal or valid spengo.keytab is not specified in 
hive-site.xml

!connect 
jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
  dummy dummy-pass org.apache.hive.jdbc.HiveDriver 

## Verification of enhancement with Apache Knox

Apache Knox was able to authenticate to hive server 2 as SPNego client using 
Apache HttpClient,
and list tables, when correct spnego.principal and spengo.keytab are specified 
in hive-site.xml

Apache Knox was not able to authenticate to hive server 2 as SPNego client 
using Apache HttpClient,
when valid spnego.principal or spengo.keytab is not specified in hive-site.xml

## Verification of enhancement with curl

### when valid spnego.principal and spengo.keytab are specified in hive-site.xml
and the client has KINITed and has a valid kerberos ticket in cache

curl -i --negotiate -u : http://hdps.example.com:10001/cliservice

SPNego authentication succeeded and got a HTTP status code 500,
since we did not end Thrift body content

### when valid spnego.principal and spengo.keytab are specified in hive-site.xml
and the client has not KINITed and does not have a  valid kerberos ticket in 
cache

curl -i --negotiate -u : http://hdps.example.com:10001/cliservice

url -i --negotiate -u : http://hdps.example.com:10001/cliservice
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: application/x-thrift;charset=ISO-8859-1
Content-Length: 69
Server: Jetty(7.6.0.v20120127)

Authentication Error: java.lang.reflect.UndeclaredThrowableException


Thanks,

dilli dorai

Re: Review Request 19599: HiveServer2 secure thrift/http authentication needs to support SPNego

Reply via email to