> On Nov. 20, 2014, 6:43 p.m., Prasad Mujumdar wrote: > > Looks fine to me. > > > > I would suggest creating a followup ticket to move the username format > > detection and replacement menthods to PasswdAuthenticationProvider and > > PlainServerCallbackHandler. This way the user name format can be managed by > > individual authentication handlers rather than high level HS2 RPC processor.
Thanks!, filed follow up JIRA HIVE-8928 to explore Prasad's and Szehon's suggestions. - Mohit ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28255/#review62378 ----------------------------------------------------------- On Nov. 19, 2014, 8:49 p.m., Mohit Sabharwal wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/28255/ > ----------------------------------------------------------- > > (Updated Nov. 19, 2014, 8:49 p.m.) > > > Review request for hive. > > > Bugs: HIVE-8916 > https://issues.apache.org/jira/browse/HIVE-8916 > > > Repository: hive-git > > > Description > ------- > > HIVE-8916 : Handle user@domain username under LDAP authentication > > If LDAP is configured with multiple domains for authentication, users can be > in different domains. > > Currently, LdapAuthenticationProviderImpl blindly appends the domain > configured "hive.server2.authentication.ldap.Domain" to the username, which > limits user to that domain. However, under multi-domain authentication, the > username may already include the domain (ex: u...@domain.foo.com). We should > not append a domain if one is already present. > > Also, if username already includes the domain, rest of Hive and authorization > providers still expects the "short name" ("user" and not > "u...@domain.foo.com") for looking up privilege rules, etc. As such, any > domain info in the username should be stripped off. > > > Diffs > ----- > > service/src/java/org/apache/hive/service/ServiceUtils.java PRE-CREATION > > service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java > d075761d079f8a18d7d317483783fe3b801e00d5 > service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java > 3a8ae70d8bd31c9958ea6ae00a2d01c315c80615 > > Diff: https://reviews.apache.org/r/28255/diff/ > > > Testing > ------- > > Configured HS2 for LDAP authentication: > > <property> > <name>hive.server2.authentication</name> > <value>LDAP</value> > </property> > <property> > <name>hive.server2.authentication.ldap.url</name> > <value>ldap://foo.ldap.server.com</value> > </property> > <property> > <name>hive.server2.authentication.ldap.Domain</name> > <value>foo.ldap.domain.com</value> > </property> > > Ran beeline with user names with and without ldap domain, in both cases > authentication works. Before the change, authentication failed if > domain was present in username: > > beeline -u jdbc:hive2://localhost:10000 -n u...@foo.ldap.domain.com -p > TestPassword --debug > > beeline -u jdbc:hive2://localhost:10000 -n user -p TestPassword --debug > > > Thanks, > > Mohit Sabharwal > >
