[ 
https://issues.apache.org/jira/browse/HIVE-7193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14589224#comment-14589224
 ] 

Chaoyu Tang commented on HIVE-7193:
-----------------------------------

Thanks [~ngangam] for the patch. It looks good to me. Regarding the concern 
you had about whether the AtnProvider should be changed to be implemented as a 
singleton, I agree with you that you would not address it in this patch for 
the following reasons:
1. The existing code does not implement AtnProvider as a singleton. Making such 
a change might cause some backward compatibility issues. For example, what if a 
user has already implemented and used a CustomAuthenticationProvider which is 
not for a singleton?
2. The patch only adds several additional reads and processing of HiveConf 
properties in the LdapAuthenticationProviderImpl constructor. Compared to LDAP 
authentication itself, its overhead should be trivial and it should not be a 
performance bottleneck.
3. In case it turns out the performance is not desirable due to AtnProvider 
instantiation, we might consider moving some static logic from the constructor 
to a static block to improve runtime performance, or open a separate JIRA to 
initiate the investigation into performance implementation (including singleton 
etc.). But this patch will mainly focus on the LDAP enhancement.
4. As for your concern "don't know what the user-coded 
CustomAuthenticationProvider could do", even if you change the 
AuthenticationProviderFactory and allow it to be implemented as a singleton, 
like you said, we still have no control over how he implements the singleton.
----
In addition, the enhancement including its new configuration properties should 
be properly documented.



> Hive should support additional LDAP authentication parameters
> -------------------------------------------------------------
>
>                 Key: HIVE-7193
>                 URL: https://issues.apache.org/jira/browse/HIVE-7193
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Mala Chikka Kempanna
>            Assignee: Naveen Gangam
>         Attachments: HIVE-7193.2.patch, HIVE-7193.3.patch, HIVE-7193.5.patch, 
> HIVE-7193.patch, LDAPAuthentication_Design_Doc.docx, 
> LDAPAuthentication_Design_Doc_V2.docx
>
>
> Currently Hive has only the following authenticator parameters for LDAP 
> authentication for hiveserver2:
> {code:xml}
> <property> 
>   <name>hive.server2.authentication</name> 
>   <value>LDAP</value> 
> </property> 
> <property> 
>   <name>hive.server2.authentication.ldap.url</name> 
>   <value>ldap://our_ldap_address</value> 
> </property> 
> {code}
> We need to include other LDAP properties as part of hive-LDAP authentication 
> like below:
> {noformat}
> a group search base -> dc=domain,dc=com 
> a group search filter -> member={0} 
> a user search base -> dc=domain,dc=com 
> a user search filter -> sAMAAccountName={0} 
> a list of valid user groups -> group1,group2,group3 
> {noformat}
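
The filter templates and group list requested above take a login name in the `{0}` slot, so that value has to be escaped before it reaches the directory. The following is an added example, not code from the HIVE-7193 patch or from Hive: the function names, the fail-closed handling of an empty group list and the case-insensitive group comparison are assumptions of this sketch, and the sample inputs are constructed.

```python
# Added example (not Hive code): expanding "{0}" filter templates safely and
# checking a user's groups against a configured list of valid groups.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, value):
    """Turn a template such as 'member={0}' into a complete, escaped filter."""
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder")
    return "(" + template.replace("{0}", escape_filter_value(value)) + ")"


def parse_group_list(conf_value):
    """Split a 'group1,group2,group3' property value into a normalized set."""
    return {g.strip().lower() for g in conf_value.split(",") if g.strip()}


def is_authorized(user_groups, allowed_conf):
    """True if the user is in at least one configured group.

    Assumption of this sketch: an empty list authorizes nobody (fail closed)
    and group names compare case-insensitively.
    """
    allowed = parse_group_list(allowed_conf)
    return bool(allowed & {g.strip().lower() for g in user_groups})


if __name__ == "__main__":
    # Constructed inputs: a normal login name and one carrying filter syntax.
    for name in ("jdoe", "*)(objectClass=*"):
        print(expand_filter("sAMAccountName={0}", name))
    print(expand_filter("member={0}", "cn=jdoe,dc=domain,dc=com"))
    print(is_authorized(["Group2"], "group1,group2,group3"))
```
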


