[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

[ASF GitHub Bot (JIRA)]

     [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249453&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249453
 ]

ASF GitHub Bot logged work on HIVE-21783:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/May/19 16:18
            Start Date: 28/May/19 16:18
    Worklog Time Spent: 10m 
      Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288188546
 
 

 ##########
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##########
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
     throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
+    TTransportFactory otherFactory;
+    TTransportFactory noAuthFactory;
+    String hiveHost;
+
+    public DualSaslTransportFactory(TTransportFactory otherFactory, String 
hiveHost)
+            throws LoginException {
+      this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+      this.otherFactory = otherFactory;
+      this.hiveHost = hiveHost;
+    }
+
+    // Return true if the IP address is from the same domain as the server.
+    private boolean isSameDomainConnection(InetAddress remoteInetAddress) {
+      String[] hiveHostSplit = null;
+      if (hiveHost != null) {
+        hiveHostSplit = hiveHost.split("\\.");
+      }
+
+      String clientHostName = remoteInetAddress.getCanonicalHostName();
+      String[] clientHostSplit = null;
+      if (clientHostName != null) {
+        clientHostSplit = clientHostName.split("\\.");
+      }
+
+      // TODO: the callers should also pass the server address or obtain in by 
using some other
+      //  method. Then check whether the connection's remote address is from 
the same domain as
+      //  the server. For now, for the sake of testing, return true. We need 
to understand what
+      //  exactly it means to have connection from the same domain.
+      // For now, two hosts are in the same domain if the last two parts in 
their hostname are same.
+      if (hiveHostSplit.length >= 2 && clientHostSplit.length >= 2) {
 
 Review comment:
   We should check all parts of the hiveHostSplit. So, if hiveHostSplit 
(provided via config) is something like x.example.com, we should ensure that 
(only) everything below x.example.com (i.e. das.x.example.com) qualifies 
instead of checking just the top two levels (which are probably always cloudera 
and com at the final DWX deployment).
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 249453)
    Time Spent: 0.5h  (was: 20m)

> Avoid authentication for connection from the same domain
> --------------------------------------------------------
>
>                 Key: HIVE-21783
>                 URL: https://issues.apache.org/jira/browse/HIVE-21783
>             Project: Hive
>          Issue Type: New Feature
>          Components: HiveServer2
>            Reporter: Ashutosh Bapat
>            Assignee: Ashutosh Bapat
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)