[
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252944&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252944
]
ASF GitHub Bot logged work on HIVE-21783:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 03/Jun/19 06:41
Start Date: 03/Jun/19 06:41
Worklog Time Spent: 10m
Work Description: ashutosh-bapat commented on pull request #648:
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289704206
##########
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
return;
}
}
- // If the cookie based authentication is already enabled, parse the
- // request and validate the request cookies.
- if (isCookieAuthEnabled) {
- clientUserName = validateCookie(request);
- requireNewCookie = (clientUserName == null);
- if (requireNewCookie) {
- LOG.info("Could not validate cookie sent, will try to generate a new
cookie");
- }
- }
- // If the cookie based authentication is not enabled or the request does
- // not have a valid cookie, use the kerberos or password based
authentication
- // depending on the server setup.
- if (clientUserName == null) {
- // For a kerberos setup
- if (isKerberosAuthMode(authType)) {
- String delegationToken =
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
- // Each http request must have an Authorization header
- if ((delegationToken != null) && (!delegationToken.isEmpty())) {
- clientUserName = doTokenAuth(request, response);
- } else {
- clientUserName = doKerberosAuth(request);
+
+ clientIpAddress = request.getRemoteAddr();
+ LOG.debug("Client IP Address: " + clientIpAddress);
+ String trustedDomain = HiveConf.getVar(hiveConf,
ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim();
+
+ // Skip authentication if the connection is from the trusted domain
+ if (!trustedDomain.isEmpty() &&
+ PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(),
trustedDomain)) {
+ LOG.info("No authentication performed because the connecting host " +
request.getRemoteHost() +
Review comment:
Thanks for the detailed explanation.
Here's slight explanation for your "We can only support this for
non-kerberos auth mode (password based)".
We can support this independent of the authentication method configured for
the HiveServer2 to which the client is connecting. But the connection from a
trusted domain should connect as if it's connecting with NOSASL in HTTP mode
and NONE authentication in binary mode.
This means that when the HS2 is configured to use kerberos, there is no way
that a client can connects from a trusted domain and provides kerberos
credentials. It *has to* provide credentials as if it's a password based
authentication (but password will not be used if provided). Any connection from
non-trusted domain should provide kerberos credentials. I think this slight
asymmetry is fine for our use case.
When HS2 is configured to use password based authentication, there's no
difference between a connection from a trusted domain and a connection from
non-trusted domain.
Rest of your explanation makes sense. I have changed the code accordingly.
Please let me know if we need any changes to the config description.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 252944)
Time Spent: 2h 50m (was: 2h 40m)
> Avoid authentication for connection from the same domain
> --------------------------------------------------------
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
> Issue Type: New Feature
> Components: HiveServer2
> Reporter: Ashutosh Bapat
> Assignee: Ashutosh Bapat
> Priority: Major
> Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user.
> This is similar to NONE authentication but only for the connection from the
> same domain.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
