[jira] [Commented] (HIVE-10115) HS2 running on a Kerberized cluster should offer Kerberos(GSSAPI) and Delegation token(DIGEST) when alternate authentication is enabled

Fri, 05 Feb 2016 17:51:07 -0800 

    [ 
https://issues.apache.org/jira/browse/HIVE-10115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135430#comment-15135430
 ] 

Lefty Leverenz commented on HIVE-10115:
---------------------------------------

Does this need to be documented in the wiki?  If so, please add a TODOC1.3 
label.

Perhaps it belongs in one of these sections:

* [HiveServer2 Clients -- JDBC Client Setup for a Secure Cluster | 
https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster]
* [HiveServer2 Clients -- Advanced Features for Integration with Other Tools | 
https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-AdvancedFeaturesforIntegrationwithOtherTools]
* [Setting Up HiveServer2 -- Authentication/Security Configuration | 
https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Authentication/SecurityConfiguration]

> HS2 running on a Kerberized cluster should offer Kerberos(GSSAPI) and 
> Delegation token(DIGEST) when alternate authentication is enabled
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-10115
>                 URL: https://issues.apache.org/jira/browse/HIVE-10115
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: 1.1.0
>            Reporter: Mubashir Kazia
>            Assignee: Mubashir Kazia
>              Labels: patch
>             Fix For: 1.3.0, 2.1.0
>
>         Attachments: HIVE-10115.0.patch, HIVE-10115.2.patch
>
>
> In a Kerberized cluster when alternate authentication is enabled on HS2, it 
> should also accept Kerberos Authentication. The reason this is important is 
> because when we enable LDAP authentication HS2 stops accepting delegation 
> token authentication. So we are forced to enter username passwords in the 
> oozie configuration.
> The whole idea of SASL is that multiple authentication mechanism can be 
> offered. If we disable Kerberos(GSSAPI) and delegation token (DIGEST) 
> authentication when we enable LDAP authentication, this defeats SASL purpose.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to