[ https://issues.apache.org/jira/browse/HIVE-13952?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Trystan Leftwich updated HIVE-13952:
------------------------------------
    Attachment: HIVE-13952.patch

> Add the ability to specify the AuthorizationId to Delegate to a user when
> running in Kerberos Mode.
> ---------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-13952
>                 URL: https://issues.apache.org/jira/browse/HIVE-13952
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Trystan Leftwich
>            Priority: Minor
>         Attachments: HIVE-13952.patch
>
>
> The improvement here is that when you are using the AuthorizationID to
> Delegate to a user, the current SaslGssCallbackHandler will error out because
> the AuthorizationID and AuthenticationID won't match. Usually the
> AuthorizationID is null and the handshake sets it to equal AuthenticationID,
> but if you've already pre-set it the Handshake will pass that to the
> CallBackHandler, which will cause the error.
> The use case for this change is as follows:
> Setting the AuthorizationID when connecting via JDBC is a form of
> impersonation. This is usually because you have a service in front of Hive
> delegating to Hive via JDBC and using the AuthorizationID to delegate rather
> than proxy user. This coincides with using Active Directory as your
> Kerberos Back end and wanting to use their Delegation/Constrained Delegation
> Feature.
> This is not uncommon. Both
> [Zookeeper|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java#L120]
> and [Apache
> Storm|https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java#L86]
> do something similar.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
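
The check the issue describes, as an added example that is not taken from HIVE-13952.patch or from Hive's own code: a SASL server callback handler that accepts a pre-set AuthorizationID only when the Kerberos-authenticated principal is on an allowlist of delegating services. The class name, the allowlist and the principals are hypothetical, constructed values.

```java
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;

// Hypothetical handler for illustration; not Hive's SaslGssCallbackHandler.
public class DelegatingGssCallbackHandler implements CallbackHandler {
    // Assumption: principals of front-end services allowed to act for other users.
    private final Set<String> trustedDelegators;

    public DelegatingGssCallbackHandler(Set<String> trustedDelegators) {
        this.trustedDelegators = Set.copyOf(trustedDelegators);
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof AuthorizeCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            AuthorizeCallback ac = (AuthorizeCallback) cb;
            String authnId = ac.getAuthenticationID(); // principal proven by Kerberos
            String authzId = ac.getAuthorizationID();  // identity the client asks to act as
            if (authzId == null || authzId.isEmpty() || authzId.equals(authnId)) {
                // Usual case: no delegation requested, the IDs match.
                ac.setAuthorized(true);
                ac.setAuthorizedID(authnId);
            } else if (trustedDelegators.contains(authnId)) {
                // Pre-set AuthorizationID from a trusted front-end service.
                ac.setAuthorized(true);
                ac.setAuthorizedID(authzId);
            } else {
                // Mismatch from an untrusted principal: refuse the impersonation.
                ac.setAuthorized(false);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String gateway = "gateway/host.example.com@EXAMPLE.COM"; // constructed sample
        CallbackHandler handler = new DelegatingGssCallbackHandler(Set.of(gateway));
        AuthorizeCallback delegated = new AuthorizeCallback(gateway, "alice");
        AuthorizeCallback refused = new AuthorizeCallback("bob@EXAMPLE.COM", "alice");
        handler.handle(new Callback[] {delegated, refused});
        System.out.println(delegated.isAuthorized() + " as " + delegated.getAuthorizedID());
        System.out.println(refused.isAuthorized());
    }
}
```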