Trystan Leftwich created HIVE-13952:
---------------------------------------
Summary: Add the ability to specify the AuthorizationId to
Delegate to a user when running in Kerberos Mode.
Key: HIVE-13952
URL: https://issues.apache.org/jira/browse/HIVE-13952
Project: Hive
Issue Type: Improvement
Reporter: Trystan Leftwich
Priority: Minor
The improvement here is that when you are using the AuthorizationID to
delegate to a user, the current SaslGssCallbackHandler will error out because
the AuthorizationID and AuthenticationID won't match. Usually the
AuthorizationID is null and the handshake sets it to equal the AuthenticationID,
but if you've already pre-set it, the handshake will pass that to the
CallbackHandler, which will cause the error.
The use case for this change is as follows:
Setting the AuthorizationID when connecting via JDBC is a form of
impersonation. This is usually because you have a service in front of Hive
delegating to Hive via JDBC and using the AuthorizationID to delegate rather
than proxy user. This coincides with using Active Directory as your
Kerberos back end and wanting to use its Delegation/Constrained Delegation
feature.
This is not uncommon; both
[ZooKeeper|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java#L120]
and
[Apache Storm|https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/ServerCallbackHandler.java#L86]
do something similar.
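An added example, not part of the original issue and not Hive's SaslGssCallbackHandler or any patch attached to it: a SASL server callback handler that accepts an AuthorizationID different from the AuthenticationID only when an explicit policy lets that authenticated principal act for that user. The class name, the allowedDelegations map and the principals are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;

// Hypothetical handler for illustration; not Hive's implementation.
public class DelegatingGssCallbackHandler implements CallbackHandler {
    // Assumed policy: authenticated service principal -> users it may act as.
    private final Map<String, Set<String>> allowedDelegations;

    public DelegatingGssCallbackHandler(Map<String, Set<String>> allowedDelegations) {
        this.allowedDelegations = allowedDelegations;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof AuthorizeCallback)) {
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
            AuthorizeCallback ac = (AuthorizeCallback) cb;
            String authnId = ac.getAuthenticationID();
            String authzId = ac.getAuthorizationID();
            // Null, empty or equal authzid: the ordinary case, the client acts as itself.
            boolean self = authzId == null || authzId.isEmpty() || authzId.equals(authnId);
            // Differing authzid is delegation: deny unless the policy names this pair.
            boolean delegated = !self && authnId != null
                && allowedDelegations.getOrDefault(authnId, Set.of()).contains(authzId);
            ac.setAuthorized(self || delegated);
            if (ac.isAuthorized()) {
                ac.setAuthorizedID(self ? authnId : authzId);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample principals and policy.
        String gateway = "gateway/host.example.com@EXAMPLE.COM";
        CallbackHandler h = new DelegatingGssCallbackHandler(
            Map.of(gateway, Set.of("alice@EXAMPLE.COM")));
        String[][] cases = {{"alice@EXAMPLE.COM", "alice@EXAMPLE.COM"},
            {gateway, "alice@EXAMPLE.COM"}, {"bob@EXAMPLE.COM", "alice@EXAMPLE.COM"}};
        for (String[] c : cases) {
            AuthorizeCallback ac = new AuthorizeCallback(c[0], c[1]);
            h.handle(new Callback[] {ac});
            System.out.println(c[0] + " as " + c[1] + " -> authorized=" + ac.isAuthorized());
        }
    }
}
```

Denying by default keeps the AuthorizationID from becoming a way for any authenticated client to assume another user's identity; only principals listed in the policy can delegate.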