Eric Yang created HIVE-17187:
--------------------------------
Summary: WebHCat SPNEGO support is incompleted
Key: HIVE-17187
URL: https://issues.apache.org/jira/browse/HIVE-17187
Project: Hive
Issue Type: Bug
Components: WebHCat
Affects Versions: 1.2.1
Reporter: Eric Yang
[Some online
document|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/spnego_setup_for_webhcat.html]
describes how to setup WebHCat with SPNEGO support. However, there could be
multiple services use SPNEGO on the same host. For example, HBase REST API can
also setup to use HTTP principal for SPNEGO support. When HTTP principal is
shared among other services, Hadoop proxy user settings can not identify the
origin of doAs call with HTTP principal, is invoked by HBase REST API or
WebHCat. Ideally, WebHCat should keep track of its own service principal
independent of SPNEGO principal to ensure that SPNEGO principal is only given
authentication access. SPNEGO principal should not be used in proxy user
setting to grant authorization access.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
