[
https://issues.apache.org/jira/browse/HIVE-4707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13685031#comment-13685031
]
Prasad Mujumdar commented on HIVE-4707:
---------------------------------------
[~ashutoshc] Thanks for the feedback.
Yes, the mangled name (e.g. foo@bar) works as far as the authentication is
concerned. In that case, HiveServer sees the user name as foo@bar instead of
foo. That makes supporting things like bridging LDAP authentication with
Kerberos impersonation hard. This is a pretty common use case to have
HiveServer2 as a gateway to connect secure Hadoop using a non-Kerberos
authentication mechanism. Due to this username format, you can't make it work
with Active Directory.
Besides, it's a minor usability issue ...
> Support configurable domain name for HiveServer2 LDAP authentication using
> Active Directory
> -------------------------------------------------------------------------------------------
>
> Key: HIVE-4707
> URL: https://issues.apache.org/jira/browse/HIVE-4707
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2
> Affects Versions: 0.11.0
> Reporter: Prasad Mujumdar
> Assignee: Prasad Mujumdar
> Fix For: 0.12.0
>
> Attachments: HIVE-4707-1.patch
>
>
> LDAP providers like Active Directory use a fully qualified user name in
> user@domain format. For HiveServer2, LDAP auth can be used with Active
> Directory by passing the userid in that format. This causes the Hive
> authentication module to return the username in that mangled format. This
> prohibits LDAP users from being impersonated over secure Hadoop or reported
> correctly in audit etc.
> HiveServer2 should support a configurable LDAP domain that is appended to the
> user name.