[
https://issues.apache.org/jira/browse/HIVE-5155?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Prasad Mujumdar updated HIVE-5155:
----------------------------------
Attachment: (was: ProxyAuth.jar)
> Support secure proxy user access to HiveServer2
> -----------------------------------------------
>
> Key: HIVE-5155
> URL: https://issues.apache.org/jira/browse/HIVE-5155
> Project: Hive
> Issue Type: Improvement
> Components: Authentication, HiveServer2, JDBC
> Affects Versions: 0.12.0
> Reporter: Prasad Mujumdar
> Assignee: Prasad Mujumdar
> Attachments: HIVE-5155-1-nothrift.patch, HIVE-5155-noThrift.2.patch,
> HIVE-5155-noThrift.4.patch, HIVE-5155-noThrift.5.patch, HIVE-5155.1.patch,
> HIVE-5155.2.patch, HIVE-5155.3.patch
>
>
> The HiveServer2 can authenticate a client using via Kerberos and impersonate
> the connecting user with underlying secure hadoop. This becomes a gateway for
> a remote client to access secure hadoop cluster. Now this works fine for when
> the client obtains Kerberos ticket and directly connects to HiveServer2.
> There's another big use case for middleware tools where the end user wants to
> access Hive via another server. For example Oozie action or Hue submitting
> queries or a BI tool server accessing to HiveServer2. In these cases, the
> third party server doesn't have end user's Kerberos credentials and hence it
> can't submit queries to HiveServer2 on behalf of the end user.
> This ticket is for enabling proxy access to HiveServer2 for third party tools
> on behalf of end users. There are two parts of the solution proposed in this
> ticket:
> 1) Delegation token based connection for Oozie (OOZIE-1457)
> This is the common mechanism for Hadoop ecosystem components. Hive Remote
> Metastore and HCatalog already support this. This is suitable for tool like
> Oozie that submits the MR jobs as actions on behalf of its client. Oozie
> already uses similar mechanism for Metastore/HCatalog access.
> 2) Direct proxy access for privileged hadoop users
> The delegation token implementation can be a challenge for non-hadoop
> (especially non-java) components. This second part enables a privileged user
> to directly specify an alternate session user during the connection. If the
> connecting user has hadoop level privilege to impersonate the requested
> userid, then HiveServer2 will run the session as that requested user. For
> example, user Hue is allowed to impersonate user Bob (via core-site.xml proxy
> user configuration). Then user Hue can connect to HiveServer2 and specify Bob
> as session user via a session property. HiveServer2 will verify Hue's proxy
> user privilege and then impersonate user Bob instead of Hue. This will enable
> any third party tool to impersonate alternate userid without having to
> implement delegation token connection.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
