[ 
https://issues.apache.org/jira/browse/HIVE-6486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13915453#comment-13915453
 ] 

Shivaraju Gowda commented on HIVE-6486:
---------------------------------------

 > you mean cases where the client's Subject is already set up before issuing 
 > the JDBC calls - right?

Correct, just like in the attached test program.

Looking at the static initializations of configurations in the 
UserGroupInformation code, I think the Kerberos authentication mechanism in 
hadoop-core.jar is designed for Hadoop components which typically have one 
principal and the login is done statically (using keyTab, ticket cache or 
kinit). This is fine if the user has control of the setup and there is only one 
user. However, it doesn't fit well if you are using it in the Hive JDBC driver 
on a multi-user system with dynamic logins. 
This patch addresses that deficit without duplicating the Kerberos 
authentication mechanism code in Hive. It does that by changing the Hive JDBC 
driver to make use of a passed-in Kerberos authentication. The onus of the 
authentication is left to the user, giving them flexibility to choose however 
they want to authenticate. 

Since there is no Kerberos-related authentication code, I felt that the changes 
can fit in the JDBC side. The main change is to open the client transport in 
the current context's Subject.doAs().

> Support secure Subject.doAs() in HiveServer2 JDBC client.
> ---------------------------------------------------------
>
>                 Key: HIVE-6486
>                 URL: https://issues.apache.org/jira/browse/HIVE-6486
>             Project: Hive
>          Issue Type: Improvement
>          Components: JDBC
>    Affects Versions: 0.11.0, 0.12.0
>            Reporter: Shivaraju Gowda
>         Attachments: Hive_011_Support-Subject_doAS.patch, 
> TestHive_SujectDoAs.java
>
>
> HIVE-5155 addresses the problem of Kerberos authentication in a multi-user 
> middleware server using a proxy user. In this mode the principal used by the 
> middleware server has privileges to impersonate selected users in 
> Hive/Hadoop. 
> This enhancement is to support Subject.doAs() authentication in the Hive JDBC 
> layer so that the end user's Kerberos Subject is passed through in the 
> middleware server. With this improvement there won't be any additional setup 
> in the server to grant proxy privileges to some users and there won't be a 
> need to specify a proxy user in the JDBC client. This version should also be 
> more secure since it won't require principals with the privileges to 
> impersonate other users in the Hive/Hadoop setup.
>  



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
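
The calling pattern the comment describes, as an added sketch that is not the attached test program or code from the patch: each end user gets their own JAAS login and the JDBC connection is opened inside that user's Subject.doAs(). It assumes a driver that opens its transport in the caller's Subject as the patch does; the class name, host, realm, principals and keytab paths are constructed placeholders, and keytab login is only one of the ways a caller might authenticate.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class PerUserHiveConnection {
    // Constructed placeholder URL: host, port and service principal are not from the issue.
    static final String URL = "jdbc:hive2://hs2.example.com:10000/default;"
            + "principal=hive/hs2.example.com@EXAMPLE.COM";

    // In-memory JAAS configuration built per login, so no JVM-wide static
    // login state is shared between end users.
    static Configuration keytabConfig(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Authenticates one end user, then opens the connection as that Subject.
    // No proxy-user privilege is involved: the server sees the end user's own ticket.
    static Connection connectAs(String principal, String keytab) throws Exception {
        LoginContext lc = new LoginContext("hive-client", null, null,
                keytabConfig(principal, keytab));
        lc.login();
        Subject subject = lc.getSubject();
        return Subject.doAs(subject,
                (PrivilegedExceptionAction<Connection>) () -> DriverManager.getConnection(URL));
    }

    public static void main(String[] args) throws Exception {
        // Two constructed users served by the same middleware JVM, each with its own Subject.
        try (Connection a = connectAs("alice@EXAMPLE.COM", "/etc/security/alice.keytab");
             Connection b = connectAs("bob@EXAMPLE.COM", "/etc/security/bob.keytab")) {
            System.out.println(a.getMetaData().getUserName() + " / " + b.getMetaData().getUserName());
        }
    }
}
```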
