> On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
> > service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 68
> > <https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68>
> >
> >     Can you push this to HadoopThriftAuthBridge.Client#createClientTransport
> >     just like the way the else portion does instead of the
> >     createSubjectAssumedTransport method? From within the method you can
> >     return the TSubjectAssumingTransport.
>
> Shivaraju Gowda wrote:
>     Again this was in my first cut. I was passing the value as "tokenStrForm"
>     parameter to keep the method signature same. I later moved away from it
>     since it was not elegant and changing the method signature involved
>     broader implications. I felt this functionality didn't belong in Hadoop
>     shim layer. Having the change in there also meant one more jar getting
>     affected (hive-exec.jar).
>
> Shivaraju Gowda wrote:
>     Another issue was the dependency on hadoop.core.jar. The calls
>     AuthMethod.valueOf(AuthMethod.class, methodStr) and
>     SaslRpcServer.splitKerberosName(serverPrincipal) in
>     HadoopThriftAuthBridge.Client#createClientTransport are from
>     hadoop.core.jar

Actually in case of a Kerberos setting, those jars are already required in the
client's classpath
(https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster
- check "Running the JDBC Sample Code" section). And this jira is applicable
only to a Kerberos setup.


> On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
> > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
> > <https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136>
> >
> >     I think, instead of having to do identityContext equals
> >     "fromKerberosSubject", we can just use assumeSubject equals true/false,
> >     keeping the default to false.
>
> Shivaraju Gowda wrote:
>     Passing it as "assumeSubject" boolean URL property was my first cut.
>     However I thought "assumeSubject" itself doesn't convey the message for
>     its intended use in and of itself (need to refer to the documentation)
>     and making it key-value pair might give it some more meaning and there is
>     also a possibility of it being later used for other use cases (say
>     hypothetically the value can be fromKeyTab, fromTicketCache or fromLogin
>     etc.).
>
> Shivaraju Gowda wrote:
>     Do you think it might be better if we use auth property here, i.e.
>     auth=fromKerberosSubject. Right now the only values for auth=noSasl.

auth property is kind of meant to map to the hiveserver2 auth modes [none,
sasl, nosasl, kerberos]. The way it is used currently is not very clean and
there are some jiras out there to clean that up and make the mapping more
evident.


- Vaibhav


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18464/#review35730
-----------------------------------------------------------


On Feb. 25, 2014, 2:50 p.m., Kevin Minder wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18464/
> -----------------------------------------------------------
>
> (Updated Feb. 25, 2014, 2:50 p.m.)
>
>
> Review request for hive, Kevin Minder and Vaibhav Gumashta.
>
>
> Bugs: HIVE-6486
>     https://issues.apache.org/jira/browse/HIVE-6486
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> Support secure Subject.doAs() in HiveServer2 JDBC client
>
>
> Diffs
> -----
>
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 17b4d39
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb
>   service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java PRE-CREATION
>
> Diff: https://reviews.apache.org/r/18464/diff/
>
>
> Testing
> -------
>
> Manual testing
>
>
> Thanks,
>
> Kevin Minder
>