[ 
https://issues.apache.org/jira/browse/HIVE-6486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shivaraju Gowda updated HIVE-6486:
----------------------------------

    Release Note: 
Using Kerberos with a Pre-Authenticated Subject:
In the current approach to using Kerberos you need a valid Kerberos ticket in 
the ticket cache before connecting. This entails a static login (using kinit, 
a keytab or a ticket cache) and restricts the client to one Kerberos user. 
These restrictions limit usage in multi-user scenarios and in scenarios where 
the client wants to log in to the Kerberos KDC programmatically. Using proxy 
users (see https://issues.apache.org/jira/browse/HIVE-5155 ) is one way to 
mitigate the multi-user problem. The other way is to use a pre-authenticated 
Subject (see https://issues.apache.org/jira/browse/HIVE-6486 ). In this 
method, the Hive JDBC client uses a pre-authenticated Kerberos Subject to 
authenticate to HiveServer2. To use a pre-authenticated Subject you will need 
the following changes.

+ Add hive-exec*.jar to the classpath in addition to the regular Hive JDBC jars 
(commons-configuration-1.6.jar and hadoop-core*.jar are not required).
+ Add the auth=kerberos and kerberosAuthType=fromSubject JDBC URL properties in 
addition to the "principal" URL property (the HiveServer2 service principal).
+ Open the connection in Subject.doAs()

The following code snippet illustrates the usage (refer to 
https://issues.apache.org/jira/browse/HIVE-6486 for complete test case):

        import java.security.PrivilegedExceptionAction;
        import java.sql.Connection;
        import java.sql.DriverManager;
        import java.sql.SQLException;
        import javax.security.auth.Subject;

        // HiveServer2 JDBC driver class; the snippet uses JDBC_DRIVER without
        // defining it, so it is defined here.
        static final String JDBC_DRIVER = "org.apache.hive.jdbc.HiveDriver";

        static Connection getConnection(Subject signedOnUserSubject) throws Exception {
                // Connect inside doAs() so that the Kerberos credentials held by
                // signedOnUserSubject, not the ticket cache, are used for the handshake.
                Connection conn = Subject.doAs(signedOnUserSubject,
                                new PrivilegedExceptionAction<Connection>() {
                        public Connection run() {
                                Connection con = null;
                                // auth=kerberos plus kerberosAuthType=fromSubject selects the
                                // pre-authenticated Subject path; "principal" is HiveServer2's.
                                String JDBC_DB_URL =
                                        "jdbc:hive2://HiveHost:10000/default;principal=hive/localhost.localdom...@example.com;auth=kerberos;kerberosAuthType=fromSubject";
                                try {
                                        Class.forName(JDBC_DRIVER);
                                        con = DriverManager.getConnection(JDBC_DB_URL);
                                } catch (SQLException e) {
                                        e.printStackTrace();
                                } catch (ClassNotFoundException e) {
                                        e.printStackTrace();
                                }
                                return con;
                        }
                });

                return conn;
        }
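The snippet above takes the pre-authenticated Subject as a parameter but does not show where it comes from. The following is an added example, not code from this issue or from the Hive code base, of obtaining that Subject programmatically (the "login to the KDC programmatically" case the release note mentions) rather than from the ticket cache: it builds a JAAS configuration in code for the JDK's Krb5LoginModule, logs in from a keytab, and then opens the connection and runs a query inside Subject.doAs(). The client principal, keytab path, HiveServer2 host and service principal, and the JAAS entry name "HiveClient" are assumed values.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class HiveSubjectDoAsExample {

    // Assumed values: replace with your client principal/keytab and HS2 host.
    static final String CLIENT_PRINCIPAL = "alice@EXAMPLE.COM";
    static final String CLIENT_KEYTAB = "/etc/security/keytabs/alice.keytab";
    // "principal" here is HiveServer2's service principal, not the client's.
    static final String HS2_URL = "jdbc:hive2://hivehost.example.com:10000/default"
            + ";principal=hive/hivehost.example.com@EXAMPLE.COM"
            + ";auth=kerberos;kerberosAuthType=fromSubject";

    // In-code JAAS configuration for the JDK Krb5LoginModule, so no jaas.conf
    // file or java.security.auth.login.config system property is needed.
    static Configuration keytabConfig(final String principal, final String keytab) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytab);
                opts.put("principal", principal);
                opts.put("storeKey", "true");        // keep the long-term key in the Subject
                opts.put("doNotPrompt", "true");     // fail rather than prompt for a password
                opts.put("useTicketCache", "false"); // ignore the per-OS-user ticket cache
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    // Authenticate to the KDC and return the Subject holding the TGT. The entry
    // name "HiveClient" is arbitrary because keytabConfig() ignores it.
    static Subject login(String principal, String keytab) throws Exception {
        LoginContext lc = new LoginContext("HiveClient", null, null,
                keytabConfig(principal, keytab));
        lc.login();
        return lc.getSubject();
    }

    // Connect and run a query as the given Subject. The connect must happen
    // inside doAs() so the Kerberos handshake uses the Subject's credentials.
    static List<String> showDatabasesAs(Subject subject) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<List<String>>() {
            public List<String> run() throws Exception {
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                Connection con = DriverManager.getConnection(HS2_URL);
                try {
                    Statement st = con.createStatement();
                    ResultSet rs = st.executeQuery("SHOW DATABASES");
                    List<String> names = new ArrayList<String>();
                    while (rs.next()) {
                        names.add(rs.getString(1));
                    }
                    return names;
                } finally {
                    con.close();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login(CLIENT_PRINCIPAL, CLIENT_KEYTAB);
        // One JVM can hold several Subjects and choose one per connection,
        // which the single shared ticket cache cannot offer.
        System.out.println("databases visible to alice: " + showDatabasesAs(alice));
    }
}
```

Two practical caveats for this pattern: the TGT inside the Subject expires like any other ticket, so a long-running middleware server has to call login() again (or logout()/login() on its LoginContext) before the ticket lifetime ends, and the Subject's private credentials (the TGT and, with storeKey=true, the long-term key) must be treated as secrets, so never log or serialize the Subject.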

> Support secure Subject.doAs() in HiveServer2 JDBC client.
> ---------------------------------------------------------
>
>                 Key: HIVE-6486
>                 URL: https://issues.apache.org/jira/browse/HIVE-6486
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authentication, HiveServer2, JDBC
>    Affects Versions: 0.11.0, 0.12.0
>            Reporter: Shivaraju Gowda
>            Assignee: Shivaraju Gowda
>             Fix For: 0.13.0
>
>         Attachments: HIVE-6486.1.patch, HIVE-6486.2.patch, HIVE-6486.3.patch, 
> Hive_011_Support-Subject_doAS.patch, TestHive_SujectDoAs.java
>
>
> HIVE-5155 addresses the problem of kerberos authentication in a multi-user 
> middleware server using a proxy user.  In this mode the principal used by the 
> middleware server has privileges to impersonate selected users in 
> Hive/Hadoop. 
> This enhancement is to support Subject.doAs() authentication in the Hive JDBC 
> layer so that the end user's Kerberos Subject is passed through in the 
> middleware server. With this improvement there won't be any additional setup in 
> the server to grant proxy privileges to some users and there won't be a need to 
> specify a proxy user in the JDBC client. This version should also be more 
> secure since it won't require principals with the privileges to impersonate 
> other users in the Hive/Hadoop setup.
>  



--
This message was sent by Atlassian JIRA
(v6.2#6252)
