-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28255/
-----------------------------------------------------------

Review request for hive.


Bugs: HIVE-8916
    https://issues.apache.org/jira/browse/HIVE-8916


Repository: hive-git


Description
-------

HIVE-8916 : Handle user@domain username under LDAP authentication

If LDAP is configured with multiple domains for authentication, users can be in 
different domains.

Currently, LdapAuthenticationProviderImpl blindly appends the domain configured 
in "hive.server2.authentication.ldap.Domain" to the username, which limits the 
user to that domain. However, under multi-domain authentication, the username 
may already include the domain (e.g. u...@domain.foo.com). We should not append 
a domain if one is already present.

Also, if the username already includes the domain, the rest of Hive and the 
authorization providers still expect the "short name" ("user" and not 
"u...@domain.foo.com") for looking up privilege rules, etc. As such, any domain 
info in the username should be stripped off.


Diffs
-----

  service/src/java/org/apache/hive/service/ServiceUtils.java PRE-CREATION 
  service/src/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java d075761d079f8a18d7d317483783fe3b801e00d5 
  service/src/java/org/apache/hive/service/cli/thrift/ThriftCLIService.java 3a8ae70d8bd31c9958ea6ae00a2d01c315c80615 

Diff: https://reviews.apache.org/r/28255/diff/


Testing
-------

Configured HS2 for LDAP authentication:

<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>    
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://foo.ldap.server.com</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.Domain</name>
  <value>foo.ldap.domain.com</value>
</property>

Ran beeline with user names with and without the LDAP domain; in both cases
authentication works. Before the change, authentication failed if the
domain was present in the username:

beeline -u jdbc:hive2://localhost:10000 -n u...@foo.ldap.domain.com -p TestPassword --debug

beeline -u jdbc:hive2://localhost:10000 -n user -p TestPassword --debug


Thanks,

Mohit Sabharwal
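
The two rules from the description (append the configured domain only when the login has none, and pass only the short name on for privilege lookups), as an added example that is not part of the original message or of the Hive patch. The class name, method names and sample logins are assumptions made for illustration.

```java
// Added illustration; names are hypothetical and are not Hive's ServiceUtils API.
public class LdapUserNameExample {

    /** Index of the '@' that separates user and domain, or -1 if there is none. */
    static int domainSeparatorIndex(String userName) {
        if (userName == null) {
            return -1;
        }
        int at = userName.indexOf('@');
        // A leading '@' leaves no user part, so it is not treated as a domain.
        return at > 0 ? at : -1;
    }

    /** Name used for the LDAP bind: the configured domain is appended only if none is present. */
    static String bindName(String userName, String configuredDomain) {
        if (userName == null || domainSeparatorIndex(userName) != -1
                || configuredDomain == null || configuredDomain.isEmpty()) {
            return userName;
        }
        return userName + "@" + configuredDomain;
    }

    /** Short name handed to the rest of Hive and to authorization providers. */
    static String shortName(String userName) {
        int at = domainSeparatorIndex(userName);
        return at == -1 ? userName : userName.substring(0, at);
    }

    public static void main(String[] args) {
        // Domain value taken from the test configuration in the message above.
        String domain = "foo.ldap.domain.com";
        // Constructed sample logins: no domain, configured domain, a second domain.
        String[] logins = {"user", "user@foo.ldap.domain.com", "user@other.example.com"};
        for (String login : logins) {
            System.out.printf("%-26s bind=%-26s short=%s%n",
                    login, bindName(login, domain), shortName(login));
        }
    }
}
```

All three sample logins yield the short name "user", so privilege rules keyed on the short name apply to that account name regardless of which domain authenticated it.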
