[
https://issues.apache.org/jira/browse/KNOX-434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14154571#comment-14154571
]
LINTE commented on KNOX-434:
----------------------------
Yes, I used Hive 0.13.1 compiled with patch HIVE-6799 in order to activate the
proxyuser check for knox/knoxserver@REALM. I work with a remote metastore that
uses a MySQL backend.
Unfortunately, the Hive HTTP mode doesn't work with the doAs option set to true
if you have a remote metastore secured with SASL ... that is not convenient at
all when talking about security.
1/ hive.server2.authentication ==> KERBEROS (first response from Knox will be
401 and asks Knox to send the Negotiate authentication header)
2/ hive.server2.transport.mode ==> http (activates HTTP transport mode)
3/ hive.server2.enable.doAs ==> false (if you have a remote metastore; with an
embedded metastore you can keep it set to true)
4/ hive.metastore.sasl.enabled ==> true (both on metastore and hiveserver2)
> Access secured Hive from Knox include
> -------------------------------------
>
> Key: KNOX-434
> URL: https://issues.apache.org/jira/browse/KNOX-434
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.4.0
> Environment: Centos 6.5
> Reporter: LINTE
>
> Knox sends the following packet to Hive:
> POST /cliservice?doAs=authenticateduserhtrougthknox HTTP/1.1
> Without any Cookie or HTTP "Authorization : Negotiate : " header for proxyuser
> authentication and "doAs" user check.