[
https://issues.apache.org/jira/browse/KNOX-594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15121797#comment-15121797
]
Sumit Gupta commented on KNOX-594:
----------------------------------
The fix stops the hive.server2.auth cookie from going back to the client and
manages the cookie the same way we manage 'hadoop.auth'.
The two scenarios where this comes into play are :
1. Kerberos is on and SSL to HS2 is off (i.e. http connection from Knox to HS2)
2. Kerberos is on and SSL to HS2 is enabled (https connection from Knox to HS2)
For scenario 1. to work correctly, the following additional setting must be
made to hiveserver2-site:
hive.server2.thrift.http.cookie.is.secure = false
If this is not done, by default hiveserver2 sends back a cookie marked secure
and Knox will not play that cookie back to HS2 over http. This results in Knox
re-authenticating for every interaction with HS2.
> Cache hive.server2.auth cookie in AppCookieManager
> --------------------------------------------------
>
> Key: KNOX-594
> URL: https://issues.apache.org/jira/browse/KNOX-594
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Larry McCay
> Assignee: Sumit Gupta
> Fix For: 0.8.0
>
>
> We need to cache the hadoop auth cookie for Hive in AppCookieManager. Since
> they use a nonstandard cookie name it isn't currently being cached in Knox.
> Cookie: JSESSIONID=rhuzi3sheys11ouyr5984sidw;
> hive.server2.auth=cu=knox&rn=5512136758854373928&s=3CJdDc8I8RIC3/w9x8B/YuCDnR0=[\r][\n]"
> The above example shows the hive.server2.auth cookie.
> We need to ensure that this cookie is managed by Knox and not sent back to
> the client.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
