Ankit Kailaswar created LENS-1506:
-------------------------------------

             Summary: Kerberos authentication in lens
                 Key: LENS-1506
                 URL: https://issues.apache.org/jira/browse/LENS-1506
             Project: Apache Lens
          Issue Type: Improvement
          Components: client, driver-hive, python-client, server
            Reporter: Ankit Kailaswar


Current Lens implementation is broken when we try to enable kerberos 
authentication in lens as mentioned at 
[https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in 
following ways,
1. openSession REST API fails to create new session for user. Currently it 
supports only passwd types of authentication.

2. If the underlying hive driver is running with kerberos authentication then 
driver initialization flow to obtain hive transport for hive driver in lens 
errors out. Hive server accepts only sasl messages but lens continues using 
PLAINSASL.

3. If hadoop cluster has kerberos authentication enabled then all hdfs calls 
(persisting services, all hdfs path in conf etc) fail.
4. Lens as if now doesnt supports refreshing KDC token before it expires.

Changes required in lens to fully support kerberose authentication are as 
follows,
 # lens's hive driver must use SASL for all communication in to kerberozied 
hive. Current thrift client for hive doesn't support this functionality.
 # Lens must refresh KDC ticket before it expires.
 # All clients must be authenticated with kerberose authentication before 
session creation.
 # In kerberos mode all hive driver query should be executed with single 
cluster user as "lens".



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to