[ 
https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Kailaswar reassigned LENS-1506:
-------------------------------------

    Assignee: Ankit Kailaswar

> Kerberos authentication in lens
> -------------------------------
>
>                 Key: LENS-1506
>                 URL: https://issues.apache.org/jira/browse/LENS-1506
>             Project: Apache Lens
>          Issue Type: Improvement
>          Components: client, driver-hive, python-client, server
>            Reporter: Ankit Kailaswar
>            Assignee: Ankit Kailaswar
>            Priority: Major
>
> Current Lens implementation is broken when we try to enable kerberos 
> authentication in lens as mentioned at 
> [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in 
> following ways,
> 1. openSession REST API fails to create new session for user. Currently it 
> supports only passwd types of authentication.
> 2. If the underlying hive driver is running with kerberos authentication then 
> driver initialization flow to obtain hive transport for hive driver in lens 
> errors out. Hive server accepts only sasl messages but lens continues using 
> PLAINSASL.
> 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls 
> (persisting services, all hdfs path in conf etc) fail.
> 4. Lens as if now doesnt supports refreshing KDC token before it expires.
> Changes required in lens to fully support kerberose authentication are as 
> follows,
>  # lens's hive driver must use SASL for all communication in to kerberozied 
> hive. Current thrift client for hive doesn't support this functionality.
>  # Lens must refresh KDC ticket before it expires.
>  # All clients must be authenticated with kerberose authentication before 
> session creation.
>  # In kerberos mode all hive driver query should be executed with single 
> cluster user as "lens".



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to