Ankit Kailaswar updated LENS-1506:
Attachment: (was: design3.png)
> Kerberos authentication in lens
> Key: LENS-1506
> URL: https://issues.apache.org/jira/browse/LENS-1506
> Project: Apache Lens
> Issue Type: Improvement
> Components: client, driver-hive, python-client, server
> Reporter: Ankit Kailaswar
> Assignee: Ankit Kailaswar
> Priority: Major
> Current Lens implementation is broken when we try to enable kerberos
> authentication in lens as mentioned at
> [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in
> following ways,
> 1. openSession REST API fails to create new session for user. Currently it
> supports only passwd types of authentication.
> 2. If the underlying hive driver is running with kerberos authentication then
> driver initialization flow to obtain hive transport for hive driver in lens
> errors out. Hive server accepts only sasl messages but lens continues using
> 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls
> (persisting services, all hdfs path in conf etc) fail.
> 4. Lens as if now doesnt supports refreshing KDC token before it expires.
> Changes required in lens to fully support kerberose authentication are as
> # lens's hive driver must use SASL for all communication in to kerberozied
> hive. Current thrift client for hive doesn't support this functionality.
> # Lens must refresh KDC ticket before it expires.
> # All clients must be authenticated with kerberose authentication before
> session creation.
> # In kerberos mode all hive driver query should be executed with single
> cluster user as "lens".
This message was sent by Atlassian JIRA