Ankit Kailaswar updated LENS-1506:
    Attachment: design3.png

> Kerberos authentication in lens
> -------------------------------
>                 Key: LENS-1506
>                 URL: https://issues.apache.org/jira/browse/LENS-1506
>             Project: Apache Lens
>          Issue Type: Improvement
>          Components: client, driver-hive, python-client, server
>            Reporter: Ankit Kailaswar
>            Assignee: Ankit Kailaswar
>            Priority: Major
>         Attachments: design3.png
> Current Lens implementation is broken when we try to enable kerberos 
> authentication in lens as mentioned at 
> [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in 
> following ways,
> 1. openSession REST API fails to create new session for user. Currently it 
> supports only passwd types of authentication.
> 2. If the underlying hive driver is running with kerberos authentication then 
> driver initialization flow to obtain hive transport for hive driver in lens 
> errors out. Hive server accepts only sasl messages but lens continues using 
> 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls 
> (persisting services, all hdfs path in conf etc) fail.
> 4. Lens as if now doesnt supports refreshing KDC token before it expires.
> Changes required in lens to fully support kerberose authentication are as 
> follows,
>  # lens's hive driver must use SASL for all communication in to kerberozied 
> hive. Current thrift client for hive doesn't support this functionality.
>  # Lens must refresh KDC ticket before it expires.
>  # All clients must be authenticated with kerberose authentication before 
> session creation.
>  # In kerberos mode all hive driver query should be executed with single 
> cluster user as "lens".

This message was sent by Atlassian JIRA

Reply via email to