[
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252014&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252014
]
ASF GitHub Bot logged work on HIVE-21783:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 31/May/19 19:48
Start Date: 31/May/19 19:48
Worklog Time Spent: 10m
Work Description: prasanthj commented on pull request #648: HIVE-21783:
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289528707
##########
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##########
@@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
return;
}
}
- // If the cookie based authentication is already enabled, parse the
- // request and validate the request cookies.
- if (isCookieAuthEnabled) {
- clientUserName = validateCookie(request);
- requireNewCookie = (clientUserName == null);
- if (requireNewCookie) {
- LOG.info("Could not validate cookie sent, will try to generate a new
cookie");
- }
- }
- // If the cookie based authentication is not enabled or the request does
- // not have a valid cookie, use the kerberos or password based
authentication
- // depending on the server setup.
- if (clientUserName == null) {
- // For a kerberos setup
- if (isKerberosAuthMode(authType)) {
- String delegationToken =
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
- // Each http request must have an Authorization header
- if ((delegationToken != null) && (!delegationToken.isEmpty())) {
- clientUserName = doTokenAuth(request, response);
- } else {
- clientUserName = doKerberosAuth(request);
+
+ clientIpAddress = request.getRemoteAddr();
+ LOG.debug("Client IP Address: " + clientIpAddress);
+ String trustedDomain = HiveConf.getVar(hiveConf,
ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim();
+
+ // Skip authentication if the connection is from the trusted domain
+ if (!trustedDomain.isEmpty() &&
+ PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(),
trustedDomain)) {
+ LOG.info("No authentication performed because the connecting host " +
request.getRemoteHost() +
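Review bot: The bypass condition passes `request.getRemoteHost()` to `PlainSaslHelper.isHostFromTrustedDomain`, so the decision to skip authentication rests on a host name that the servlet container derives by resolving the peer address. `getRemoteHost()` returns the IP string when the name is not resolved, and behind a proxy it describes the proxy rather than the client. The hunk reads `clientIpAddress` from `request.getRemoteAddr()` but uses it only in the debug line, not in the check or in the visible part of the info message. Suggest resolving the host once into a local variable, logging it together with `clientIpAddress` so that every skipped authentication can be audited, and stating in the `HIVE_SERVER2_TRUST_DOMAIN` description that the setting depends on name resolution of the client address.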
Review comment:
We can only support this for non-Kerberos auth mode (password based) and
look for the "Authorization: Basic" header. Extract the username and discard the
password. If a cookie comes along with the request, we can use the username from
the cookie.
My understanding here is that a new request comes in with an "Authorization:
Basic" header, we trust the domain, extract the username from the auth header,
generate a cookie and respond with the cookie. If a new request comes back with the
cookie, validate the cookie, extract the user name and we are done.
We should set the expectation from clients here in the config description
(whether clients should send a basic auth header and that the password will be used
if not from a trusted domain and for trusted domains the password will be discarded).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
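The flow the review comment above describes, narrowed to the Basic-header decision (cookie issuance is left out), as an added Java example that is not part of the pull request or of Hive's code. The class and method names, the label-boundary domain match and the `passwordCheck` callback are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.function.BiPredicate;

// Added illustration; class and method names are hypothetical, not Hive's.
public class TrustedDomainBasicAuth {

  // True only when host is inside trustedDomain on a DNS label boundary,
  // so "evil-corp.example" does not match "corp.example".
  static boolean inTrustedDomain(String host, String trustedDomain) {
    if (host == null || trustedDomain == null || trustedDomain.trim().isEmpty()) {
      return false; // an empty setting never grants trust
    }
    String h = host.toLowerCase(Locale.ROOT);
    String d = trustedDomain.trim().toLowerCase(Locale.ROOT);
    return h.equals(d) || h.endsWith("." + d);
  }

  // Returns the user name to use, or null when the request must be rejected.
  static String resolveUser(String authHeader, String remoteHost, String trustedDomain,
                            BiPredicate<String, String> passwordCheck) {
    if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
      return null; // the user name always comes from the Basic header
    }
    String decoded;
    try {
      byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
      decoded = new String(raw, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return null; // malformed base64
    }
    int colon = decoded.indexOf(':'); // RFC 7617: user-id cannot contain ':'
    if (colon <= 0) {
      return null; // no separator or empty user name
    }
    String user = decoded.substring(0, colon);
    if (inTrustedDomain(remoteHost, trustedDomain)) {
      return user; // trusted domain: the password is discarded, never checked
    }
    return passwordCheck.test(user, decoded.substring(colon + 1)) ? user : null;
  }

  public static void main(String[] args) {
    // Constructed sample: the same wrong password sent from inside and outside the domain.
    String hdr = "Basic " + Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
    BiPredicate<String, String> check = (u, p) -> "alice".equals(u) && "secret".equals(p);
    System.out.println(resolveUser(hdr, "node1.corp.example", "corp.example", check));
    System.out.println(resolveUser(hdr, "evil-corp.example", "corp.example", check));
  }
}
```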
Issue Time Tracking
-------------------
Worklog Id: (was: 252014)
Time Spent: 2h 20m (was: 2h 10m)
> Avoid authentication for connection from the same domain
> --------------------------------------------------------
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
> Issue Type: New Feature
> Components: HiveServer2
> Reporter: Ashutosh Bapat
> Assignee: Ashutosh Bapat
> Priority: Major
> Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user.
> This is similar to NONE authentication but only for the connection from the
> same domain.