[ https://issues.apache.org/jira/browse/HIVE-26071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17536298#comment-17536298 ]

Sourabh Goyal edited comment on HIVE-26071 at 5/12/22 7:09 PM:
---------------------------------------------------------------

[~adondon] : Please find the answers:
 * Would it be possible to run both protocols at the same time (Thrift and HTTP)?

      - No. Only one mode can be enabled. But if there is a need, it should be easy to extend the current implementation to support both modes together.

 * What about the Authenticator interface to get, for example, the username or groups from the JWT claims? From what I saw (but I am not sure), the Authenticator interface is quite coupled with the Hadoop/Kerberos UGI?

      - You are right, the authentication in JWT is not coupled with Kerberos. The user is expected to set the username (in the subject field) in the JWT and send that JWT in the request header to the metastore server. The server, after validating the token, extracts the username from the subject field and executes the operation as that user via ugi.doAs().

 * Is there already a design today to allow something like a storage-based authorization implementation, where the authenticator can get information on who is authenticated but not Hadoop related?

      - Not sure if I understand it correctly. In the current implementation, the metastore server, during the start phase, fetches the JWKS from a configurable URL and validates all future JWTs using this set.

Let me know if you have any thoughts/concerns.
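The validation step described in the answer above, as an added illustration rather than code from Hive or from this thread: given the JWKS the server would have cached at startup, it checks the token's signature and expiry and returns the subject claim, which is the identity the server would then pass to ugi.doAs(). It uses a symmetric `oct` JWK so that it runs with only the Python standard library (a deployed JWKS endpoint would normally publish RSA or EC public keys); `make_jwt`, `JWKS` and `SECRET` are constructed test data.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes, kid: str) -> str:
    """Build an HS256-signed token: constructed stand-in for what a client would send."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def authenticated_user(token: str, jwks: dict, now=None) -> str:
    """Validate `token` against the cached JWKS; return the `sub` claim or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError as e:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from e
    # Pin the algorithm: the token's own "alg" header must never select the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key for kid %r" % header.get("kid"))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= float(claims["exp"]):
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing sub claim")
    return sub  # the username handed to ugi.doAs()


def rejected(token: str, jwks: dict, now=None) -> bool:
    """True if authenticated_user() refuses the token."""
    try:
        authenticated_user(token, jwks, now)
        return False
    except ValueError:
        return True


# Constructed key set, standing in for the JWKS fetched from the configured URL.
SECRET = b"constructed-demo-secret-not-for-production"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "k": b64url_encode(SECRET)}]}
```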

   



> JWT authentication for Thrift over HTTP in HiveMetaStore
> --------------------------------------------------------
>
>                 Key: HIVE-26071
>                 URL: https://issues.apache.org/jira/browse/HIVE-26071
>             Project: Hive
>          Issue Type: New Feature
>          Components: Standalone Metastore
>            Reporter: Sourabh Goyal
>            Assignee: Sourabh Goyal
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> HIVE-25575 recently added support for JWT authentication in HS2. This Jira 
> aims to add the same feature in HMS.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)