KWON BYUNGCHANG created HIVE-29639:
--------------------------------------

             Summary: Support a pluggable authentication filter for the HiveServer2 WebUI
                 Key: HIVE-29639
                 URL: https://issues.apache.org/jira/browse/HIVE-29639
             Project: Hive
          Issue Type: Improvement
            Reporter: KWON BYUNGCHANG


h2. Problem

In a Kerberized cluster, the HS2 WebUI is typically protected with
SPNEGO (`hive.server2.webui.use.spnego` + keytab/principal). SPNEGO
works fine for command-line / Kerberos clients, but in a browser it is
clunky: end users need a working Kerberos ticket cache on their
workstation, the browser has to be whitelisted for the SPNEGO domain,
and there is no clean way to plug the UI into an organisation's
broader SSO flow.

Elsewhere in the Hadoop ecosystem, this gap is commonly closed by
KnoxSSO in front of Kerberized NameNode / YARN ResourceManager /
Oozie UIs so end users get a single browser SSO experience instead of
raw SPNEGO, while the services themselves stay Kerberized.

HS2 cannot join that story today. There is no supported way to insert
a custom `javax.servlet.Filter` into the WebUI servlet pipeline, so
operators either live with browser SPNEGO

h2. Proposal
Add a configurable `javax.servlet.Filter` slot to the WebUI, mirroring
Spark's `spark.ui.filters`. Any `Filter` can then be
installed via configuration alone, with no code changes.


h2. Example (KnoxSSO)

{noformat}
hive.server2.webui.use.custom.auth.filter=true
hive.server2.webui.custom.auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter
hive.server2.webui.custom.auth.filter.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
hive.server2.webui.custom.auth.filter.alt-kerberos.non-browser.user-agents=${hadoop.http.authentication.alt-kerberos.non-browser.user-agents}
hive.server2.webui.custom.auth.filter.signer.secret.provider=${hadoop.http.authentication.signer.secret.provider}
hive.server2.webui.custom.auth.filter.signature.secret.file=${hadoop.http.authentication.signature.secret.file}
hive.server2.webui.custom.auth.filter.authentication.provider.url=${hadoop.http.authentication.authentication.provider.url}
hive.server2.webui.custom.auth.filter.public.key.pem=${hadoop.http.authentication.public.key.pem}
{noformat}
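
How the prefixed keys above could reach the filter, as an added example that is not part of this issue or of the Hive code base. It assumes the prefix `hive.server2.webui.custom.auth.filter.` is stripped so the filter receives plain init parameters such as `type` and `signature.secret.file`, and it refuses to continue when the slot is enabled without a filter class or with an unresolved `${...}` value. The class name `WebUiFilterParams`, the sample URL and the secret file path are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not HiveServer2 code. Assumption: keys under the filter
// prefix are handed to the filter as init parameters with the prefix removed.
public class WebUiFilterParams {
    static final String ENABLED = "hive.server2.webui.use.custom.auth.filter";
    static final String FILTER_CLASS = "hive.server2.webui.custom.auth.filter";
    static final String PREFIX = FILTER_CLASS + ".";

    /** Returns the filter init parameters, or an empty map when the slot is off. */
    static Map<String, String> initParams(Map<String, String> conf) {
        Map<String, String> params = new LinkedHashMap<>();
        if (!Boolean.parseBoolean(conf.getOrDefault(ENABLED, "false"))) {
            return params;
        }
        String cls = conf.get(FILTER_CLASS);
        if (cls == null || cls.trim().isEmpty()) {
            // Fail closed: an enabled slot with no filter must not yield an open UI.
            throw new IllegalStateException(FILTER_CLASS + " is not set");
        }
        for (Map.Entry<String, String> e : conf.entrySet()) {
            String key = e.getKey();
            if (!key.startsWith(PREFIX)) {
                continue; // the enable flag and the class key itself are not init params
            }
            String value = e.getValue();
            if (value == null || value.contains("${")) {
                // An unresolved ${...} reference would reach the handler as a literal.
                throw new IllegalStateException("unresolved value for " + key);
            }
            params.put(key.substring(PREFIX.length()), value);
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample values; the URL and the file path are placeholders.
        Map<String, String> conf = new LinkedHashMap<>();
        conf.put(ENABLED, "true");
        conf.put(FILTER_CLASS, "org.apache.hadoop.security.authentication.server.AuthenticationFilter");
        conf.put(PREFIX + "type", "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler");
        conf.put(PREFIX + "authentication.provider.url", "https://knox.example.invalid/gateway/knoxsso/api/v1/websso");
        conf.put(PREFIX + "signature.secret.file", "/path/to/placeholder-secret");
        initParams(conf).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```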




--
This message was sent by Atlassian Jira
(v8.20.10#820010)