[ https://issues.apache.org/jira/browse/HIVE-29639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated HIVE-29639:
----------------------------------
Labels: pull-request-available (was: )
> Support a pluggable authentication filter for the HiveServer2 WebUI
> -------------------------------------------------------------------
>
> Key: HIVE-29639
> URL: https://issues.apache.org/jira/browse/HIVE-29639
> Project: Hive
> Issue Type: Improvement
> Reporter: KWON BYUNGCHANG
> Priority: Major
> Labels: pull-request-available
>
> h2. Problem
> In a Kerberized cluster, the HS2 WebUI is typically protected with
> SPNEGO (`hive.server2.webui.use.spnego` + keytab/principal). SPNEGO
> works fine for command-line / Kerberos clients, but in a browser it is
> clunky: end users need a working Kerberos ticket cache on their
> workstation, the browser has to be whitelisted for the SPNEGO domain,
> and there is no clean way to plug the UI into an organisation's
> broader SSO flow.
> Elsewhere in the Hadoop ecosystem, this gap is commonly closed by
> KnoxSSO in front of Kerberized NameNode / YARN ResourceManager /
> Oozie UIs so end users get a single browser SSO experience instead of
> raw SPNEGO, while the services themselves stay Kerberized.
> HS2 cannot join that story today. There is no supported way to insert
> a custom `javax.servlet.Filter` into the WebUI servlet pipeline, so
> operators either live with browser SPNEGO
> h2. Proposal
> Add a configurable `javax.servlet.Filter` slot to the WebUI, mirroring
> Spark's `spark.ui.filters`. Any `Filter` can then be
> installed via configuration alone, with no code changes
> h2. Example (KnoxSSO)
> {noformat}
> hive.server2.webui.use.custom.auth.filter=true
> hive.server2.webui.custom.auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter
> hive.server2.webui.custom.auth.filter.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
> hive.server2.webui.custom.auth.filter.alt-kerberos.non-browser.user-agents=${hadoop.http.authentication.alt-kerberos.non-browser.user-agents}
> hive.server2.webui.custom.auth.filter.signer.secret.provider=${hadoop.http.authentication.signer.secret.provider}
> hive.server2.webui.custom.auth.filter.signature.secret.file=${hadoop.http.authentication.signature.secret.file}
> hive.server2.webui.custom.auth.filter.authentication.provider.url=${hadoop.http.authentication.authentication.provider.url}
> hive.server2.webui.custom.auth.filter.public.key.pem=${hadoop.http.authentication.public.key.pem}
> {noformat}
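Added example, not part of the Jira issue or the Hive patch: a pre-deployment check over the properties in the KnoxSSO example above. It assumes (the issue does not state it) that keys under `hive.server2.webui.custom.auth.filter.` reach the filter as init parameters with the prefix stripped and that `${...}` references resolve against other properties; the function names and the Knox URL are constructed.

```python
import re

PREFIX = "hive.server2.webui.custom.auth.filter"
JWT_HANDLER = "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
# Init parameters Hadoop's JWT handler needs for the SSO redirect and token check.
JWT_REQUIRED = ("authentication.provider.url", "public.key.pem")
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
# Constructed sample: keys from the issue; the Knox URL is a made-up value.
SAMPLE = """
hive.server2.webui.use.custom.auth.filter=true
hive.server2.webui.custom.auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter
hive.server2.webui.custom.auth.filter.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
hive.server2.webui.custom.auth.filter.authentication.provider.url=${hadoop.http.authentication.authentication.provider.url}
hive.server2.webui.custom.auth.filter.public.key.pem=${hadoop.http.authentication.public.key.pem}
hadoop.http.authentication.authentication.provider.url=https://knox.example.invalid/gateway/knoxsso/api/v1/websso
"""

def parse_properties(text):
    # key=value lines; blanks and '#' comments are skipped
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(value, props):
    # Substitute ${name} from other properties; unknown names stay visible.
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def filter_init_params(props):
    # Assumption: Hive strips the prefix and hands the rest to Filter.init().
    return {k[len(PREFIX) + 1:]: resolve(v, props)
            for k, v in props.items() if k.startswith(PREFIX + ".")}

def check(props):
    if props.get("hive.server2.webui.use.custom.auth.filter", "").lower() != "true":
        return ["custom auth filter disabled"]
    findings = [] if props.get(PREFIX) else ["filter class not set"]
    params = filter_init_params(props)
    for name, value in sorted(params.items()):
        if PLACEHOLDER.search(value):
            findings.append(f"{name}: unresolved reference {value}")
    if params.get("type") == JWT_HANDLER:
        findings += [f"{name}: required by JWT handler but missing"
                     for name in JWT_REQUIRED if not params.get(name)]
    return findings

if __name__ == "__main__":
    print("\n".join(check(parse_properties(SAMPLE))) or "ok")
```

On the sample, the check reports the `public.key.pem` reference as unresolved because no `hadoop.http.authentication.public.key.pem` value is defined for it to inherit.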