[ 
https://issues.apache.org/jira/browse/HIVE-29730?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Turoczy updated HIVE-29730:
----------------------------------
    Labels: cloud  (was: )

> OIDC Authentication and Identity Mapping for HiveServer2 and JDBC Clients
> -------------------------------------------------------------------------
>
>                 Key: HIVE-29730
>                 URL: https://issues.apache.org/jira/browse/HIVE-29730
>             Project: Hive
>          Issue Type: New Feature
>          Components: HiveServer2
>            Reporter: Attila Turoczy
>            Priority: Major
>              Labels: cloud
>
> HiveServer2 already supports JWT-based authentication over HTTP transport. 
> However, the current implementation is primarily a bring-your-own-token 
> mechanism rather than a complete, production-grade OAuth 2.0 / OpenID Connect 
> authentication solution.
> Clients must obtain the JWT externally and pass it to HiveServer2. 
> HiveServer2 validates the token using the configured JWKS endpoint and 
> derives the session user from the token subject. This provides basic boundary 
> authentication, but several capabilities required for secure and 
> user-friendly cloud deployments are currently missing or limited.
> The goal of this initiative is to enhance the existing HiveServer2 JWT 
> support and provide a complete OIDC-based authentication experience for Hive 
> clients, without changing the existing downstream Kerberos, delegation-token, 
> or Hadoop execution model.
> Enhance JWT validation with configurable support for:
>  * OIDC discovery through {{/.well-known/openid-configuration}}
>  * Issuer validation
>  * Audience validation
>  * Authorized party validation where applicable
>  * Scope and role validation
>  * {{{}nbf{}}}, expiration, and configurable clock-skew handling
>  * Explicitly allowed signing algorithms
>  * Multiple trusted issuers or identity providers
>  * Automatic JWKS refresh and key rotation
>  * Resilient JWKS caching and retry behavior
>  * Secure handling of JWT-related configuration properties
> h4. 2. Configurable identity and group mapping (? maybe separate task)
> Allow administrators to configure how JWT claims are mapped to the Hive 
> identity.
> Examples:
> {{hive.server2.authentication.jwt.user.claim=preferred_username
> hive.server2.authentication.jwt.groups.claim=groups}}
> The implementation should support common claims such as:
>  * {{sub}}
>  * {{preferred_username}}
>  * {{email}}
>  * {{upn}}
>  * {{groups}}
>  * {{roles}}
>  * tenant-related claims
> The resolved identity must be passed consistently to:
>  * HiveServer2 sessions
>  * Ranger authorization
>  * Audit logging
>  * Proxy-user and impersonation checks
> Audit records should preserve both the authenticated token identity and the 
> effective Hive user when they differ.{{}}
> h4. Backward-compatible migration mode
> The implementation should preserve support for existing authentication 
> mechanisms.
> HiveServer2 should continue to support configurations where Kerberos and 
> JWT/OIDC authentication are enabled in parallel, allowing customers to 
> migrate clients gradually.
> For example:
> {{hive.server2.authentication=KERBEROS,JWT}}
> The authentication mechanism should be selected according to the incoming 
> HTTP authorization scheme.
> h3. Motivation
> Kerberos-based client authentication creates significant setup and usability 
> challenges in cloud and containerized environments.
> Users may need to configure:
>  * Java
>  * Kerberos client libraries
>  * {{krb5.conf}}
>  * DNS and realm resolution
>  * Keytabs or ticket initialization
>  * Ticket renewal
> OIDC authentication would allow HiveServer2 to integrate with modern identity 
> providers such as:
>  * Microsoft Entra ID
>  * Keycloak
>  * Okta
>  * Auth0
>  * Other standards-compliant OIDC providers
> This would provide a more secure and user-friendly authentication model while 
> preserving compatibility with the existing Hive and Hadoop execution 
> architecture.
> h3. Expected Benefits
>  * Simplified Hive client onboarding
>  * Better cloud and Kubernetes integration
>  * No requirement to distribute user keytabs
>  * Short-lived and centrally managed access tokens
>  * Improved support for standalone Beeline distributions
>  * Consistent identity mapping between HiveServer2 and Ranger
>  * Safer identity-provider key rotation
>  * Gradual migration from Kerberos client authentication
>  * Standards-based integration with enterprise identity providers
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to