[
https://issues.apache.org/jira/browse/HIVE-29730?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Turoczy updated HIVE-29730:
----------------------------------
Labels: cloud (was: )
> OIDC Authentication and Identity Mapping for HiveServer2 and JDBC Clients
> -------------------------------------------------------------------------
>
> Key: HIVE-29730
> URL: https://issues.apache.org/jira/browse/HIVE-29730
> Project: Hive
> Issue Type: New Feature
> Components: HiveServer2
> Reporter: Attila Turoczy
> Priority: Major
> Labels: cloud
>
> HiveServer2 already supports JWT-based authentication over HTTP transport.
> However, the current implementation is primarily a bring-your-own-token
> mechanism rather than a complete, production-grade OAuth 2.0 / OpenID Connect
> authentication solution.
> Clients must obtain the JWT externally and pass it to HiveServer2.
> HiveServer2 validates the token using the configured JWKS endpoint and
> derives the session user from the token subject. This provides basic boundary
> authentication, but several capabilities required for secure and
> user-friendly cloud deployments are currently missing or limited.
> The goal of this initiative is to enhance the existing HiveServer2 JWT
> support and provide a complete OIDC-based authentication experience for Hive
> clients, without changing the existing downstream Kerberos, delegation-token,
> or Hadoop execution model.
> Enhance JWT validation with configurable support for:
> * OIDC discovery through {{/.well-known/openid-configuration}}
> * Issuer validation
> * Audience validation
> * Authorized party validation where applicable
> * Scope and role validation
> * {{{}nbf{}}}, expiration, and configurable clock-skew handling
> * Explicitly allowed signing algorithms
> * Multiple trusted issuers or identity providers
> * Automatic JWKS refresh and key rotation
> * Resilient JWKS caching and retry behavior
> * Secure handling of JWT-related configuration properties
> h4. 2. Configurable identity and group mapping (? maybe separate task)
> Allow administrators to configure how JWT claims are mapped to the Hive
> identity.
> Examples:
> {{hive.server2.authentication.jwt.user.claim=preferred_username
> hive.server2.authentication.jwt.groups.claim=groups}}
> The implementation should support common claims such as:
> * {{sub}}
> * {{preferred_username}}
> * {{email}}
> * {{upn}}
> * {{groups}}
> * {{roles}}
> * tenant-related claims
> The resolved identity must be passed consistently to:
> * HiveServer2 sessions
> * Ranger authorization
> * Audit logging
> * Proxy-user and impersonation checks
> Audit records should preserve both the authenticated token identity and the
> effective Hive user when they differ.{{}}
> h4. Backward-compatible migration mode
> The implementation should preserve support for existing authentication
> mechanisms.
> HiveServer2 should continue to support configurations where Kerberos and
> JWT/OIDC authentication are enabled in parallel, allowing customers to
> migrate clients gradually.
> For example:
> {{hive.server2.authentication=KERBEROS,JWT}}
> The authentication mechanism should be selected according to the incoming
> HTTP authorization scheme.
> h3. Motivation
> Kerberos-based client authentication creates significant setup and usability
> challenges in cloud and containerized environments.
> Users may need to configure:
> * Java
> * Kerberos client libraries
> * {{krb5.conf}}
> * DNS and realm resolution
> * Keytabs or ticket initialization
> * Ticket renewal
> OIDC authentication would allow HiveServer2 to integrate with modern identity
> providers such as:
> * Microsoft Entra ID
> * Keycloak
> * Okta
> * Auth0
> * Other standards-compliant OIDC providers
> This would provide a more secure and user-friendly authentication model while
> preserving compatibility with the existing Hive and Hadoop execution
> architecture.
> h3. Expected Benefits
> * Simplified Hive client onboarding
> * Better cloud and Kubernetes integration
> * No requirement to distribute user keytabs
> * Short-lived and centrally managed access tokens
> * Improved support for standalone Beeline distributions
> * Consistent identity mapping between HiveServer2 and Ranger
> * Safer identity-provider key rotation
> * Gradual migration from Kerberos client authentication
> * Standards-based integration with enterprise identity providers
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)