Attila Turoczy created HIVE-29730:
-------------------------------------

             Summary: OIDC Authentication and Identity Mapping for HiveServer2 
and JDBC Clients
                 Key: HIVE-29730
                 URL: https://issues.apache.org/jira/browse/HIVE-29730
             Project: Hive
          Issue Type: New Feature
          Components: HiveServer2
            Reporter: Attila Turoczy


HiveServer2 already supports JWT-based authentication over HTTP transport. 
However, the current implementation is primarily a bring-your-own-token 
mechanism rather than a complete, production-grade OAuth 2.0 / OpenID Connect 
authentication solution.

Clients must obtain the JWT externally and pass it to HiveServer2. HiveServer2 
validates the token using the configured JWKS endpoint and derives the session 
user from the token subject. This provides basic boundary authentication, but 
several capabilities required for secure and user-friendly cloud deployments 
are currently missing or limited.

The goal of this initiative is to enhance the existing HiveServer2 JWT support 
and provide a complete OIDC-based authentication experience for Hive clients, 
without changing the existing downstream Kerberos, delegation-token, or Hadoop 
execution model.

Enhance JWT validation with configurable support for:
 * OIDC discovery through {{/.well-known/openid-configuration}}

 * Issuer validation

 * Audience validation

 * Authorized party validation where applicable

 * Scope and role validation

 * {{{}nbf{}}}, expiration, and configurable clock-skew handling

 * Explicitly allowed signing algorithms

 * Multiple trusted issuers or identity providers

 * Automatic JWKS refresh and key rotation

 * Resilient JWKS caching and retry behavior

 * Secure handling of JWT-related configuration properties

h4. 2. Configurable identity and group mapping (? maybe separate task)

Allow administrators to configure how JWT claims are mapped to the Hive 
identity.

Examples:

{{hive.server2.authentication.jwt.user.claim=preferred_username
hive.server2.authentication.jwt.groups.claim=groups}}

The implementation should support common claims such as:
 * {{sub}}

 * {{preferred_username}}

 * {{email}}

 * {{upn}}

 * {{groups}}

 * {{roles}}

 * tenant-related claims

The resolved identity must be passed consistently to:
 * HiveServer2 sessions

 * Ranger authorization

 * Audit logging

 * Proxy-user and impersonation checks

Audit records should preserve both the authenticated token identity and the 
effective Hive user when they differ.{{}}
h4. Backward-compatible migration mode

The implementation should preserve support for existing authentication 
mechanisms.

HiveServer2 should continue to support configurations where Kerberos and 
JWT/OIDC authentication are enabled in parallel, allowing customers to migrate 
clients gradually.

For example:

{{hive.server2.authentication=KERBEROS,JWT}}

The authentication mechanism should be selected according to the incoming HTTP 
authorization scheme.
h3. Motivation

Kerberos-based client authentication creates significant setup and usability 
challenges in cloud and containerized environments.

Users may need to configure:
 * Java

 * Kerberos client libraries

 * {{krb5.conf}}

 * DNS and realm resolution

 * Keytabs or ticket initialization

 * Ticket renewal

OIDC authentication would allow HiveServer2 to integrate with modern identity 
providers such as:
 * Microsoft Entra ID

 * Keycloak

 * Okta

 * Auth0

 * Other standards-compliant OIDC providers

This would provide a more secure and user-friendly authentication model while 
preserving compatibility with the existing Hive and Hadoop execution 
architecture.
h3. Expected Benefits
 * Simplified Hive client onboarding

 * Better cloud and Kubernetes integration

 * No requirement to distribute user keytabs

 * Short-lived and centrally managed access tokens

 * Improved support for standalone Beeline distributions

 * Consistent identity mapping between HiveServer2 and Ranger

 * Safer identity-provider key rotation

 * Gradual migration from Kerberos client authentication

 * Standards-based integration with enterprise identity providers

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to