subject:"Review Request 12824\: \[HIVE\-4911\] Enable QOP configuration for Hive Server 2 thrift transport"

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-08-05 Thread Arup Malakar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/
---

(Updated Aug. 5, 2013, 6:54 p.m.)


Review request for hive.


Changes
---

Rebased.


Bugs: HIVE-4911
https://issues.apache.org/jira/browse/HIVE-4911


Repository: hive-git


Description
---

The QoP for hive server 2 should be configurable to enable encryption. A new 
configuration should be exposed "hive.server2.thrift.rpc.protection". This 
would give greater control configuring hive server 2 service.


Diffs (updated)
-

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
555343ebffb9dcd5e58d5b99ce9ca52904f68ecf 
  conf/hive-default.xml.template f01e715e4de95b4011210143f7d3add2d8a4d432 
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
00f43511b478c687b7811fc8ad66af2b507a3626 
  metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
cde58c25991641573453217da71a7ac1acf6adfd 
  metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 
cef50f40ccb047a8135f704b2997968a2cf477b8 
  metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
88151a1d48b12cf3a8346ae94b6d1a182a331992 
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
379dafb8377aed55e74f0ae18407996bb9e1216f 
  service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
  
shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
 1df6993cb9aac1bb195667b3123faee27d657c0a 
  
shims/src/common-secure/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
 3e850ec3991cbb2d4343969ba8fe9df4a7d137b5 
  
shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 
ab7f5c0eb5345e68e3f223c9dfed8414de946661 

Diff: https://reviews.apache.org/r/12824/diff/


Testing
---


Thanks,

Arup Malakar

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-08-02 Thread Arup Malakar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/
---

(Updated Aug. 2, 2013, 10:51 p.m.)


Review request for hive.


Changes
---

1. Incorporated sasl.qop renaming of param
2. Moved getHadoopSaslProperties to HadoopThriftAuthBridge


Bugs: HIVE-4911
https://issues.apache.org/jira/browse/HIVE-4911


Repository: hive-git


Description
---

The QoP for hive server 2 should be configurable to enable encryption. A new 
configuration should be exposed "hive.server2.thrift.rpc.protection". This 
would give greater control configuring hive server 2 service.


Diffs (updated)
-

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
11c31216495d0c4e454f2627af5c93a9f270b1fe 
  conf/hive-default.xml.template 603b475802152a4bd5ab92a4c7146b56f6be020d 
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
00f43511b478c687b7811fc8ad66af2b507a3626 
  metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
72eac989394a388e52d3845b02bb38ebeaad 
  metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 
cef50f40ccb047a8135f704b2997968a2cf477b8 
  metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
88151a1d48b12cf3a8346ae94b6d1a182a331992 
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
379dafb8377aed55e74f0ae18407996bb9e1216f 
  service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
  
shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
 777226f8da0af2235d4294cd6a676fa8192c89e4 
  
shims/src/common-secure/test/org/apache/hadoop/hive/thrift/TestHadoop20SAuthBridge.java
 172e03115372dc2c742469cbc5f0fefd1053163d 
  
shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 
9b0ec0a75563b41339e6fc747556440fdf83e31e 

Diff: https://reviews.apache.org/r/12824/diff/


Testing
---


Thanks,

Arup Malakar

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-24 Thread Thejas Nair



> On July 23, 2013, 9:48 p.m., Thejas Nair wrote:
> > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 142
> > 
> >
> > the HIVE_AUTH_TYPE env variable is called "auth".
> > Should we use something more descriptive like "sasl.qop" as the 
> > variable that sets the QOP level.
> >
> 
> Arup Malakar wrote:
> I am totally agree that a different key name should be used for qop 
> settings. As the current HIVE_AUTH_TYPE configuration key is overloaded. 
> Original idea was to clean up the configuration keys which is being taken 
> care of in: https://issues.apache.org/jira/browse/HIVE-4232. Once the auth 
> params are taken care of, I had plans of introducing a new parameter called 
> qop which would be used to configure the QoP alone. But since HIVE-4232 is 
> not yet committed, I ended up using the HIVE_AUTH_TYPE. I can rebase if 
> HIVE-4232 goes in.
> 
> Arup Malakar wrote:
> I am totally agree that a different key name should be used for qop 
> settings. As the current HIVE_AUTH_TYPE configuration key is overloaded. 
> Original idea was to clean up the configuration keys which is being taken 
> care of in: https://issues.apache.org/jira/browse/HIVE-4232. Once the auth 
> params are taken care of, I had plans of introducing a new parameter called 
> qop which would be used to configure the QoP alone. But since HIVE-4232 is 
> not yet committed, I ended up using the HIVE_AUTH_TYPE. I can rebase if 
> HIVE-4232 goes in.

Once this becomes part of a release, we would need to worry about backward 
compatibility. ie, we would need to continue to support "auth=auth" , 
"auth=auth-int" etc .
I think using sasl.qop as parameter name instead would makes sense with or 
without HIVE-4232 changes.


- Thejas


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/#review23711
---


On July 24, 2013, 4:43 p.m., Arup Malakar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/12824/
> ---
> 
> (Updated July 24, 2013, 4:43 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-4911
> https://issues.apache.org/jira/browse/HIVE-4911
> 
> 
> Repository: hive-git
> 
> 
> Description
> ---
> 
> The QoP for hive server 2 should be configurable to enable encryption. A new 
> configuration should be exposed "hive.server2.thrift.rpc.protection". This 
> would give greater control configuring hive server 2 service.
> 
> 
> Diffs
> -
> 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
> 11c31216495d0c4e454f2627af5c93a9f270b1fe 
>   conf/hive-default.xml.template 603b475802152a4bd5ab92a4c7146b56f6be020d 
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
> 00f43511b478c687b7811fc8ad66af2b507a3626 
>   metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
> 72eac989394a388e52d3845b02bb38ebeaad 
>   
> metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 
> cef50f40ccb047a8135f704b2997968a2cf477b8 
>   metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
> 88151a1d48b12cf3a8346ae94b6d1a182a331992 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
> 1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
> 379dafb8377aed55e74f0ae18407996bb9e1216f 
>   service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
>   
> shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
>  777226f8da0af2235d4294cd6a676fa8192c89e4 
>   
> shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
>  9b0ec0a75563b41339e6fc747556440fdf83e31e 
> 
> Diff: https://reviews.apache.org/r/12824/diff/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Arup Malakar
> 
>

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-24 Thread Arup Malakar

> On July 23, 2013, 9:48 p.m., Thejas Nair wrote:
> > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 142
> > 
> >
> > the HIVE_AUTH_TYPE env variable is called "auth".
> > Should we use something more descriptive like "sasl.qop" as the 
> > variable that sets the QOP level.
> >
> 
> Arup Malakar wrote:
> I am totally agree that a different key name should be used for qop 
> settings. As the current HIVE_AUTH_TYPE configuration key is overloaded. 
> Original idea was to clean up the configuration keys which is being taken 
> care of in: https://issues.apache.org/jira/browse/HIVE-4232. Once the auth 
> params are taken care of, I had plans of introducing a new parameter called 
> qop which would be used to configure the QoP alone. But since HIVE-4232 is 
> not yet committed, I ended up using the HIVE_AUTH_TYPE. I can rebase if 
> HIVE-4232 goes in.

I am totally agree that a different key name should be used for qop settings. 
As the current HIVE_AUTH_TYPE configuration key is overloaded. Original idea 
was to clean up the configuration keys which is being taken care of in: 
https://issues.apache.org/jira/browse/HIVE-4232. Once the auth params are taken 
care of, I had plans of introducing a new parameter called qop which would be 
used to configure the QoP alone. But since HIVE-4232 is not yet committed, I 
ended up using the HIVE_AUTH_TYPE. I can rebase if HIVE-4232 goes in.

> On July 23, 2013, 9:48 p.m., Thejas Nair wrote:
> > jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 142
> > 
> >
> > the HIVE_AUTH_TYPE env variable is called "auth".
> > Should we use something more descriptive like "sasl.qop" as the 
> > variable that sets the QOP level.
> >
> 
> Arup Malakar wrote:
> I am totally agree that a different key name should be used for qop 
> settings. As the current HIVE_AUTH_TYPE configuration key is overloaded. 
> Original idea was to clean up the configuration keys which is being taken 
> care of in: https://issues.apache.org/jira/browse/HIVE-4232. Once the auth 
> params are taken care of, I had plans of introducing a new parameter called 
> qop which would be used to configure the QoP alone. But since HIVE-4232 is 
> not yet committed, I ended up using the HIVE_AUTH_TYPE. I can rebase if 
> HIVE-4232 goes in.

I am totally agree that a different key name should be used for qop settings. 
As the current HIVE_AUTH_TYPE configuration key is overloaded. Original idea 
was to clean up the configuration keys which is being taken care of in: 
https://issues.apache.org/jira/browse/HIVE-4232. Once the auth params are taken 
care of, I had plans of introducing a new parameter called qop which would be 
used to configure the QoP alone. But since HIVE-4232 is not yet committed, I 
ended up using the HIVE_AUTH_TYPE. I can rebase if HIVE-4232 goes in.

> On July 23, 2013, 9:48 p.m., Thejas Nair wrote:
> > shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java,
> >  line 111
> > 
> >
> > This function is called from hive metastore client. Using 
> > SaslRpcServer.SASL_PROPS here means that setting hadoop.rpc.protection will 
> > determine the QOP level, if we make a call to SaslRpcServer.init(conf) from 
> > anywhere in the code. But that function is not being called.
> > 
> > I think it makes sense to use hadoop.rpc.protection for metastore QOP, 
> > since metastore usually not exposed 'outside' the cluster unlike hive 
> > server2. It is often viewed as something 'inside the cluster'.
> > 
> > Should we change this function to take in a configuration object and 
> > use that to call SaslRpcServer.init(conf) ?

The current createClientTransport method (without this patch) uses 
SaslRpcServer.SASL_PROPS too, but it doesn't call SaslRpcServer.init(conf) so I 
assumed SaslRpcServer.init(conf) is being called before reaching this method. 
But looking at https://issues.apache.org/jira/browse/HIVE-4232 I realized that 
this is indeed a bug in current code.

Rather than doing init() in createTransportFactory() and 
createClientTransport() I removed the default method that uses 
SaslRpcServer.SASL_PROPS. Both these methods now only takes Map. In case of both metastore client/server the code gets the Sasl 
propeties from MetaStoreUtils.getMetaStoreSaslProperties(conf) and passes it to 
the methods in HadoopThriftAuthBridge20S. 
Reasons:
1. We could remove the redundant methods that defaults to 
SaslRpcServer.SASL_PROPS
2. Changing meta store to use different configuration can be easily 
accomplished by modifying in only one place 
MetaStoreUtils.getMetaStoreSaslProperties(conf)

Let me know what you think of it.

I have a question though, is it okay to access SaslRpcSercer.SASL_PROPS from 
Met

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-24 Thread Arup Malakar



> On July 23, 2013, 9:54 p.m., Thejas Nair wrote:
> > common/src/java/org/apache/hadoop/hive/conf/HiveConf.java, line 728
> > 
> >
> > should we just call this 
> > hive.server2.thrift.sasl.qop ? That seems more self describing.
> >

I derived the name from "hadoop.rpc.protection", but I totally agree that 
hadoop.rpc.protection itself was a bit of misnomer. And using sasl.qop is 
self-describing and people can easily relate this to auth, auth-int, auth-conf 
etc.


- Arup


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/#review23722
---


On July 24, 2013, 4:43 p.m., Arup Malakar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/12824/
> ---
> 
> (Updated July 24, 2013, 4:43 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-4911
> https://issues.apache.org/jira/browse/HIVE-4911
> 
> 
> Repository: hive-git
> 
> 
> Description
> ---
> 
> The QoP for hive server 2 should be configurable to enable encryption. A new 
> configuration should be exposed "hive.server2.thrift.rpc.protection". This 
> would give greater control configuring hive server 2 service.
> 
> 
> Diffs
> -
> 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
> 11c31216495d0c4e454f2627af5c93a9f270b1fe 
>   conf/hive-default.xml.template 603b475802152a4bd5ab92a4c7146b56f6be020d 
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
> 00f43511b478c687b7811fc8ad66af2b507a3626 
>   metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
> 72eac989394a388e52d3845b02bb38ebeaad 
>   
> metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 
> cef50f40ccb047a8135f704b2997968a2cf477b8 
>   metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
> 88151a1d48b12cf3a8346ae94b6d1a182a331992 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
> 1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
> 379dafb8377aed55e74f0ae18407996bb9e1216f 
>   service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
>   
> shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
>  777226f8da0af2235d4294cd6a676fa8192c89e4 
>   
> shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
>  9b0ec0a75563b41339e6fc747556440fdf83e31e 
> 
> Diff: https://reviews.apache.org/r/12824/diff/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Arup Malakar
> 
>

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-24 Thread Arup Malakar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/
---

(Updated July 24, 2013, 4:43 p.m.)


Review request for hive.


Changes
---

Thank you Thejas for the review. I have fixed incorporated most of them except 
the HIVE_AUTH_TYPE comment. Let me know what you think would be the best 
approach given HIVE-4232 is not committed.


Bugs: HIVE-4911
https://issues.apache.org/jira/browse/HIVE-4911


Repository: hive-git


Description
---

The QoP for hive server 2 should be configurable to enable encryption. A new 
configuration should be exposed "hive.server2.thrift.rpc.protection". This 
would give greater control configuring hive server 2 service.


Diffs (updated)
-

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
11c31216495d0c4e454f2627af5c93a9f270b1fe 
  conf/hive-default.xml.template 603b475802152a4bd5ab92a4c7146b56f6be020d 
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
00f43511b478c687b7811fc8ad66af2b507a3626 
  metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
72eac989394a388e52d3845b02bb38ebeaad 
  metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 
cef50f40ccb047a8135f704b2997968a2cf477b8 
  metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
88151a1d48b12cf3a8346ae94b6d1a182a331992 
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
379dafb8377aed55e74f0ae18407996bb9e1216f 
  service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
  
shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
 777226f8da0af2235d4294cd6a676fa8192c89e4 
  
shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 
9b0ec0a75563b41339e6fc747556440fdf83e31e 

Diff: https://reviews.apache.org/r/12824/diff/


Testing
---


Thanks,

Arup Malakar

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-23 Thread Thejas Nair


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/#review23722
---



common/src/java/org/apache/hadoop/hive/conf/HiveConf.java


should we just call this 
hive.server2.thrift.sasl.qop ? That seems more self describing.



- Thejas Nair


On July 22, 2013, 8:56 p.m., Arup Malakar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/12824/
> ---
> 
> (Updated July 22, 2013, 8:56 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-4911
> https://issues.apache.org/jira/browse/HIVE-4911
> 
> 
> Repository: hive-git
> 
> 
> Description
> ---
> 
> The QoP for hive server 2 should be configurable to enable encryption. A new 
> configuration should be exposed "hive.server2.thrift.rpc.protection". This 
> would give greater control configuring hive server 2 service.
> 
> 
> Diffs
> -
> 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
> 11c31216495d0c4e454f2627af5c93a9f270b1fe 
>   data/conf/hive-site.xml 4e6ff16135833da1a4df12a12a6fe59ad4f870ba 
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
> 00f43511b478c687b7811fc8ad66af2b507a3626 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
> 1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
> 379dafb8377aed55e74f0ae18407996bb9e1216f 
>   service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
>   
> shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
>  777226f8da0af2235d4294cd6a676fa8192c89e4 
>   
> shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
>  9b0ec0a75563b41339e6fc747556440fdf83e31e 
> 
> Diff: https://reviews.apache.org/r/12824/diff/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Arup Malakar
> 
>

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-23 Thread Thejas Nair

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/#review23711
---

data/conf/hive-site.xml

This change should go into conf/hive-default.xml.template . 
data/conf/hive-site.xml is meant to be used for overriding config 
parameters for the tests. In this case as default value is being used, this 
file does not need changing.

jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java

the HIVE_AUTH_TYPE env variable is called "auth".
Should we use something more descriptive like "sasl.qop" as the variable 
that sets the QOP level.

jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java

It is a good general practice to chain the exceptions. 
- 
throw new SQLException("Invalid " + HIVE_AUTH_TYPE + " parameter. " + 
e.getMessage(), "42000", e);

service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java

I think hadoop.rpc.protection being set to a higher level than 
hive.server2.thrift.rpc.protection does not make sense in most situations (you 
would want to have more security in the transport that is likely to be more 
unsecure. THe HS2 -> client transport could be over a corporate wide wi-fi 
network)

Should we warn if such a configuration is seen ?

shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java

This function is called from hive metastore client. Using 
SaslRpcServer.SASL_PROPS here means that setting hadoop.rpc.protection will 
determine the QOP level, if we make a call to SaslRpcServer.init(conf) from 
anywhere in the code. But that function is not being called.

I think it makes sense to use hadoop.rpc.protection for metastore QOP, 
since metastore usually not exposed 'outside' the cluster unlike hive server2. 
It is often viewed as something 'inside the cluster'.

Should we change this function to take in a configuration object and use 
that to call SaslRpcServer.init(conf) ?

- Thejas Nair

On July 22, 2013, 8:56 p.m., Arup Malakar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/12824/
> ---
> 
> (Updated July 22, 2013, 8:56 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-4911
> https://issues.apache.org/jira/browse/HIVE-4911
> 
> 
> Repository: hive-git
> 
> 
> Description
> ---
> 
> The QoP for hive server 2 should be configurable to enable encryption. A new 
> configuration should be exposed "hive.server2.thrift.rpc.protection". This 
> would give greater control configuring hive server 2 service.
> 
> 
> Diffs
> -
> 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
> 11c31216495d0c4e454f2627af5c93a9f270b1fe 
>   data/conf/hive-site.xml 4e6ff16135833da1a4df12a12a6fe59ad4f870ba 
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
> 00f43511b478c687b7811fc8ad66af2b507a3626 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
> 1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
> 379dafb8377aed55e74f0ae18407996bb9e1216f 
>   service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
>   
> shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
>  777226f8da0af2235d4294cd6a676fa8192c89e4 
>   
> shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java
>  9b0ec0a75563b41339e6fc747556440fdf83e31e 
> 
> Diff: https://reviews.apache.org/r/12824/diff/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Arup Malakar
> 
>

Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

2013-07-22 Thread Arup Malakar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/
---

Review request for hive.


Bugs: HIVE-4911
https://issues.apache.org/jira/browse/HIVE-4911


Repository: hive-git


Description
---

The QoP for hive server 2 should be configurable to enable encryption. A new 
configuration should be exposed "hive.server2.thrift.rpc.protection". This 
would give greater control configuring hive server 2 service.


Diffs
-

  common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
11c31216495d0c4e454f2627af5c93a9f270b1fe 
  data/conf/hive-site.xml 4e6ff16135833da1a4df12a12a6fe59ad4f870ba 
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
00f43511b478c687b7811fc8ad66af2b507a3626 
  service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 
1809e1b26ceee5de14a354a0e499aa8c0ab793bf 
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 
379dafb8377aed55e74f0ae18407996bb9e1216f 
  service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION 
  
shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
 777226f8da0af2235d4294cd6a676fa8192c89e4 
  
shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 
9b0ec0a75563b41339e6fc747556440fdf83e31e 

Diff: https://reviews.apache.org/r/12824/diff/


Testing
---


Thanks,

Arup Malakar

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

9 matches

Site Navigation

Mail list logo

Footer information