Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-03-04 Thread Larry McCay
Hi Shiv - I believe that the auth mechanism in play is still considered
kerberos in this case. It is just based on a preauthenticated subject
rather than a UGI. In the end - it is kerberos.


On Tue, Mar 4, 2014 at 2:34 PM, Shivaraju Gowda shiv...@cisco.com wrote:



  On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java,
 line 68
   
 https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68
  
   Can you push this to
 HadoopThriftAuthBridge.Client#createClientTransport just like the way the
 else portion does instead of the createSubjectAssumedTransport method? From
 within the method you can return the TSubjectAssumingTransport.
 
  Shivaraju Gowda wrote:
  Again this was in my first cut. I was passing the value as
 tokenStrForm parameter to keep the method signature same. I later moved
 away from it since it was not elegant and changing the method signature
 involved broader implications. I felt this functionality didn't belong in
 Hadoop shim layer. Having the change in there also meant one more jar
 getting affected (hive-exec.jar)
 
 
  Shivaraju Gowda wrote:
  Another issue was the dependency on hadoop.core.jar. The calls
  AuthMethod.valueOf(AuthMethod.class, methodStr) and
  SaslRpcServer.splitKerberosName(serverPrincipal) in
 HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar
 
  Vaibhav Gumashta wrote:
  Actually in case of a kerberos setting, those jars are already
 required in the client's classpath
 (https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster
  - check Running the JDBC Sample Code section). And this jira is
 applicable only to a kerberos setup.

 Correct. But my point is we don't have to have that dependency on external
 Hadoop component for using kerberos in this way.


  On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
   
 https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136
  
   I think, instead of having to do identityContext equals
 fromKerberosSubject, we can just use assumeSubject equals true/false,
 keeping the default to false.
 
  Shivaraju Gowda wrote:
  Passing it as assumeSubject boolean url property was my first cut.
 However I thought assumeSubject itself doesn't convey the message for its
 intended use in and of itself (need to refer to the documentation) and
 making it key-value pair might give it some more meaning and there is also
 a possibility of it being later used for other use cases (say
 hypothetically the value can be fromKeyTab, fromTicketCache or fromLogin
 etc.).
 
  Shivaraju Gowda wrote:
  Do you think it might be better if we use auth property here, i.e.
 auth=fromKerberosSubject. Right now the only values for auth=noSasl.
 
  Vaibhav Gumashta wrote:
  auth property is kind of meant to map to the hiveserver2 auth modes
 [none, sasl, nosasl, kerberos]. The way it is used currently is not very
 clean and there are some jiras out there to clean that up and make the
 mapping more evident.

 OK, I look at this feature as an authentication mechanism. We are
 authenticating using the KerberosSubject passed by the user.


 - Shivaraju


 ---
 This is an automatically generated e-mail. To reply, visit:
 https://reviews.apache.org/r/18464/#review35730
 ---


 On Feb. 25, 2014, 6:50 a.m., Kevin Minder wrote:
 
  ---
  This is an automatically generated e-mail. To reply, visit:
  https://reviews.apache.org/r/18464/
  ---
 
  (Updated Feb. 25, 2014, 6:50 a.m.)
 
 
  Review request for hive, Kevin Minder and Vaibhav Gumashta.
 
 
  Bugs: HIVE-6486
  https://issues.apache.org/jira/browse/HIVE-6486
 
 
  Repository: hive-git
 
 
  Description
  ---
 
  Support secure Subject.doAs() in HiveServer2 JDBC client
 
 
  Diffs
  -
 
jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 17b4d39
service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java
 379dafb
 
 service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java
 PRE-CREATION
 
  Diff: https://reviews.apache.org/r/18464/diff/
 
 
  Testing
  ---
 
  Manual testing
 
 
  Thanks,
 
  Kevin Minder
 
 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-03-04 Thread Vaibhav Gumashta


 On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 
  68
  https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68
 
  Can you push this to 
  HadoopThriftAuthBridge.Client#createClientTransport just like the way the 
  else portion does instead of the createSubjectAssumedTransport method? From 
  within the method you can return the TSubjectAssumingTransport.
 
 Shivaraju Gowda wrote:
 Again this was in my first cut. I was passing the value as tokenStrForm 
 parameter to keep the method signature same. I later moved away from it since 
 it was not elegant and changing the method signature involved broader 
 implications. I felt this functionality didn't belong in Hadoop shim layer. 
 Having the change in there also meant one more jar getting 
 affected (hive-exec.jar)

 
 Shivaraju Gowda wrote:
 Another issue was the dependency on hadoop.core.jar. The calls  
 AuthMethod.valueOf(AuthMethod.class, methodStr) and  
 SaslRpcServer.splitKerberosName(serverPrincipal) in 
 HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar

Actually in case of a kerberos setting, those jars are already required in the 
client's classpath 
(https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster
 - check Running the JDBC Sample Code section). And this jira is applicable 
only to a kerberos setup. 


 On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
  https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136
 
  I think, instead of having to do identityContext equals 
  fromKerberosSubject, we can just use assumeSubject equals true/false, 
  keeping the default to false.
 
 Shivaraju Gowda wrote:
 Passing it as assumeSubject boolean url property was my first cut. 
 However I thought assumeSubject itself doesn't convey the message for its 
 intended use in and of itself (need to refer to the documentation) and
 making it key-value pair might give it some more meaning and there is also a 
 possibility of it being later used for other use cases (say hypothetically 
 the value can be fromKeyTab, fromTicketCache or fromLogin etc.).
 
 Shivaraju Gowda wrote:
 Do you think it might be better if we use auth property here, i.e.
 auth=fromKerberosSubject. Right now the only values for auth=noSasl.

auth property is kind of meant to map to the hiveserver2 auth modes [none, 
sasl, nosasl, kerberos]. The way it is used currently is not very clean and 
there are some jiras out there to clean that up and make the mapping more 
evident. 


- Vaibhav


 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-03-04 Thread Shivaraju Gowda


 On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 
  68
  https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68
 
  Can you push this to 
  HadoopThriftAuthBridge.Client#createClientTransport just like the way the 
  else portion does instead of the createSubjectAssumedTransport method? From 
  within the method you can return the TSubjectAssumingTransport.
 
 Shivaraju Gowda wrote:
 Again this was in my first cut. I was passing the value as tokenStrForm 
 parameter to keep the method signature same. I later moved away from it since 
 it was not elegant and changing the method signature involved broader 
 implications. I felt this functionality didn't belong in Hadoop shim layer. 
 Having the change in there also meant one more jar getting 
 affected (hive-exec.jar)

 
 Shivaraju Gowda wrote:
 Another issue was the dependency on hadoop.core.jar. The calls  
 AuthMethod.valueOf(AuthMethod.class, methodStr) and  
 SaslRpcServer.splitKerberosName(serverPrincipal) in 
 HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar
 
 Vaibhav Gumashta wrote:
 Actually in case of a kerberos setting, those jars are already required 
 in the client's classpath 
 (https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster
  - check Running the JDBC Sample Code section). And this jira is applicable 
 only to a kerberos setup.

Correct. But my point is we don't have to have that dependency on external 
Hadoop component for using kerberos in this way.


 On Feb. 27, 2014, 4:59 p.m., Vaibhav Gumashta wrote:
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
  https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136
 
  I think, instead of having to do identityContext equals 
  fromKerberosSubject, we can just use assumeSubject equals true/false, 
  keeping the default to false.
 
 Shivaraju Gowda wrote:
 Passing it as assumeSubject boolean url property was my first cut. 
 However I thought assumeSubject itself doesn't convey the message for its 
 intended use in and of itself (need to refer to the documentation) and
 making it key-value pair might give it some more meaning and there is also a 
 possibility of it being later used for other use cases (say hypothetically 
 the value can be fromKeyTab, fromTicketCache or fromLogin etc.).
 
 Shivaraju Gowda wrote:
 Do you think it might be better if we use auth property here, i.e.
 auth=fromKerberosSubject. Right now the only values for auth=noSasl.
 
 Vaibhav Gumashta wrote:
 auth property is kind of meant to map to the hiveserver2 auth modes 
 [none, sasl, nosasl, kerberos]. The way it is used currently is not very 
 clean and there are some jiras out there to clean that up and make the 
 mapping more evident.

OK, I look at this feature as an authentication mechanism. We are 
authenticating using the KerberosSubject passed by the user.


- Shivaraju


 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-02-28 Thread Shivaraju Gowda


 On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
  https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136
 
  I think, instead of having to do identityContext equals 
  fromKerberosSubject, we can just use assumeSubject equals true/false, 
  keeping the default to false.
 
 Shivaraju Gowda wrote:
 Passing it as assumeSubject boolean url property was my first cut. 
 However I thought assumeSubject itself doesn't convey the message for its 
 intended use in and of itself (need to refer to the documentation) and
 making it key-value pair might give it some more meaning and there is also a 
 possibility of it being later used for other use cases (say hypothetically 
 the value can be fromKeyTab, fromTicketCache or fromLogin etc.).

Do you think it might be better if we use auth property here, i.e.
auth=fromKerberosSubject. Right now the only values for auth=noSasl.


- Shivaraju


 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-02-28 Thread Shivaraju Gowda


 On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 
  68
  https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68
 
  Can you push this to 
  HadoopThriftAuthBridge.Client#createClientTransport just like the way the 
  else portion does instead of the createSubjectAssumedTransport method? From 
  within the method you can return the TSubjectAssumingTransport.
 
 Shivaraju Gowda wrote:
 Again this was in my first cut. I was passing the value as tokenStrForm 
 parameter to keep the method signature same. I later moved away from it since 
 it was not elegant and changing the method signature involved broader 
 implications. I felt this functionality didn't belong in Hadoop shim layer. 
 Having the change in there also meant one more jar getting 
 affected (hive-exec.jar)


Another issue was the dependency on hadoop.core.jar. The calls  
AuthMethod.valueOf(AuthMethod.class, methodStr) and  
SaslRpcServer.splitKerberosName(serverPrincipal) in 
HadoopThriftAuthBridge.Client#createClientTransport are from hadoop.core.jar


- Shivaraju


 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-02-27 Thread Vaibhav Gumashta




jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
https://reviews.apache.org/r/18464/#comment66451

I think, instead of having to do identityContext equals 
fromKerberosSubject, we can just use assumeSubject equals true/false, keeping 
the default to false.



service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java
https://reviews.apache.org/r/18464/#comment66452

Can you push this to HadoopThriftAuthBridge.Client#createClientTransport 
just like the way the else portion does instead of the 
createSubjectAssumedTransport method? From within the method you can return the 
TSubjectAssumingTransport.  


- Vaibhav Gumashta


 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-02-27 Thread Shivaraju Gowda


 On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, line 136
  https://reviews.apache.org/r/18464/diff/1/?file=503360#file503360line136
 
  I think, instead of having to do identityContext equals 
  fromKerberosSubject, we can just use assumeSubject equals true/false, 
  keeping the default to false.

Passing it as assumeSubject boolean url property was my first cut. However I 
thought assumeSubject itself doesn't convey the message for its intended use 
in and of itself (need to refer to the documentation) and making it
key-value pair might give it some more meaning and there is also a possibility 
of it being later used for other use cases (say hypothetically the value can be 
fromKeyTab, fromTicketCache or fromLogin etc.). 


 On Feb. 28, 2014, 12:59 a.m., Vaibhav Gumashta wrote:
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java, line 
  68
  https://reviews.apache.org/r/18464/diff/1/?file=503361#file503361line68
 
  Can you push this to 
  HadoopThriftAuthBridge.Client#createClientTransport just like the way the 
  else portion does instead of the createSubjectAssumedTransport method? From 
  within the method you can return the TSubjectAssumingTransport.

Again this was in my first cut. I was passing the value as tokenStrForm 
parameter to keep the method signature same. I later moved away from it since 
it was not elegant and changing the method signature involved broader 
implications. I felt this functionality didn't belong in Hadoop shim layer. 
Having the change in there also meant one more jar getting 
affected (hive-exec.jar)


- Shivaraju


 




Re: Review Request 18464: Support secure Subject.doAs() in HiveServer2 JDBC client

2014-02-25 Thread Kevin Minder

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18464/
---

(Updated Feb. 25, 2014, 2:50 p.m.)


Review request for hive, Kevin Minder and Vaibhav Gumashta.


Changes
---

Added hive group


Bugs: HIVE-6486
https://issues.apache.org/jira/browse/HIVE-6486


Repository: hive-git


Description
---

Support secure Subject.doAs() in HiveServer2 JDBC client


Diffs
-

  jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 17b4d39 
  service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb 
  service/src/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java 
PRE-CREATION 

Diff: https://reviews.apache.org/r/18464/diff/


Testing
---

Manual testing


Thanks,

Kevin Minder
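
The opt-in behaviour discussed in this thread, sketched as an added example (not code from the patch under review): the connection assumes the caller's pre-authenticated JAAS Subject only when the proposed `identityContext=fromKerberosSubject` URL property is set, and refuses to connect if no Kerberos Subject is on the calling context. `openTransport`, `sessionVars`, the host, the realm and the principal are hypothetical stand-ins, and no network I/O or real Kerberos login takes place.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

public class SubjectAssumingDemo {

    /** Parses the ;key=value session variables of a jdbc:hive2 URL (simplified). */
    static Map<String, String> sessionVars(String url) {
        Map<String, String> vars = new HashMap<>();
        String[] parts = url.split(";");
        for (int i = 1; i < parts.length; i++) {          // parts[0] is scheme://host:port/db
            int eq = parts[i].indexOf('=');
            if (eq > 0) {
                vars.put(parts[i].substring(0, eq), parts[i].substring(eq + 1));
            }
        }
        return vars;
    }

    /** Hypothetical stand-in for the client's transport setup. */
    static String openTransport(String url) throws Exception {
        String mode = sessionVars(url).get("identityContext");
        if (!"fromKerberosSubject".equals(mode)) {
            return "default Kerberos login path";          // property absent: behaviour unchanged
        }
        // Java 8-17 API; JDK 18+ provides Subject.current() and Subject.callAs() instead.
        Subject caller = Subject.getSubject(AccessController.getContext());
        if (caller == null) {
            throw new SecurityException("identityContext set but no Subject on the calling context");
        }
        Set<KerberosPrincipal> principals = caller.getPrincipals(KerberosPrincipal.class);
        if (principals.isEmpty()) {
            throw new SecurityException("calling Subject carries no Kerberos principal");
        }
        final String who = principals.iterator().next().getName();
        // A real client would run the SASL/GSSAPI handshake inside this doAs, so that
        // JGSS looks for tickets in the caller's Subject rather than a process-wide login.
        return Subject.doAs(caller,
                (PrivilegedExceptionAction<String>) () -> "GSSAPI handshake as " + who);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URL; host, realm and service principal are placeholders.
        final String url = "jdbc:hive2://hs2.example.com:10000/default"
                + ";principal=hive/_HOST@EXAMPLE.COM;identityContext=fromKerberosSubject";

        // Constructed Subject standing in for one obtained from a JAAS LoginContext.
        Subject alice = new Subject();
        alice.getPrincipals().add(new KerberosPrincipal("alice@EXAMPLE.COM"));

        // 1. Caller runs inside doAs: the transport assumes alice's identity.
        System.out.println(Subject.doAs(alice,
                (PrivilegedExceptionAction<String>) () -> openTransport(url)));

        // 2. Same URL outside doAs: fail closed instead of falling back silently.
        try {
            openTransport(url);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }

        // 3. Property omitted: the existing login path is used.
        System.out.println(openTransport(url.replace(";identityContext=fromKerberosSubject", "")));
    }
}
```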