[jira] [Commented] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16426805#comment-16426805 ]

Puneet Gupta commented on LENS-1506:

Committed. Thanks [~ankitkailaswar]

> Kerberos authentication in lens
> -------------------------------
>
> Key: LENS-1506
> URL: https://issues.apache.org/jira/browse/LENS-1506
> Project: Apache Lens
> Issue Type: Improvement
> Components: client, driver-hive, python-client, server
> Reporter: Ankit Kailaswar
> Assignee: Ankit Kailaswar
> Priority: Major
> Fix For: 2.8
>
> Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch, Lens-1506.4.patch, Lens-1506_patch, design3.png
>
>
> Current Lens implementation is broken when we try to enable Kerberos
> authentication in Lens as mentioned at
> [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in
> the following ways:
> 1. openSession REST API fails to create a new session for the user. Currently it
> supports only passwd types of authentication.
> 2. If the underlying Hive driver is running with Kerberos authentication then
> the driver initialization flow to obtain the Hive transport for the Hive driver in Lens
> errors out. Hive server accepts only SASL messages but Lens continues using
> PLAINSASL.
> 3. If the Hadoop cluster has Kerberos authentication enabled then all HDFS calls
> (persisting services, all HDFS paths in conf etc.) fail.
> 4. Lens as of now doesn't support refreshing the KDC token before it expires.
>
> Changes required in Lens to fully support Kerberos authentication are as
> follows:
> # Lens's Hive driver must use SASL for all communication to kerberized
> Hive. The current Thrift client for Hive doesn't support this functionality.
> # Lens must refresh the KDC ticket before it expires.
> # All clients must be authenticated with Kerberos authentication before
> session creation.
> # In Kerberos mode all Hive driver queries should be executed with a single
> cluster user, "lens".

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
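The mechanism mismatch in item 2 of the issue description, shown at the wire level as an added example that is not part of the original messages or of the Lens patch. It assumes the Thrift SASL negotiation framing (1-byte status, 4-byte big-endian length, payload); the function names, the `allowed` policy and the sample byte strings are constructed for illustration.

```python
import struct

# Thrift SASL negotiation status codes (TSaslTransport.NegotiationStatus).
START, OK, BAD, ERROR, COMPLETE = 1, 2, 3, 4, 5
STATUS_NAMES = {1: "START", 2: "OK", 3: "BAD", 4: "ERROR", 5: "COMPLETE"}


def encode_frame(status, payload):
    """One negotiation message: 1-byte status, 4-byte big-endian length, payload."""
    return struct.pack(">BI", status, len(payload)) + payload


def decode_frames(data):
    """Split a captured byte stream into (status_name, payload) tuples."""
    frames, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated SASL header")
        status, length = struct.unpack_from(">BI", data, offset)
        offset += 5
        if status not in STATUS_NAMES or length > len(data) - offset:
            raise ValueError("malformed SASL frame")
        frames.append((STATUS_NAMES[status], data[offset:offset + length]))
        offset += length
    return frames


def offered_mechanism(client_bytes):
    """Return the mechanism named in the client's opening START frame."""
    frames = decode_frames(client_bytes)
    if not frames or frames[0][0] != "START":
        raise ValueError("client did not open with a START frame")
    return frames[0][1].decode("ascii")


def server_reply(client_bytes, allowed=("GSSAPI",)):
    """Hypothetical server-side check: refuse any mechanism outside `allowed`."""
    mech = offered_mechanism(client_bytes)
    if mech not in allowed:
        return encode_frame(BAD, ("Unsupported mechanism type " + mech).encode())
    return encode_frame(OK, b"")  # a real server would continue the GSSAPI exchange


# Constructed sample input: the first bytes a PLAIN client and a Kerberos client send.
PLAIN_CLIENT = encode_frame(START, b"PLAIN") + encode_frame(OK, b"\x00lens\x00placeholder")
GSSAPI_CLIENT = encode_frame(START, b"GSSAPI") + encode_frame(OK, b"<constructed-token>")

if __name__ == "__main__":
    for name, stream in (("PLAIN", PLAIN_CLIENT), ("GSSAPI", GSSAPI_CLIENT)):
        print(name, "->", decode_frames(server_reply(stream)))
```

Running the same decoder over the first bytes of a captured client connection shows which mechanism a driver is actually offering, which is the quickest way to confirm this failure mode.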
[jira] [Commented] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16426800#comment-16426800 ]

Hadoop QA commented on LENS-1506:

Applied patch: [Lens-1506.4.patch|https://issues.apache.org/jira/secure/attachment/12917678/Lens-1506.4.patch] and ran command: mvn clean install -fae. Result: Success. Build Job: https://builds.apache.org/job/PreCommit-Lens-Build/1509/
[jira] [Commented] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16423925#comment-16423925 ]

Ankit Kailaswar commented on LENS-1506:

Taken patch from review board and attaching.
[jira] [Commented] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16400337#comment-16400337 ]

Puneet Gupta commented on LENS-1506:

[~ankitkailaswar] This review request covers all the changes 1-4?
[jira] [Commented] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16400034#comment-16400034 ]

Ankit Kailaswar commented on LENS-1506:

Review request: https://reviews.apache.org/r/66081/