[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits

2016-06-01 Thread Sushanth Sowmyan (JIRA) 

[ 
https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15311171#comment-15311171
 ] 

Sushanth Sowmyan commented on HIVE-13418:
-

([~thejas], if there is any work remaining on this bug, please open a further 
new jira for it.)

> HiveServer2 HTTP mode should support X-Forwarded-Host header for 
> authorization/audits
> -
>
> Key: HIVE-13418
> URL: https://issues.apache.org/jira/browse/HIVE-13418
> Project: Hive
>  Issue Type: New Feature
>  Components: Authorization, HiveServer2
>Reporter: Thejas M Nair
>Assignee: Thejas M Nair
> Fix For: 2.1.0
>
> Attachments: HIVE-13418.1.patch
>
>
> Apache Knox acts as a proxy for requests coming from the end users. In these 
> cases, the IP address that HiveServer2 passes to the authorization/audit 
> plugins via the HiveAuthzContext object only the IP address of the proxy, and 
> not the end user.
> For auditing purposes, the IP address of the end user and any proxies in 
> between are useful.
> HiveServer2 should pass the information from  'X-Forwarded-Host' header to 
> the HiveAuthorizer plugins.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits

2016-04-17 Thread Lefty Leverenz (JIRA) 

[ 
https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15244552#comment-15244552
 ] 

Lefty Leverenz commented on HIVE-13418:
---

[~thejas], two days ago you committed this to master.  Are you waiting until a 
branch commit before updating the status?

(See commit 833a7d158b3a8e45f492e7c82640c1a367d79b30.)

> HiveServer2 HTTP mode should support X-Forwarded-Host header for 
> authorization/audits
> -
>
> Key: HIVE-13418
> URL: https://issues.apache.org/jira/browse/HIVE-13418
> Project: Hive
>  Issue Type: New Feature
>  Components: Authorization, HiveServer2
>Reporter: Thejas M Nair
>Assignee: Thejas M Nair
> Attachments: HIVE-13418.1.patch
>
>
> Apache Knox acts as a proxy for requests coming from the end users. In these 
> cases, the IP address that HiveServer2 passes to the authorization/audit 
> plugins via the HiveAuthzContext object only the IP address of the proxy, and 
> not the end user.
> For auditing purposes, the IP address of the end user and any proxies in 
> between are useful.
> HiveServer2 should pass the information from  'X-Forwarded-Host' header to 
> the HiveAuthorizer plugins.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits

2016-04-12 Thread Vaibhav Gumashta (JIRA) 

[ 
https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15238377#comment-15238377
 ] 

Vaibhav Gumashta commented on HIVE-13418:
-

+1. Looks like the test failures are unrelated.

> HiveServer2 HTTP mode should support X-Forwarded-Host header for 
> authorization/audits
> -
>
> Key: HIVE-13418
> URL: https://issues.apache.org/jira/browse/HIVE-13418
> Project: Hive
>  Issue Type: New Feature
>  Components: Authorization, HiveServer2
>Reporter: Thejas M Nair
>Assignee: Thejas M Nair
> Attachments: HIVE-13418.1.patch
>
>
> Apache Knox acts as a proxy for requests coming from the end users. In these 
> cases, the IP address that HiveServer2 passes to the authorization/audit 
> plugins via the HiveAuthzContext object only the IP address of the proxy, and 
> not the end user.
> For auditing purposes, the IP address of the end user and any proxies in 
> between are useful.
> HiveServer2 should pass the information from  'X-Forwarded-Host' header to 
> the HiveAuthorizer plugins.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits

2016-04-11 Thread Hive QA (JIRA) 

[ 
https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15235399#comment-15235399
 ] 

Hive QA commented on HIVE-13418:




Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12797835/HIVE-13418.1.patch

{color:green}SUCCESS:{color} +1 due to 4 test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 29 failed/errored test(s), 9918 tests 
executed
*Failed tests:*
{noformat}
TestMiniTezCliDriver-schema_evol_orc_acidvec_mapwork_part.q-vector_partitioned_date_time.q-vector_non_string_partition.q-and-12-more
 - did not produce a TEST-*.xml file
TestMiniTezCliDriver-vector_acid3.q-vector_decimal_trailing.q-lvj_mapjoin.q-and-12-more
 - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_index_bitmap3
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_dyn_part_max
org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskSchedulerService.testForcedLocalityPreemption
org.apache.hadoop.hive.metastore.TestFilterHooks.org.apache.hadoop.hive.metastore.TestFilterHooks
org.apache.hadoop.hive.metastore.TestMetaStoreInitListener.testMetaStoreInitListener
org.apache.hadoop.hive.metastore.TestPartitionNameWhitelistValidation.testAppendPartitionWithCommas
org.apache.hadoop.hive.metastore.TestPartitionNameWhitelistValidation.testAppendPartitionWithValidCharacters
org.apache.hadoop.hive.metastore.TestRemoteUGIHiveMetaStoreIpAddress.testIpAddress
org.apache.hadoop.hive.ql.security.TestClientSideAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestExtendedAcls.org.apache.hadoop.hive.ql.security.TestExtendedAcls
org.apache.hadoop.hive.ql.security.TestFolderPermissions.org.apache.hadoop.hive.ql.security.TestFolderPermissions
org.apache.hadoop.hive.ql.security.TestMetastoreAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestMultiAuthorizationPreEventListener.org.apache.hadoop.hive.ql.security.TestMultiAuthorizationPreEventListener
org.apache.hadoop.hive.ql.security.TestStorageBasedClientSideAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationDrops.testDropPartition
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationProvider.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationProviderWithACL.testSimplePrivileges
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadDbFailure
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadDbSuccess
org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadTableFailure
org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testDelegationTokenSharedStore
org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testMetastoreProxyUser
org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testSaslWithHiveMetaStore
org.apache.hive.hcatalog.api.repl.commands.TestCommands.org.apache.hive.hcatalog.api.repl.commands.TestCommands
org.apache.hive.service.TestHS2ImpersonationWithRemoteMS.org.apache.hive.service.TestHS2ImpersonationWithRemoteMS
org.apache.hive.spark.client.TestSparkClient.testJobSubmission
org.apache.hive.spark.client.TestSparkClient.testSyncRpc
{noformat}

Test results: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7547/testReport
Console output: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7547/console
Test logs: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-7547/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 29 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12797835 - PreCommit-HIVE-TRUNK-Build

> HiveServer2 HTTP mode should support X-Forwarded-Host header for 
> authorization/audits
> -
>
> Key: HIVE-13418
> URL: https://issues.apache.org/jira/browse/HIVE-13418
> Project: Hive
>  Issue Type: New Feature
>  Components: Authorization, HiveServer2
>Reporter: Thejas M Nair
>Assignee: Thejas M Nair
> Attachments: HIVE-13418.1.patch
>
>
> Apache Knox acts as a proxy for requests coming from the end users. In these 
> cases, the IP address that HiveServer2 passes to the authorization/audit 
> plugins via the HiveAuthzContext object only the IP address of the proxy, and 
> not the end user.
> For auditing purposes, the IP

[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits

2016-04-08 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15233229#comment-15233229
 ] 

ASF GitHub Bot commented on HIVE-13418:
---

GitHub user thejasmn opened a pull request:

https://github.com/apache/hive/pull/69

HIVE-13418



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/thejasmn/hive HIVE-13418

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/hive/pull/69.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #69


commit 9afad78243c0eeedd7571ac7961f177ebf20e771
Author: Thejas Nair 
Date:   2016-04-08T06:35:25Z

set x-forwarded-for

commit 400406a0765253f14e570061375923431d7f304c
Author: Thejas Nair 
Date:   2016-04-08T06:38:02Z

set forwarded address in HiveAuthzContext

commit ef438d7498cac59a665b92c5d3e5fffb6bbdac19
Author: Thejas Nair 
Date:   2016-04-08T21:23:55Z

add test in TestThriftHttpCLIService

commit a475bf1d077acf7335f4efcbcdd6bce7e75017fb
Author: Thejas Nair 
Date:   2016-04-08T21:47:34Z

rename impls of ThriftCLIServiceTest

commit eb6982c9f013f02df26ff7ea8d78e658224c4f95
Author: Thejas Nair 
Date:   2016-04-08T21:48:38Z

reorganize   ThriftCLIServiceTest tests

commit a3cac6ef692dcd1c89405e0cead4a0d949613122
Author: Thejas Nair 
Date:   2016-04-08T21:53:47Z

rename test class

commit e31cd18d7fd9be2ba0373949fa2e39d19a4aa943
Author: Thejas Nair 
Date:   2016-04-08T21:53:58Z

new classname

commit c48a21fab62f11f17213f2680cd414e69e155398
Author: Thejas Nair 
Date:   2016-04-09T00:17:55Z

test now checks the forwarded ips passed on

commit 131cd7208cc8e244a312253d63a250d7541f0a90
Author: Thejas Nair 
Date:   2016-04-09T00:19:04Z

fix test imports

commit ac227e05d931a906987a53cfcccf31b37fa8b95e
Author: Thejas Nair 
Date:   2016-04-09T00:40:07Z

fix test compile, post rebase




> HiveServer2 HTTP mode should support X-Forwarded-Host header for 
> authorization/audits
> -
>
> Key: HIVE-13418
> URL: https://issues.apache.org/jira/browse/HIVE-13418
> Project: Hive
>  Issue Type: New Feature
>  Components: Authorization, HiveServer2
>Reporter: Thejas M Nair
>Assignee: Thejas M Nair
>
> Apache Knox acts as a proxy for requests coming from the end users. In these 
> cases, the IP address that HiveServer2 passes to the authorization/audit 
> plugins via the HiveAuthzContext object is the IP address of the proxy, and 
> not the end user.
> For auditing and authorization purposes, the IP address of the end use is 
> more meaningful.
> HiveServer2 should pass the information from  'X-Forwarded-Host' header to 
> the HiveAuthorizer plugins if the request is coming from a trusted proxy.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)