[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-15 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=260986&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-260986
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 16/Jun/19 02:58
Start Date: 16/Jun/19 02:58
Worklog Time Spent: 10m 
  Work Description: prasanthj commented on pull request #675: Revert 
"HIVE-21783: Accept Hive connections from the same domain without 
authentication."
URL: https://github.com/apache/hive/pull/675
 
 
   Reverts apache/hive#648
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
---

Worklog Id: (was: 260986)
Time Spent: 4h  (was: 3h 50m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Fix For: 4.0.0
>
> Attachments: HIVE-21783.01.patch, HIVE-21783.02.patch
>
>  Time Spent: 4h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-15 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=260987&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-260987
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 16/Jun/19 02:58
Start Date: 16/Jun/19 02:58
Worklog Time Spent: 10m 
  Work Description: prasanthj commented on pull request #675: Revert 
"HIVE-21783: Accept Hive connections from the same domain without 
authentication."
URL: https://github.com/apache/hive/pull/675
 
 
   
 



Issue Time Tracking
---

Worklog Id: (was: 260987)
Time Spent: 4h 10m  (was: 4h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Fix For: 4.0.0
>
> Attachments: HIVE-21783.01.patch, HIVE-21783.02.patch
>
>  Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-15 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=260985&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-260985
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 16/Jun/19 02:57
Start Date: 16/Jun/19 02:57
Worklog Time Spent: 10m 
  Work Description: prasanthj commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648
 
 
   
 



Issue Time Tracking
---

Worklog Id: (was: 260985)
Time Spent: 3h 50m  (was: 3h 40m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Fix For: 4.0.0
>
> Attachments: HIVE-21783.01.patch, HIVE-21783.02.patch
>
>  Time Spent: 3h 50m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-04 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=253941&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-253941
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 04/Jun/19 18:37
Start Date: 04/Jun/19 18:37
Worklog Time Spent: 10m 
  Work Description: odraese commented on issue #648: HIVE-21783: Accept 
Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#issuecomment-498792072
 
 
   Thanks for updating the config description.
   +1
 



Issue Time Tracking
---

Worklog Id: (was: 253941)
Time Spent: 3h 40m  (was: 3.5h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21783.02.patch
>
>  Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-04 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=253940&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-253940
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 04/Jun/19 18:37
Start Date: 04/Jun/19 18:37
Worklog Time Spent: 10m 
  Work Description: odraese commented on issue #648: HIVE-21783: Accept 
Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#issuecomment-498792072
 
 
   Thanks for updating the config description.
   + 1
 



Issue Time Tracking
---

Worklog Id: (was: 253940)
Time Spent: 3.5h  (was: 3h 20m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21783.02.patch
>
>  Time Spent: 3.5h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-04 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=253588&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-253588
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 04/Jun/19 07:17
Start Date: 04/Jun/19 07:17
Worklog Time Spent: 10m 
  Work Description: prasanthj commented on issue #648: HIVE-21783: Accept 
Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#issuecomment-498552110
 
 
   lgtm, +1
 



Issue Time Tracking
---

Worklog Id: (was: 253588)
Time Spent: 3h 20m  (was: 3h 10m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-02 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252947&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252947
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 03/Jun/19 06:42
Start Date: 03/Jun/19 06:42
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289704328
 
 

 ##
 File path: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
 ##
 @@ -3468,6 +3468,10 @@ private static void 
populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "  (Use with property 
hive.server2.custom.authentication.class)\n" +
 "  PAM: Pluggable authentication module\n" +
 "  NOSASL:  Raw transport"),
+HIVE_SERVER2_TRUST_DOMAIN("hive.server2.trust.domain", "",
+"Specifies the host or a domain to trust connections from. 
Authentication is skipped " +
+"for any connection coming from this domain or the host. 
By default it is " +
+"empty, which means that all the connections to 
HiveServer2 are authenticated."),
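Review bot: The description text for hive.server2.trust.domain says "the host or a domain" but not how the value is compared with the connecting client. The PlainSaslHelper change in this pull request compares with remoteHost.endsWith(trustedDomain), so the text should say that this is a suffix match on the resolved client host name and show the expected form of the value, for instance whether a leading dot is needed.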
 
 Review comment:
   Done.
 



Issue Time Tracking
---

Worklog Id: (was: 252947)
Time Spent: 3h 10m  (was: 3h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-02 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252946&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252946
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 03/Jun/19 06:41
Start Date: 03/Jun/19 06:41
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289704300
 
 

 ##
 File path: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
 ##
 @@ -3468,6 +3468,10 @@ private static void 
populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "  (Use with property 
hive.server2.custom.authentication.class)\n" +
 "  PAM: Pluggable authentication module\n" +
 "  NOSASL:  Raw transport"),
+HIVE_SERVER2_TRUST_DOMAIN("hive.server2.trust.domain", "",
 
 Review comment:
   Done.
 



Issue Time Tracking
---

Worklog Id: (was: 252946)
Time Spent: 3h  (was: 2h 50m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 3h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-02 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252944&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252944
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 03/Jun/19 06:41
Start Date: 03/Jun/19 06:41
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289704206
 
 

 ##
 File path: 
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
 ##
 @@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request, 
HttpServletResponse response)
   return;
 }
   }
-  // If the cookie based authentication is already enabled, parse the
-  // request and validate the request cookies.
-  if (isCookieAuthEnabled) {
-clientUserName = validateCookie(request);
-requireNewCookie = (clientUserName == null);
-if (requireNewCookie) {
-  LOG.info("Could not validate cookie sent, will try to generate a new 
cookie");
-}
-  }
-  // If the cookie based authentication is not enabled or the request does
-  // not have a valid cookie, use the kerberos or password based 
authentication
-  // depending on the server setup.
-  if (clientUserName == null) {
-// For a kerberos setup
-if (isKerberosAuthMode(authType)) {
-  String delegationToken = 
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
-  // Each http request must have an Authorization header
-  if ((delegationToken != null) && (!delegationToken.isEmpty())) {
-clientUserName = doTokenAuth(request, response);
-  } else {
-clientUserName = doKerberosAuth(request);
+
+  clientIpAddress = request.getRemoteAddr();
+  LOG.debug("Client IP Address: " + clientIpAddress);
+  String trustedDomain = HiveConf.getVar(hiveConf, 
ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim();
+
+  // Skip authentication if the connection is from the trusted domain
+  if (!trustedDomain.isEmpty() &&
+  PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(), 
trustedDomain)) {
+LOG.info("No authentication performed because the connecting host " + 
request.getRemoteHost() +
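Review bot: The bypass in doPost keys on request.getRemoteHost(), which the Servlet API defines as the name of the client or of the last proxy that sent the request, and which falls back to the dotted IP string when the container does not resolve names. With HTTP mode behind a gateway or load balancer that sits inside the trusted domain, every request would take the no-authentication branch, and with name resolution turned off none would. Document that the option assumes direct client connections and container-side name resolution, and fetch the host once into a local variable, since getRemoteHost() is called both in the condition and in the log statement.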
 
 Review comment:
   Thanks for the detailed explanation.
   
   Here's a slight explanation for your "We can only support this for 
non-kerberos auth mode (password based)".
   We can support this independent of the authentication method configured for 
the HiveServer2 to which the client is connecting. But the connection from a 
trusted domain should connect as if it's connecting with NOSASL in HTTP mode 
and NONE authentication in binary mode.
   
   This means that when the HS2 is configured to use kerberos, there is no way 
that a client can connect from a trusted domain and provide kerberos 
credentials. It *has to* provide credentials as if it's a password based 
authentication (but password will not be used if provided). Any connection from 
non-trusted domain should provide kerberos credentials. I think this slight 
asymmetry is fine for our use case.
   
   When HS2 is configured to use password based authentication, there's no 
difference between a connection from a trusted domain and a connection from 
non-trusted domain.
   
   Rest of your explanation makes sense. I have changed the code accordingly.
   
   Please let me know if we need any changes to the config description.
 



Issue Time Tracking
---

Worklog Id: (was: 252944)
Time Spent: 2h 50m  (was: 2h 40m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-02 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252909&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252909
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 03/Jun/19 05:15
Start Date: 03/Jun/19 05:15
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289689881
 
 

 ##
 File path: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
 ##
 @@ -3468,6 +3468,10 @@ private static void 
populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "  (Use with property 
hive.server2.custom.authentication.class)\n" +
 "  PAM: Pluggable authentication module\n" +
 "  NOSASL:  Raw transport"),
+HIVE_SERVER2_TRUST_DOMAIN("hive.server2.trust.domain", "",
+"Specifies the host or a domain to trust connections from. 
Authentication is skipped " +
+"for any connection coming from this domain or the host. 
By default it is " +
+"empty, which means that all the connections to 
HiveServer2 are authenticated."),
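Review bot: The description says authentication is skipped but not which identity the session then runs as. State that the user name sent by a client from the trusted host or domain is accepted without verification and that any password it sends is ignored, and say how the option interacts with the hive.server2.authentication modes listed just above it, so an administrator can judge the exposure before setting a value.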
 
 Review comment:
   Hmm. I have rephrased the explanation (also incorporating the request from 
@prasanthj). Please check if this conveys the right meaning.
 



Issue Time Tracking
---

Worklog Id: (was: 252909)
Time Spent: 2h 40m  (was: 2.5h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-06-02 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252907&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252907
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 03/Jun/19 04:45
Start Date: 03/Jun/19 04:45
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289686372
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -65,16 +70,65 @@ public static TTransportFactory 
getPlainTransportFactory(String authTypeStr)
 return saslFactory;
   }
 
+  static TTransportFactory getDualPlainTransportFactory(TTransportFactory 
otherTrans,
+String trustedDomain)
+  throws LoginException {
+LOG.info("Created additional transport factory for skipping authentication 
when client " +
+"connection is from the same domain.");
+return new DualSaslTransportFactory(otherTrans, trustedDomain);
+  }
+
   public static TTransport getPlainTransport(String username, String password,
 TTransport underlyingTransport) throws SaslException {
 return new TSaslClientTransport("PLAIN", null, null, null, new 
HashMap(),
   new PlainCallbackHandler(username, password), underlyingTransport);
   }
 
+  // Return true if the remote host is from the trusted domain, i.e. host URL 
has the same
+  // suffix as the trusted domain.
+  static public boolean isHostFromTrustedDomain(String remoteHost, String 
trustedDomain) {
+return remoteHost.endsWith(trustedDomain);
+  }
+
   private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  static final class DualSaslTransportFactory extends TTransportFactory {
+TTransportFactory otherFactory;
+TTransportFactory noAuthFactory;
+String trustedDomain;
+
+DualSaslTransportFactory(TTransportFactory otherFactory, String 
trustedDomain)
+throws LoginException {
+  this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+  this.otherFactory = otherFactory;
+  this.trustedDomain = trustedDomain;
+}
+
+@Override
+public TTransport getTransport(final TTransport trans) {
+  TSocket tSocket = null;
+  // Attempt to avoid authentication if only we can fetch the client IP 
address and it
+  // happens to be from the same domain as the server.
+  if (trans instanceof TSocket) {
+tSocket = (TSocket) trans;
+  } else if (trans instanceof TSaslServerTransport) {
+TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
+tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
+  }
+  String remoteHost = tSocket != null ?
+  tSocket.getSocket().getInetAddress().getCanonicalHostName() : 
null;
+  if (remoteHost != null && isHostFromTrustedDomain(remoteHost, 
trustedDomain)) {
+LOG.info("No authentication performed because the connecting host " + 
remoteHost + " is " +
+"from the trusted domain " + trustedDomain);
+return noAuthFactory.getTransport(trans);
+  } else {
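Review bot: isHostFromTrustedDomain matches with remoteHost.endsWith(trustedDomain), which has no label boundary and no guard of its own: with a trusted value such as example.com a host named notexample.com also passes, and an empty trustedDomain matches every host, which matters because the helper is public and only the servlet caller checks isEmpty(). Compare on a dot boundary (equal to the domain, or ending in "." + domain), lower-case both sides, and return false for a null or empty argument. In getTransport, the cast (TSocket)(saslTrans.getUnderlyingTransport()) is unchecked and throws ClassCastException for any other underlying transport; guard it with instanceof as the first branch does.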
 
 Review comment:
   Right, done.
 



Issue Time Tracking
---

Worklog Id: (was: 252907)
Time Spent: 2.5h  (was: 2h 20m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
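
The suffix test in `isHostFromTrustedDomain` from the hunk quoted above, set beside a match that respects DNS label boundaries. This is an added example, not part of the Hive patch or of this thread; `TrustedDomainMatch`, `labelMatch`, `normalize` and all host names are constructed for illustration.

```java
import java.util.Locale;

// Added illustration, not Hive code. TrustedDomainMatch, labelMatch, normalize
// and every host name below are constructed for this example.
public final class TrustedDomainMatch {

  private TrustedDomainMatch() {
  }

  // The comparison as quoted in the hunk above: a bare string suffix test.
  static boolean suffixMatch(String remoteHost, String trustedDomain) {
    return remoteHost.endsWith(trustedDomain);
  }

  // Trim, lower-case, and drop one leading dot and one trailing root dot, so
  // that ".Example.COM" and "example.com." both compare as "example.com".
  static String normalize(String name) {
    String n = name.trim().toLowerCase(Locale.ROOT);
    if (n.startsWith(".")) {
      n = n.substring(1);
    }
    if (n.endsWith(".")) {
      n = n.substring(0, n.length() - 1);
    }
    return n;
  }

  // Accept only the domain itself or a name ending in "." + domain.
  // Null or empty input never matches, so an unset option trusts nobody.
  static boolean labelMatch(String remoteHost, String trustedDomain) {
    if (remoteHost == null || trustedDomain == null) {
      return false;
    }
    String host = normalize(remoteHost);
    String domain = normalize(trustedDomain);
    if (host.isEmpty() || domain.isEmpty()) {
      return false;
    }
    return host.equals(domain) || host.endsWith("." + domain);
  }

  public static void main(String[] args) {
    // Constructed value standing in for hive.server2.trust.domain.
    String trusted = "example.com";

    // Constructed remote host names covering the cases where the two checks differ.
    String[] hosts = {
      "node1.example.com",            // inside the domain
      "example.com",                  // the domain itself
      "notexample.com",               // different domain sharing the string suffix
      "NODE1.EXAMPLE.COM",            // same host, different case
      "node1.example.com.",           // fully qualified form with root dot
      "node1.example.com.other.test"  // trusted name used as a prefix only
    };

    System.out.printf("%-32s %-8s %-8s%n", "remote host", "suffix", "label");
    for (String host : hosts) {
      System.out.printf("%-32s %-8b %-8b%n",
          host, suffixMatch(host, trusted), labelMatch(host, trusted));
    }

    // An empty trusted value: the suffix test accepts any host, the label test none.
    System.out.printf("%-32s %-8b %-8b%n",
        "(empty trusted domain)",
        suffixMatch("node1.other.test", ""), labelMatch("node1.other.test", ""));
  }
}
```

The stricter comparison only tightens the string match; the host name it receives still comes from resolving the peer address.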


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-31 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252014&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252014
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 31/May/19 19:48
Start Date: 31/May/19 19:48
Worklog Time Spent: 10m 
  Work Description: prasanthj commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289528707
 
 

 ##
 File path: 
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
 ##
 @@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request, 
HttpServletResponse response)
   return;
 }
   }
-  // If the cookie based authentication is already enabled, parse the
-  // request and validate the request cookies.
-  if (isCookieAuthEnabled) {
-clientUserName = validateCookie(request);
-requireNewCookie = (clientUserName == null);
-if (requireNewCookie) {
-  LOG.info("Could not validate cookie sent, will try to generate a new 
cookie");
-}
-  }
-  // If the cookie based authentication is not enabled or the request does
-  // not have a valid cookie, use the kerberos or password based 
authentication
-  // depending on the server setup.
-  if (clientUserName == null) {
-// For a kerberos setup
-if (isKerberosAuthMode(authType)) {
-  String delegationToken = 
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
-  // Each http request must have an Authorization header
-  if ((delegationToken != null) && (!delegationToken.isEmpty())) {
-clientUserName = doTokenAuth(request, response);
-  } else {
-clientUserName = doKerberosAuth(request);
+
+  clientIpAddress = request.getRemoteAddr();
+  LOG.debug("Client IP Address: " + clientIpAddress);
+  String trustedDomain = HiveConf.getVar(hiveConf, 
ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim();
+
+  // Skip authentication if the connection is from the trusted domain
+  if (!trustedDomain.isEmpty() &&
+  PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(), 
trustedDomain)) {
+LOG.info("No authentication performed because the connecting host " + 
request.getRemoteHost() +
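Review bot: The LOG.info on the no-authentication path in doPost logs request.getRemoteHost(); the statement is cut off here, but if clientIpAddress (captured a few lines above) and the user name the session is opened as are not part of it, add them so the audit trail shows the address the name was resolved from and the identity that was accepted unverified. Separately, HiveConf.getVar(hiveConf, ConfVars.HIVE_SERVER2_TRUST_DOMAIN) is read and trimmed on every POST; reading it once when the servlet is initialised avoids the per-request lookup.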
 
 Review comment:
   We can only support this for non-kerberos auth mode (password based) and 
look for "Authorization: Basic" header. Extract the username and discard the 
password. If cookie comes along with the request, we can use the username from 
the cookie.
   
   My understanding here is that, a new request comes in with "Authorization: 
Basic" header, we trust the domain, extract the username from auth header, 
generate a cookie and respond with cookie. If a new request comes back with the 
cookie, validate the cookie, extract the user name and we are done.
   
   We should set the expectation from clients here in the config description 
(whether clients should send basic auth header and that password will be used 
if not from trusted domain and for trusted domains password will be discarded).
 



Issue Time Tracking
---

Worklog Id: (was: 252014)
Time Spent: 2h 20m  (was: 2h 10m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-31 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=251856&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-251856
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 31/May/19 16:14
Start Date: 31/May/19 16:14
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289455198
 
 

 ##
 File path: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
 ##
 @@ -3468,6 +3468,10 @@ private static void 
populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "  (Use with property 
hive.server2.custom.authentication.class)\n" +
 "  PAM: Pluggable authentication module\n" +
 "  NOSASL:  Raw transport"),
+HIVE_SERVER2_TRUST_DOMAIN("hive.server2.trust.domain", "",
 
 Review comment:
   Maybe we should call this trusted.domain (to be consistent with code)
 



Issue Time Tracking
---

Worklog Id: (was: 251856)
Time Spent: 2h 10m  (was: 2h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-31 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=251854&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-251854
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 31/May/19 16:14
Start Date: 31/May/19 16:14
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289455006
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -65,16 +70,65 @@ public static TTransportFactory 
getPlainTransportFactory(String authTypeStr)
 return saslFactory;
   }
 
+  static TTransportFactory getDualPlainTransportFactory(TTransportFactory 
otherTrans,
+String trustedDomain)
+  throws LoginException {
+LOG.info("Created additional transport factory for skipping authentication 
when client " +
+"connection is from the same domain.");
+return new DualSaslTransportFactory(otherTrans, trustedDomain);
+  }
+
   public static TTransport getPlainTransport(String username, String password,
 TTransport underlyingTransport) throws SaslException {
 return new TSaslClientTransport("PLAIN", null, null, null, new 
HashMap(),
   new PlainCallbackHandler(username, password), underlyingTransport);
   }
 
+  // Return true if the remote host is from the trusted domain, i.e. host URL 
has the same
+  // suffix as the trusted domain.
+  static public boolean isHostFromTrustedDomain(String remoteHost, String 
trustedDomain) {
+return remoteHost.endsWith(trustedDomain);
+  }
+
   private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  static final class DualSaslTransportFactory extends TTransportFactory {
+TTransportFactory otherFactory;
+TTransportFactory noAuthFactory;
+String trustedDomain;
+
+DualSaslTransportFactory(TTransportFactory otherFactory, String 
trustedDomain)
+throws LoginException {
+  this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+  this.otherFactory = otherFactory;
+  this.trustedDomain = trustedDomain;
+}
+
+@Override
+public TTransport getTransport(final TTransport trans) {
+  TSocket tSocket = null;
+  // Attempt to avoid authentication if only we can fetch the client IP 
address and it
+  // happens to be from the same domain as the server.
+  if (trans instanceof TSocket) {
+tSocket = (TSocket) trans;
+  } else if (trans instanceof TSaslServerTransport) {
+TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
+tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
+  }
+  String remoteHost = tSocket != null ?
+  tSocket.getSocket().getInetAddress().getCanonicalHostName() : 
null;
+  if (remoteHost != null && isHostFromTrustedDomain(remoteHost, 
trustedDomain)) {
+LOG.info("No authentication performed because the connecting host " + 
remoteHost + " is " +
+"from the trusted domain " + trustedDomain);
+return noAuthFactory.getTransport(trans);
+  } else {
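
Review bot: isHostFromTrustedDomain compares with remoteHost.endsWith(trustedDomain), which matches raw characters rather than DNS labels, so with trustedDomain set to x.example.com a host named notx.example.com also passes. Require either equality or a "." immediately before the suffix, and compare case-insensitively, since host names are case-insensitive and endsWith is not.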
 
 Review comment:
   We don't need this else block. Just return the 
otherFactory.getTransport(trans)
 



Issue Time Tracking
---

Worklog Id: (was: 251854)
Time Spent: 1h 50m  (was: 1h 40m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-31 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=251855&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-251855
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 31/May/19 16:14
Start Date: 31/May/19 16:14
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289455397
 
 

 ##
 File path: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
 ##
 @@ -3468,6 +3468,10 @@ private static void 
populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 "  (Use with property 
hive.server2.custom.authentication.class)\n" +
 "  PAM: Pluggable authentication module\n" +
 "  NOSASL:  Raw transport"),
+HIVE_SERVER2_TRUST_DOMAIN("hive.server2.trust.domain", "",
+"Specifies the host or a domain to trust connections from. 
Authentication is skipped " +
+"for any connection coming from this domain or the host. 
By default it is " +
+"empty, which means that all the connections to 
HiveServer2 are authenticated."),
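
Review bot: the new description says authentication is skipped, but it does not tell an operator that this applies regardless of which of the modes listed in the context lines above (PAM, NOSASL, custom class) is configured, i.e. matching hosts get NONE-style handling, as the issue text puts it. Spell that out in the help string, and say how the value is compared, since "the host or a domain" leaves open whether it is an exact name or a suffix.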
 
 Review comment:
   Explaining the logic that this property provides a suffix (for endswith 
check) rather than requiring an exact host name, could help.
 



Issue Time Tracking
---

Worklog Id: (was: 251855)
Time Spent: 2h  (was: 1h 50m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
> Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>  Time Spent: 2h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-30 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=250868&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-250868
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 30/May/19 09:54
Start Date: 30/May/19 09:54
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288928695
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
 
 Review comment:
   Not sure. Let me try not using public.
 



Issue Time Tracking
---

Worklog Id: (was: 250868)
Time Spent: 1h 20m  (was: 1h 10m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-30 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=250870&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-250870
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 30/May/19 09:54
Start Date: 30/May/19 09:54
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288928865
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
+TTransportFactory otherFactory;
+TTransportFactory noAuthFactory;
+String hiveHost;
+
+public DualSaslTransportFactory(TTransportFactory otherFactory, String 
hiveHost)
+throws LoginException {
+  this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+  this.otherFactory = otherFactory;
+  this.hiveHost = hiveHost;
+}
+
+// Return true if the IP address is from the same domain as the server.
+private boolean isSameDomainConnection(InetAddress remoteInetAddress) {
+  String[] hiveHostSplit = null;
+  if (hiveHost != null) {
+hiveHostSplit = hiveHost.split("\\.");
+  }
+
+  String clientHostName = remoteInetAddress.getCanonicalHostName();
+  String[] clientHostSplit = null;
+  if (clientHostName != null) {
+clientHostSplit = clientHostName.split("\\.");
+  }
+
+  // TODO: the callers should also pass the server address or obtain in by 
using some other
+  //  method. Then check whether the connection's remote address is from 
the same domain as
+  //  the server. For now, for the sake of testing, return true. We need 
to understand what
+  //  exactly it means to have connection from the same domain.
+  // For now, two hosts are in the same domain if the last two parts in 
their hostname are same.
+  if (hiveHostSplit.length >= 2 && clientHostSplit.length >= 2) {
+if (hiveHostSplit[0] != null && 
hiveHostSplit[0].equalsIgnoreCase(clientHostSplit[0]) &&
+hiveHostSplit[1] != null && 
hiveHostSplit[1].equalsIgnoreCase(clientHostSplit[1])) {
+  return true;
+}
+  }
+
+  return false;
+}
+
+@Override
+public TTransport getTransport(final TTransport trans) {
+  TSocket tSocket = null;
+  // Attempt to avoid authentication if only we can fetch the client IP 
address and it
+  // happens to be from the same domain as the server.
+  if (trans instanceof TSocket) {
+tSocket = (TSocket) trans;
+  } else if (trans instanceof TSaslServerTransport) {
+TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
+tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
+  }
+  InetAddress remoteAddress = tSocket != null ? 
tSocket.getSocket().getInetAddress() : null;
+  if (remoteAddress != null && isSameDomainConnection(remoteAddress)) {
+LOG.info("No authentication performed because the client connection is 
from the same " +
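
Review bot: in getTransport, the else-if branch casts saslTrans.getUnderlyingTransport() to TSocket without checking its type, so a TSaslServerTransport wrapped around any other transport throws ClassCastException instead of falling back to the authenticated path. Guard the cast with instanceof and leave tSocket null otherwise, which the "tSocket != null ?" test on the next statement already handles.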
 
 Review comment:
   Done.
 



Issue Time Tracking
---

Worklog Id: (was: 250870)
Time Spent: 1h 40m  (was: 1.5h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-30 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=250869&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-250869
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 30/May/19 09:54
Start Date: 30/May/19 09:54
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288928805
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
+TTransportFactory otherFactory;
+TTransportFactory noAuthFactory;
+String hiveHost;
+
+public DualSaslTransportFactory(TTransportFactory otherFactory, String 
hiveHost)
+throws LoginException {
+  this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+  this.otherFactory = otherFactory;
+  this.hiveHost = hiveHost;
+}
+
+// Return true if the IP address is from the same domain as the server.
+private boolean isSameDomainConnection(InetAddress remoteInetAddress) {
+  String[] hiveHostSplit = null;
+  if (hiveHost != null) {
+hiveHostSplit = hiveHost.split("\\.");
+  }
+
+  String clientHostName = remoteInetAddress.getCanonicalHostName();
+  String[] clientHostSplit = null;
+  if (clientHostName != null) {
+clientHostSplit = clientHostName.split("\\.");
+  }
+
+  // TODO: the callers should also pass the server address or obtain in by 
using some other
+  //  method. Then check whether the connection's remote address is from 
the same domain as
+  //  the server. For now, for the sake of testing, return true. We need 
to understand what
+  //  exactly it means to have connection from the same domain.
+  // For now, two hosts are in the same domain if the last two parts in 
their hostname are same.
+  if (hiveHostSplit.length >= 2 && clientHostSplit.length >= 2) {
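
Review bot: the length check on the last visible line dereferences hiveHostSplit and clientHostSplit, but both are still null when hiveHost or clientHostName is null, because the two if blocks above only assign on the non-null path. Return false early in those cases so that a missing host name means "authenticate normally" rather than a NullPointerException on the connection path.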
 
 Review comment:
   As per the latest approach, the trusted domain will be configured and thus 
we do not rely on hivehost to know the trusted domain.
 



Issue Time Tracking
---

Worklog Id: (was: 250869)
Time Spent: 1.5h  (was: 1h 20m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-30 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=250864&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-250864
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 30/May/19 09:48
Start Date: 30/May/19 09:48
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288927071
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -65,6 +70,15 @@ public static TTransportFactory 
getPlainTransportFactory(String authTypeStr)
 return saslFactory;
   }
 
+  public static TTransportFactory 
getDualPlainTransportFactory(TTransportFactory otherTrans,
+   String hiveHost)
+  throws LoginException {
+LOG.info("Created additional transport factory for skipping authentication 
when client " +
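
Review bot: the LOG.info in getDualPlainTransportFactory announces that authentication will be skipped for some clients but, as far as the visible lines show, does not include the hiveHost value that defines which clients those are. Log the value here so the effective trust scope can be read from the server log at startup.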
 
 Review comment:
   As per the latest approach, the trusted domain will be configured and thus 
we do not rely on hivehost to know the trusted domain. So hiveHost won't be 
passed.
 



Issue Time Tracking
---

Worklog Id: (was: 250864)
Time Spent: 1h 10m  (was: 1h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-30 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=250862&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-250862
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 30/May/19 09:47
Start Date: 30/May/19 09:47
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288926619
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
 ##
 @@ -123,7 +123,7 @@ public HiveAuthFactory(HiveConf conf) throws 
TTransportException {
 return saslProps;
   }
 
-  public TTransportFactory getAuthTransFactory() throws LoginException {
+  public TTransportFactory getAuthTransFactory(String hiveHost) throws 
LoginException {
 
 Review comment:
   As per the latest approach, the trusted domain will be configured and thus 
we do not rely on hivehost to know the trusted domain.
 



Issue Time Tracking
---

Worklog Id: (was: 250862)
Time Spent: 1h  (was: 50m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-28 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249811&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249811
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 29/May/19 04:44
Start Date: 29/May/19 04:44
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288391312
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
+TTransportFactory otherFactory;
+TTransportFactory noAuthFactory;
+String hiveHost;
+
+public DualSaslTransportFactory(TTransportFactory otherFactory, String 
hiveHost)
+throws LoginException {
+  this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+  this.otherFactory = otherFactory;
+  this.hiveHost = hiveHost;
+}
+
+// Return true if the IP address is from the same domain as the server.
+private boolean isSameDomainConnection(InetAddress remoteInetAddress) {
+  String[] hiveHostSplit = null;
+  if (hiveHost != null) {
+hiveHostSplit = hiveHost.split("\\.");
+  }
+
+  String clientHostName = remoteInetAddress.getCanonicalHostName();
+  String[] clientHostSplit = null;
+  if (clientHostName != null) {
+clientHostSplit = clientHostName.split("\\.");
+  }
+
+  // TODO: the callers should also pass the server address or obtain in by 
using some other
+  //  method. Then check whether the connection's remote address is from 
the same domain as
+  //  the server. For now, for the sake of testing, return true. We need 
to understand what
+  //  exactly it means to have connection from the same domain.
+  // For now, two hosts are in the same domain if the last two parts in 
their hostname are same.
+  if (hiveHostSplit.length >= 2 && clientHostSplit.length >= 2) {
+if (hiveHostSplit[0] != null && 
hiveHostSplit[0].equalsIgnoreCase(clientHostSplit[0]) &&
+hiveHostSplit[1] != null && 
hiveHostSplit[1].equalsIgnoreCase(clientHostSplit[1])) {
+  return true;
+}
+  }
+
+  return false;
+}
+
+@Override
+public TTransport getTransport(final TTransport trans) {
+  TSocket tSocket = null;
+  // Attempt to avoid authentication if only we can fetch the client IP 
address and it
+  // happens to be from the same domain as the server.
+  if (trans instanceof TSocket) {
+tSocket = (TSocket) trans;
+  } else if (trans instanceof TSaslServerTransport) {
+TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
+tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
+  }
+  InetAddress remoteAddress = tSocket != null ? 
tSocket.getSocket().getInetAddress() : null;
+  if (remoteAddress != null && isSameDomainConnection(remoteAddress)) {
+LOG.info("No authentication performed because the client connection is 
from the same " +
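
Review bot: the comment in isSameDomainConnection says two hosts are in the same domain when the last two parts of their host names match, but the comparison reads hiveHostSplit[0] and hiveHostSplit[1], which are the first two labels of each name, not the domain suffix. Index from the end of each array (length - 1 and length - 2) so the code does what the comment states.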
 
 Review comment:
   Thejas's comment: Add host name of remoteAddress also in the LOG.info output.
 



Issue Time Tracking
---

Worklog Id: (was: 249811)
Time Spent: 50m  (was: 40m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-28 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249455&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249455
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 28/May/19 16:18
Start Date: 28/May/19 16:18
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288187467
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
 ##
 @@ -123,7 +123,7 @@ public HiveAuthFactory(HiveConf conf) throws 
TTransportException {
 return saslProps;
   }
 
-  public TTransportFactory getAuthTransFactory() throws LoginException {
+  public TTransportFactory getAuthTransFactory(String hiveHost) throws 
LoginException {
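
Review bot: adding a required String parameter to the public getAuthTransFactory() changes the signature for every existing caller. The hunk header shows that HiveAuthFactory is constructed with a HiveConf, so the value could be captured in the constructor instead and the method signature left as it was.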
 
 Review comment:
   hiveHost is the host name of HS2. We could either automatically detect this 
or we could rename this to "validDomain" as we really just specify here, what 
we use to check against with incoming requests.
 



Issue Time Tracking
---

Worklog Id: (was: 249455)
Time Spent: 40m  (was: 0.5h)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.





[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-28 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249453&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249453
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 28/May/19 16:18
Start Date: 28/May/19 16:18
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288188546
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
+TTransportFactory otherFactory;
+TTransportFactory noAuthFactory;
+String hiveHost;
+
+public DualSaslTransportFactory(TTransportFactory otherFactory, String 
hiveHost)
+throws LoginException {
+  this.noAuthFactory = 
getPlainTransportFactory(AuthMethods.NONE.toString());
+  this.otherFactory = otherFactory;
+  this.hiveHost = hiveHost;
+}
+
+// Return true if the IP address is from the same domain as the server.
+private boolean isSameDomainConnection(InetAddress remoteInetAddress) {
+  String[] hiveHostSplit = null;
+  if (hiveHost != null) {
+hiveHostSplit = hiveHost.split("\\.");
+  }
+
+  String clientHostName = remoteInetAddress.getCanonicalHostName();
+  String[] clientHostSplit = null;
+  if (clientHostName != null) {
+clientHostSplit = clientHostName.split("\\.");
+  }
+
+  // TODO: the callers should also pass the server address or obtain in by 
using some other
+  //  method. Then check whether the connection's remote address is from 
the same domain as
+  //  the server. For now, for the sake of testing, return true. We need 
to understand what
+  //  exactly it means to have connection from the same domain.
+  // For now, two hosts are in the same domain if the last two parts in 
their hostname are same.
+  if (hiveHostSplit.length >= 2 && clientHostSplit.length >= 2) {
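
Review bot: the TODO block in isSameDomainConnection still says "For now, for the sake of testing, return true" and is immediately followed by a second comment describing a real comparison, so the two contradict each other. Drop the stale TODO and keep one comment that states the rule actually implemented, since this is the only written definition of "same domain" for a path that skips authentication.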
 
 Review comment:
   We should check all parts of the hiveHostSplit. So, if hiveHostSplit 
(provided via config) is something like x.example.com, we should ensure that 
(only) everything below x.example.com (i.e. das.x.example.com) qualifies 
instead of checking just the top two levels (which are probably always cloudera 
and com at the final DWX deployment).
 



Issue Time Tracking
---

Worklog Id: (was: 249453)
Time Spent: 0.5h  (was: 20m)

> Avoid authentication for connection from the same domain
> 
>
> Key: HIVE-21783
> URL: https://issues.apache.org/jira/browse/HIVE-21783
> Project: Hive
>  Issue Type: New Feature
>  Components: HiveServer2
>Reporter: Ashutosh Bapat
>Assignee: Ashutosh Bapat
>Priority: Major
>  Labels: pull-request-available
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. 
> This is similar to NONE authentication but only for the connection from the 
> same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
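
Added example, not part of this thread or of the Hive code base: a label-aware version of the check the review comment above asks for, where only x.example.com and names below it qualify. The class name TrustedDomainMatcher and the helpers normalize and looksLikeIpLiteral are hypothetical; the host names in main are constructed sample input.

```java
import java.util.Locale;

// Added example (not Hive code): suffix match on whole DNS labels.
public final class TrustedDomainMatcher {

  private TrustedDomainMatcher() {}

  // Lower-case, trim, and drop one trailing and one leading dot.
  // Returns null when nothing usable is left.
  static String normalize(String name) {
    if (name == null) {
      return null;
    }
    String n = name.trim().toLowerCase(Locale.ROOT);
    if (n.endsWith(".")) {
      n = n.substring(0, n.length() - 1);
    }
    if (n.startsWith(".")) {
      n = n.substring(1);
    }
    return n.isEmpty() ? null : n;
  }

  // InetAddress.getCanonicalHostName() returns the textual address when the
  // lookup fails, so an address literal means "no host name available".
  static boolean looksLikeIpLiteral(String host) {
    return host.indexOf(':') >= 0 || host.matches("[0-9.]+");
  }

  // True only if remoteHost equals trustedDomain or is a name below it.
  static boolean isHostFromTrustedDomain(String remoteHost, String trustedDomain) {
    String host = normalize(remoteHost);
    String domain = normalize(trustedDomain);
    if (host == null || domain == null) {
      return false; // empty or missing configuration keeps authentication on
    }
    if (looksLikeIpLiteral(host)) {
      return false; // no resolved name to compare against
    }
    // The "." forces the match to start at a label boundary.
    return host.equals(domain) || host.endsWith("." + domain);
  }

  private static void check(String host, String domain, boolean expected) {
    boolean actual = isHostFromTrustedDomain(host, domain);
    System.out.printf("%-22s vs %-18s -> %s%n", host, "\"" + domain + "\"", actual);
    if (actual != expected) {
      throw new AssertionError("unexpected result for " + host + " vs " + domain);
    }
  }

  public static void main(String[] args) {
    String domain = "x.example.com"; // constructed sample value

    check("das.x.example.com", domain, true);   // below the trusted domain
    check("x.example.com", domain, true);       // the trusted host itself
    check("DAS.X.Example.COM.", domain, true);  // case and trailing dot ignored
    check("notx.example.com", domain, false);   // plain endsWith() would accept this
    check("example.com", domain, false);        // parent domain is not trusted
    check("10.1.2.3", domain, false);           // address literal, lookup failed
    check(null, domain, false);                 // no host name at all
    check("das.x.example.com", "", false);      // empty setting trusts nobody
    check("das.x.example.com", ".x.example.com", true); // leading dot tolerated
  }
}
```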


[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-28 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249454&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249454
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 28/May/19 16:18
Start Date: 28/May/19 16:18
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288185698
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -75,6 +89,70 @@ private PlainSaslHelper() {
 throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  public static final class DualSaslTransportFactory extends TTransportFactory 
{
 
 Review comment:
   Does this need to be public?
 



Issue Time Tracking
---

Worklog Id: (was: 249454)
Time Spent: 0.5h  (was: 20m)



[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-28 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249452&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249452
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 28/May/19 16:18
Start Date: 28/May/19 16:18
Worklog Time Spent: 10m 
  Work Description: odraese commented on pull request #648: HIVE-21783: 
Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r288186125
 
 

 ##
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##
 @@ -65,6 +70,15 @@ public static TTransportFactory 
getPlainTransportFactory(String authTypeStr)
 return saslFactory;
   }
 
+  public static TTransportFactory 
getDualPlainTransportFactory(TTransportFactory otherTrans,
+   String hiveHost)
+  throws LoginException {
+LOG.info("Created additional transport factory for skipping authentication 
when client " +
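Review bot: `hiveHost` arrives as a plain `String` and the first statement of `getDualPlainTransportFactory` is the `LOG.info(...)` call, so nothing in the visible lines rejects a null or empty host before the factory "for skipping authentication" is created. If the same-domain decision is derived from this value (an assumption, since the derivation is not in this hunk), a bad value should fail closed: throw, for example an `IllegalArgumentException`, rather than return a factory. The method is also public without Javadoc; document what `otherTrans` is expected to be and when `LoginException` is thrown.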
 
 Review comment:
   Maybe we should perform a validation of the input parameters (not null, not 
empty host string) here?
 



Issue Time Tracking
---

Worklog Id: (was: 249452)
Time Spent: 20m  (was: 10m)



[jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain

2019-05-27 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=249093&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249093
 ]

ASF GitHub Bot logged work on HIVE-21783:
-

Author: ASF GitHub Bot
Created on: 28/May/19 04:24
Start Date: 28/May/19 04:24
Worklog Time Spent: 10m 
  Work Description: ashutosh-bapat commented on pull request #648: 
HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648
 
 
   
 



Issue Time Tracking
---

Worklog Id: (was: 249093)
Time Spent: 10m
Remaining Estimate: 0h
