[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[
https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=726145=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-726145
]
ASF GitHub Bot logged work on HIVE-25875:
-
Author: ASF GitHub Bot
Created on: 14/Feb/22 07:06
Start Date: 14/Feb/22 07:06
Worklog Time Spent: 10m
Work Description: saihemanth-cloudera closed pull request #2954:
URL: https://github.com/apache/hive/pull/2954
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
---
Worklog Id: (was: 726145)
Time Spent: 1h 10m (was: 1h)
> Support multiple authentication mechanisms simultaneously
> --
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
>Affects Versions: 3.1.0
>Reporter: Naveen Gangam
>Assignee: Sai Hemanth Gantasala
>Priority: Major
> Labels: pull-request-available
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of
> HiveServer2. Hive should be able to support multiple auth mechanisms on a
> single instance especially with http transport. for example, LDAP and SAML.
> In both cases, HS2 ends up with receiving an Authorization header in the
> request.
> Similarly, we could be able to support JWT support or other forms of boundary
> authentication that is done outside of Hive (This is not in the scope of this
> jira).
> *The current scope of the Jira:* Support SAML and LDAP authentication modes
> simultaneously when the transport mode is set to *HTTP.* This multi-auth will
> not work when transport mode is set to {_}binary or all{_}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[
https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=720036=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-720036
]
ASF GitHub Bot logged work on HIVE-25875:
-
Author: ASF GitHub Bot
Created on: 03/Feb/22 11:21
Start Date: 03/Feb/22 11:21
Worklog Time Spent: 10m
Work Description: nrg4878 commented on pull request #2954:
URL: https://github.com/apache/hive/pull/2954#issuecomment-1028883535
Fix has been merged to master. Please close the PR.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
---
Worklog Id: (was: 720036)
Time Spent: 1h (was: 50m)
> Support multiple authentication mechanisms simultaneously
> --
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
>Affects Versions: 3.1.0
>Reporter: Naveen Gangam
>Assignee: Sai Hemanth Gantasala
>Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of
> HiveServer2. Hive should be able to support multiple auth mechanisms on a
> single instance especially with http transport. for example, LDAP and SAML.
> In both cases, HS2 ends up with receiving an Authorization header in the
> request.
> Similarly, we could be able to support JWT support or other forms of boundary
> authentication that is done outside of Hive (This is not in the scope of this
> jira).
> *The current scope of the Jira:* Support SAML and LDAP authentication modes
> simultaneously when the transport mode is set to *HTTP.* This multi-auth will
> not work when transport mode is set to {_}binary or all{_}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[
https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=719590=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-719590
]
ASF GitHub Bot logged work on HIVE-25875:
-
Author: ASF GitHub Bot
Created on: 02/Feb/22 19:26
Start Date: 02/Feb/22 19:26
Worklog Time Spent: 10m
Work Description: nrg4878 commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r797943031
##
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
// check if this request needs a SAML redirect
-if (needsRedirect(request, response)) {
+String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+if ((authHeader == null || authHeader.isEmpty()) &&
needsRedirect(request, response)) {
doSamlRedirect(request, response);
return;
+} else
if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+ //LDAP Authentication if the header starts with Basic
+ clientUserName = doPasswdAuth(request,
HiveAuthConstants.AuthTypes.NONE.toString());
Review comment:
@hsnusonic to answer your question, yes. This should be the first check
in the authentication process. We dont expect this trust header to exist in
many scenarios. Sai will be looking to rearrange the code upstream.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
---
Worklog Id: (was: 719590)
Time Spent: 50m (was: 40m)
> Support multiple authentication mechanisms simultaneously
> --
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
>Affects Versions: 3.1.0
>Reporter: Naveen Gangam
>Assignee: Sai Hemanth Gantasala
>Priority: Major
> Labels: pull-request-available
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of
> HiveServer2. Hive should be able to support multiple auth mechanisms on a
> single instance especially with http transport. for example, LDAP and SAML.
> In both cases, HS2 ends up with receiving an Authorization header in the
> request.
> Similarly, we could be able to support JWT support or other forms of boundary
> authentication that is done outside of Hive (This is not in the scope of this
> jira).
> *The current scope of the Jira:* Support SAML and LDAP authentication modes
> simultaneously when the transport mode is set to *HTTP.* This multi-auth will
> not work when transport mode is set to {_}binary or all{_}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[
https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=719026=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-719026
]
ASF GitHub Bot logged work on HIVE-25875:
-
Author: ASF GitHub Bot
Created on: 01/Feb/22 21:46
Start Date: 01/Feb/22 21:46
Worklog Time Spent: 10m
Work Description: nrg4878 commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r797056288
##
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
// check if this request needs a SAML redirect
-if (needsRedirect(request, response)) {
+String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+if ((authHeader == null || authHeader.isEmpty()) &&
needsRedirect(request, response)) {
doSamlRedirect(request, response);
return;
+} else
if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+ //LDAP Authentication if the header starts with Basic
+ clientUserName = doPasswdAuth(request,
HiveAuthConstants.AuthTypes.NONE.toString());
Review comment:
so HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER is for scenarios when the
authentication is performed at a boundary service like knox/sidecars etc. After
the auth is performed, the authenticator will add this TRUST header into the
request and along with the username and forward the request to the service.
HS2 will trust that the authentication has already been done and relies on
it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
---
Worklog Id: (was: 719026)
Time Spent: 40m (was: 0.5h)
> Support multiple authentication mechanisms simultaneously
> --
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
>Affects Versions: 3.1.0
>Reporter: Naveen Gangam
>Assignee: Sai Hemanth Gantasala
>Priority: Major
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of
> HiveServer2. Hive should be able to support multiple auth mechanisms on a
> single instance especially with http transport. for example, LDAP and SAML.
> In both cases, HS2 ends up with receiving an Authorization Header in the
> request. Similarly we could be able to support JWT support or other forms of
> boundary authentication that is done outside of Hive.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[
https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=719020=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-719020
]
ASF GitHub Bot logged work on HIVE-25875:
-
Author: ASF GitHub Bot
Created on: 01/Feb/22 21:43
Start Date: 01/Feb/22 21:43
Worklog Time Spent: 10m
Work Description: nrg4878 commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r797053517
##
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
Review comment:
so we have had trouble supporting kerberos + other forms of
authentication in parallel. So the plan is to NOT support parallel auth forms
when it is KERBEROS.
Initially, in http mode, it will be LDAP/SAML/JWT in parallel.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
---
Worklog Id: (was: 719020)
Time Spent: 0.5h (was: 20m)
> Support multiple authentication mechanisms simultaneously
> --
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
>Affects Versions: 3.1.0
>Reporter: Naveen Gangam
>Assignee: Sai Hemanth Gantasala
>Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of
> HiveServer2. Hive should be able to support multiple auth mechanisms on a
> single instance especially with http transport. for example, LDAP and SAML.
> In both cases, HS2 ends up with receiving an Authorization Header in the
> request. Similarly we could be able to support JWT support or other forms of
> boundary authentication that is done outside of Hive.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[
https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=718941=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-718941
]
ASF GitHub Bot logged work on HIVE-25875:
-
Author: ASF GitHub Bot
Created on: 01/Feb/22 19:52
Start Date: 01/Feb/22 19:52
Worklog Time Spent: 10m
Work Description: hsnusonic commented on a change in pull request #2954:
URL: https://github.com/apache/hive/pull/2954#discussion_r796941624
##
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
Review comment:
If `authType` contains `"KERBEROS"`, then this condition block will
never be executed. Was the plan to support kerberos and SAML in the same time?
##
File path:
service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
##
@@ -214,9 +214,13 @@ protected void doPost(HttpServletRequest request,
HttpServletResponse response)
}
} else if (HiveSamlUtils.isSamlAuthMode(authType)) {
// check if this request needs a SAML redirect
-if (needsRedirect(request, response)) {
+String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
+if ((authHeader == null || authHeader.isEmpty()) &&
needsRedirect(request, response)) {
doSamlRedirect(request, response);
return;
+} else
if(authHeader.toLowerCase().startsWith(HttpAuthUtils.BASIC.toLowerCase())) {
+ //LDAP Authentication if the header starts with Basic
+ clientUserName = doPasswdAuth(request,
HiveAuthConstants.AuthTypes.NONE.toString());
Review comment:
Do we need to handle the case that
`HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER` is present?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
---
Worklog Id: (was: 718941)
Time Spent: 20m (was: 10m)
> Support multiple authentication mechanisms simultaneously
> --
>
> Key: HIVE-25875
> URL: https://issues.apache.org/jira/browse/HIVE-25875
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
>Affects Versions: 3.1.0
>Reporter: Naveen Gangam
>Assignee: Sai Hemanth Gantasala
>Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, HS2 supports a single form of auth on any given instance of
> HiveServer2. Hive should be able to support multiple auth mechanisms on a
> single instance especially with http transport. for example, LDAP and SAML.
> In both cases, HS2 ends up with receiving an Authorization Header in the
> request. Similarly we could be able to support JWT support or other forms of
> boundary authentication that is done outside of Hive.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Work logged] (HIVE-25875) Support multiple authentication mechanisms simultaneously
[ https://issues.apache.org/jira/browse/HIVE-25875?focusedWorklogId=711540=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-711540 ] ASF GitHub Bot logged work on HIVE-25875: - Author: ASF GitHub Bot Created on: 19/Jan/22 18:20 Start Date: 19/Jan/22 18:20 Worklog Time Spent: 10m Work Description: saihemanth-cloudera opened a new pull request #2954: URL: https://github.com/apache/hive/pull/2954 ### What changes were proposed in this pull request? Introduction multi-authentication support SAML/LDAP in Hive ### Why are the changes needed? So that users can connect to Hive either using SAML or LDAP concurrently. ### Does this PR introduce _any_ user-facing change? The config: hive.server2.authentication can take comma-separated value SAML,LDAP. Previously it would only take either SAML or LDAP. ### How was this patch tested? Local machine, Remote cluster. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 711540) Remaining Estimate: 0h Time Spent: 10m > Support multiple authentication mechanisms simultaneously > -- > > Key: HIVE-25875 > URL: https://issues.apache.org/jira/browse/HIVE-25875 > Project: Hive > Issue Type: Improvement > Components: HiveServer2 >Affects Versions: 3.1.0 >Reporter: Naveen Gangam >Assignee: Sai Hemanth Gantasala >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > Currently, HS2 supports a single form of auth on any given instance of > HiveServer2. Hive should be able to support multiple auth mechanisms on a > single instance especially with http transport. for example, LDAP and SAML. > In both cases, HS2 ends up with receiving an Authorization Header in the > request. Similarly we could be able to support JWT support or other forms of > boundary authentication that is done outside of Hive. -- This message was sent by Atlassian Jira (v8.20.1#820001)
