[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Puneet Gupta updated LENS-1506: --- Fix Version/s: 2.8 > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Fix For: 2.8 > > Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch, > Lens-1506.4.patch, Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Puneet Gupta updated LENS-1506: --- Resolution: Fixed Status: Resolved (was: Patch Available) > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Fix For: 2.8 > > Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch, > Lens-1506.4.patch, Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: Lens-1506.4.patch > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch, > Lens-1506.4.patch, Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: Lens-1506.3.patch > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch, > Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: Lens-1506.2.patch > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506_patch, > design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: Lens-1506.1.patch > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506.1.patch, Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Status: Patch Available (was: In Progress) attached patch > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506.1.patch, Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: (was: Lens-1506.diff) > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: Lens-1506.diff > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506.diff, Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: Lens-1506_patch > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: Lens-1506_patch, design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: design3.png > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: (was: design3.png) > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (LENS-1506) Kerberos authentication in lens
[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Kailaswar updated LENS-1506: -- Attachment: design3.png > Kerberos authentication in lens > --- > > Key: LENS-1506 > URL: https://issues.apache.org/jira/browse/LENS-1506 > Project: Apache Lens > Issue Type: Improvement > Components: client, driver-hive, python-client, server >Reporter: Ankit Kailaswar >Assignee: Ankit Kailaswar >Priority: Major > Attachments: design3.png > > > Current Lens implementation is broken when we try to enable kerberos > authentication in lens as mentioned at > [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in > following ways, > 1. openSession REST API fails to create new session for user. Currently it > supports only passwd types of authentication. > 2. If the underlying hive driver is running with kerberos authentication then > driver initialization flow to obtain hive transport for hive driver in lens > errors out. Hive server accepts only sasl messages but lens continues using > PLAINSASL. > 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls > (persisting services, all hdfs path in conf etc) fail. > 4. Lens as if now doesnt supports refreshing KDC token before it expires. > Changes required in lens to fully support kerberose authentication are as > follows, > # lens's hive driver must use SASL for all communication in to kerberozied > hive. Current thrift client for hive doesn't support this functionality. > # Lens must refresh KDC ticket before it expires. > # All clients must be authenticated with kerberose authentication before > session creation. > # In kerberos mode all hive driver query should be executed with single > cluster user as "lens". -- This message was sent by Atlassian JIRA (v7.6.3#76005)