prasanthj commented on a change in pull request #648: HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289528707
 
 

 ##########
 File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
 ##########
 @@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request, 
HttpServletResponse response)
           return;
         }
       }
-      // If the cookie based authentication is already enabled, parse the
-      // request and validate the request cookies.
-      if (isCookieAuthEnabled) {
-        clientUserName = validateCookie(request);
-        requireNewCookie = (clientUserName == null);
-        if (requireNewCookie) {
-          LOG.info("Could not validate cookie sent, will try to generate a new 
cookie");
-        }
-      }
-      // If the cookie based authentication is not enabled or the request does
-      // not have a valid cookie, use the kerberos or password based 
authentication
-      // depending on the server setup.
-      if (clientUserName == null) {
-        // For a kerberos setup
-        if (isKerberosAuthMode(authType)) {
-          String delegationToken = 
request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
-          // Each http request must have an Authorization header
-          if ((delegationToken != null) && (!delegationToken.isEmpty())) {
-            clientUserName = doTokenAuth(request, response);
-          } else {
-            clientUserName = doKerberosAuth(request);
+
+      clientIpAddress = request.getRemoteAddr();
+      LOG.debug("Client IP Address: " + clientIpAddress);
+      String trustedDomain = HiveConf.getVar(hiveConf, 
ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim();
+
+      // Skip authentication if the connection is from the trusted domain
+      if (!trustedDomain.isEmpty() &&
+              PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(), 
trustedDomain)) {
+        LOG.info("No authentication performed because the connecting host " + 
request.getRemoteHost() +
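Review bot: The trust decision on the added lines is made on `request.getRemoteHost()`, while the value logged two lines earlier is `request.getRemoteAddr()`, so the debug line does not record the name the bypass was actually granted on; log the remote host next to the IP (a reverse-DNS name and the peer IP can disagree, and behind a proxy both describe the proxy rather than the end client). As far as the visible lines show, the check is also reached before any `isKerberosAuthMode(authType)` branch, whereas the removed block guarded credential handling on that mode first, so the bypass would apply to Kerberos as well as password authentication; consider restricting it to the password-based mode and stating in the `HIVE_SERVER2_TRUST_DOMAIN` description what a client from a trusted domain is still expected to send.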
 
 Review comment:
   We can only support this for non-kerberos auth mode (password based) and 
look for "Authorization: Basic" header. Extract the username and discard the 
password. If a cookie comes along with the request, we can use the username from the cookie.
   
   My understanding here is that, a new request comes in with "Authorization: 
Basic" header, we trust the domain, extract the username from auth header, 
generate a cookie and respond with cookie. If a new request comes back with the 
cookie, validate the cookie, extract the user name and we are done.
   
   We should set the expectation from clients here in the config description 
(whether clients should send basic auth header and that password will be used 
if not from trusted domain and for trusted domains password will be discarded).
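As an added, stand-alone model of the flow described in the comment above (not Hive's code, and not claiming to mirror `PlainSaslHelper.isHostFromTrustedDomain`): a request from the trusted domain supplies `Authorization: Basic`, only the user name is kept, a request from anywhere else must pass password verification, and a validated cookie wins over both. The helper names, the constructed header value and the label-boundary domain match are assumptions.

```python
import base64
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed sample header for "alice:s3cret"; not taken from the PR.
CONSTRUCTED_BASIC = "Basic YWxpY2U6czNjcmV0"

def is_host_from_trusted_domain(remote_host: str, trusted_domain: str) -> bool:
    """Compare on a DNS label boundary, so 'node1.example.com' and
    'example.com' are inside 'example.com' but 'notexample.com' is not.
    Hypothetical helper; it does not claim to mirror Hive's own check."""
    host = remote_host.strip().rstrip(".").lower()
    domain = trusted_domain.strip().rstrip(".").lower()
    if not domain:
        return False  # an empty setting leaves the bypass disabled
    return host == domain or host.endswith("." + domain)

def parse_basic_credentials(auth_header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Authorization: Basic <base64(user:pass)>',
    or None when the header is absent or malformed."""
    if not auth_header:
        return None
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/=]+)", auth_header.strip(), re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def resolve_client_user(headers: Dict[str, str], remote_host: str, trusted_domain: str,
                        cookie_user: Optional[str],
                        check_password: Callable[[str, str], bool]) -> Optional[str]:
    """Decide the client user name for one request, or None if it must be rejected.
    cookie_user is the name from an already-validated cookie, if the client sent one;
    check_password is the server's password authenticator for untrusted hosts."""
    if cookie_user:
        return cookie_user  # a valid cookie short-circuits everything else
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None:
        return None  # clients are expected to send the Basic header either way
    user, password = creds
    if is_host_from_trusted_domain(remote_host, trusted_domain):
        return user  # trusted domain: the password is discarded unverified
    return user if check_password(user, password) else None
```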

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
