prasanthj commented on a change in pull request #648: HIVE-21783: Accept Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289528707
########## File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java ########## 
@@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) return; } } - // If the cookie based authentication is already enabled, parse the - // request and validate the request cookies. - if (isCookieAuthEnabled) { - clientUserName = validateCookie(request); - requireNewCookie = (clientUserName == null); - if (requireNewCookie) { - LOG.info("Could not validate cookie sent, will try to generate a new cookie"); - } - } - // If the cookie based authentication is not enabled or the request does - // not have a valid cookie, use the kerberos or password based authentication - // depending on the server setup. - if (clientUserName == null) { - // For a kerberos setup - if (isKerberosAuthMode(authType)) { - String delegationToken = request.getHeader(HIVE_DELEGATION_TOKEN_HEADER); - // Each http request must have an Authorization header - if ((delegationToken != null) && (!delegationToken.isEmpty())) { - clientUserName = doTokenAuth(request, response); - } else { - clientUserName = doKerberosAuth(request); + + clientIpAddress = request.getRemoteAddr(); + LOG.debug("Client IP Address: " + clientIpAddress); + String trustedDomain = HiveConf.getVar(hiveConf, ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim(); + + // Skip authentication if the connection is from the trusted domain + if (!trustedDomain.isEmpty() && + PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(), trustedDomain)) { + LOG.info("No authentication performed because the connecting host " + request.getRemoteHost() +

Review comment: We can only support this for non-kerberos auth mode (password based) and look for "Authorization: Basic" header. Extract the username and discard the password. If cookie comes along with the request, we can use the username from the cookie. My understanding here is that, a new request comes in with "Authorization: Basic" header, we trust the domain, extract the username from auth header, generate a cookie and respond with cookie.
If a new request comes back with the cookie, validate the cookie, extract the user name and we are done. We should set the expectation from clients here in the config description (whether clients should send basic auth header and that password will be used if not from trusted domain and for trusted domains password will be discarded).
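
Review bot: The added `if` skips authentication based on `request.getRemoteHost()`, which is a name the servlet container derives from a reverse lookup of the peer address (or the address string itself when lookups are disabled), so the trust decision depends on DNS data that the server does not verify in these lines. `clientIpAddress` is already read from `request.getRemoteAddr()` just above but is only logged; consider having the check confirm that the resolved name maps back to that address, or matching on configured address ranges instead of a domain suffix. Behind a load balancer or reverse proxy both values describe the proxy rather than the client, which the description of `HIVE_SERVER2_TRUST_DOMAIN` should state. The visible lines also do not show where `clientUserName` is set on the trusted path, and the condition is not restricted by `authType`, so a Kerberos-mode server would take this branch as well.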