[
https://issues.apache.org/jira/browse/HIVE-17187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16103740#comment-16103740
]
Eric Yang commented on HIVE-17187:
----------------------------------
See [the blog|https://developer.ibm.com/hadoop/2016/05/12/hbase-rest-gateway-security/]
written by IBM about SPNEGO for HBase REST API. This is a good source to
implement SPNEGO properly with doAs calls with service principal instead of
proxy user with SPNEGO credential.
> WebHCat SPNEGO support is incompleted
> -------------------------------------
>
> Key: HIVE-17187
> URL: https://issues.apache.org/jira/browse/HIVE-17187
> Project: Hive
> Issue Type: Bug
> Components: WebHCat
> Affects Versions: 1.2.1
> Reporter: Eric Yang
>
> [Some online document|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/spnego_setup_for_webhcat.html]
> describes how to set up WebHCat with SPNEGO support. However, there could be
> multiple services using SPNEGO on the same host. For example, HBase REST API
> can also be set up to use the HTTP principal for SPNEGO support. When the HTTP
> principal is shared among other services, Hadoop proxy user settings cannot
> identify the origin of a doAs call with the HTTP principal, whether it is
> invoked by HBase REST API or WebHCat. Ideally, WebHCat should keep track of
> its own service principal independent of the SPNEGO principal to ensure that
> the SPNEGO principal is only given authentication access. The SPNEGO principal
> should not be used in proxy user setting to grant authorization access.
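
Added example, not part of the JIRA thread and not Hive or Hadoop code: a simplified Python model of the Hadoop proxy-user check, showing why a rule keyed on the shared HTTP principal cannot tell a WebHCat doAs call from an HBase REST one. The host, realm, group name and the `hcat`/`hbase` service principal names are assumptions made for the illustration.

```python
# Simplified model of Hadoop's proxy-user (impersonation) check; not Hadoop code.
# Principals, hosts and group names below are constructed sample values.

def short_name(principal):
    """Primary component of 'primary/instance@REALM' (simplified name mapping)."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def _allowed(value, candidates):
    """True if the comma-separated rule value is '*' or lists any candidate."""
    entries = {v.strip() for v in value.split(",") if v.strip()}
    return "*" in entries or bool(entries & set(candidates))

def authorize(conf, real_principal, doas_groups, remote_host):
    """May the authenticated caller impersonate a user who is in doas_groups?"""
    prefix = "hadoop.proxyuser.%s." % short_name(real_principal)
    hosts, groups = conf.get(prefix + "hosts"), conf.get(prefix + "groups")
    if hosts is None or groups is None:
        return False  # no proxy-user rule exists for this caller
    return _allowed(hosts, [remote_host]) and _allowed(groups, doas_groups)

HOST = "gw1.example.com"  # one host running both WebHCat and HBase REST

# Setup described in the issue: the SPNEGO principal is also the proxy user.
SHARED = {"hadoop.proxyuser.HTTP.hosts": HOST,
          "hadoop.proxyuser.HTTP.groups": "hive-users"}

# Separation the issue asks for: the rule is keyed by WebHCat's own principal
# ('hcat' is a hypothetical name) and HTTP has no proxy-user rule at all.
SEPARATE = {"hadoop.proxyuser.hcat.hosts": HOST,
            "hadoop.proxyuser.hcat.groups": "hive-users"}

def decisions(conf, callers):
    """Map each service to the proxy-user decision for its doAs call."""
    return {svc: authorize(conf, princ, ["hive-users"], HOST)
            for svc, princ in callers.items()}

def demo():
    http = "HTTP/%s@EXAMPLE.COM" % HOST
    shared = decisions(SHARED, {"webhcat": http, "hbase-rest": http})
    separate = decisions(SEPARATE, {"webhcat": "hcat/%s@EXAMPLE.COM" % HOST,
                                    "hbase-rest": "hbase/%s@EXAMPLE.COM" % HOST,
                                    "spnego-only": http})
    return shared, separate

if __name__ == "__main__":
    for label, result in zip(("shared HTTP", "separate principals"), demo()):
        print(label, result)
```

With the shared rule both services receive the same decision because the check only sees the short name `HTTP`; with separate principals the HTTP identity authenticates callers but carries no impersonation rights.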