Hive / HIVE-4707

Support configurable domain name for HiveServer2 LDAP authentication using Active Directory

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.11.0
    • Fix Version/s: 0.12.0
    • Component/s: HiveServer2
    • Labels: None

      Description

      LDAP providers like Active Directory use a fully qualified user name in user@domain format. For HiveServer2, LDAP auth can be used with Active Directory by passing the userid in that format. This causes the Hive authentication module to return the username in that mangled format. This prohibits LDAP users from being impersonated over secure Hadoop or being reported correctly in audit etc.

      HiveServer2 should support a configurable LDAP domain that is appended to the user name.

      Attachments: HIVE-4707-1.patch (2 kB, Prasad Mujumdar)

        Activity

        Ashutosh Chauhan added a comment -

        This issue has been fixed and released as part of the 0.12 release. If you find further issues, please create a new jira and link it to this one.

        Mikhail Antonov added a comment -

        There's an email thread regarding LDAP auth for OpenLDAP:

        http://osdir.com/ml/general/2013-08/msg42378.html

        Essentially, if baseDN isn't set, then the bind string is formed as follows:

        // setup the security principal
        String bindDN;
        if (baseDN != null) {
            bindDN = "uid=" + user + "," + baseDN;
        } else {
            bindDN = user;
        }

        There should be some configuration allowing people to customize this bind string, for example to use cn= instead of uid=.

        Can provide a patch if wanted.

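        Added example, not code from Hive or from the patch attached to this issue: a small Java class with hypothetical names (LdapPrincipalExample, bindName, canonicalUser) that builds the bind name the way the snippet above describes, with the attribute (uid= or cn=) and the Active Directory domain both configurable, and then canonicalises the authenticated name by stripping only the configured domain, so that impersonation and audit see foo rather than foo@bar.com as the description asks. The decision to leave a foreign domain suffix untouched is a design choice of this example, not something the patch states.

```java
import java.util.Locale;

/**
 * Added example (not Hive's code). Builds the LDAP bind name from a
 * configurable attribute, base DN and domain, and canonicalises the
 * authenticated name so the bare user id is what reaches Hadoop
 * impersonation and audit. All names in this class are hypothetical.
 */
public final class LdapPrincipalExample {

    private final String attribute;   // "uid" or "cn"; assumed to be configurable
    private final String baseDN;      // null when no base DN is configured
    private final String domain;      // e.g. "bar.com"; null when not configured

    public LdapPrincipalExample(String attribute, String baseDN, String domain) {
        this.attribute = (attribute == null || attribute.isEmpty()) ? "uid" : attribute;
        this.baseDN = (baseDN == null || baseDN.isEmpty()) ? null : baseDN;
        this.domain = (domain == null || domain.isEmpty())
                ? null : domain.toLowerCase(Locale.ROOT);
    }

    /** Name sent to the directory in the bind request. */
    public String bindName(String user) {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("empty user name");
        }
        if (baseDN != null) {
            // OpenLDAP style DN bind; the attribute is configurable
            // instead of the hard-coded "uid=" in the snippet above.
            return attribute + "=" + user + "," + baseDN;
        }
        if (domain != null && user.indexOf('@') < 0) {
            // Active Directory style UPN bind: append the configured
            // domain exactly once, so a user who already typed
            // foo@bar.com is not turned into foo@bar.com@bar.com.
            return user + "@" + domain;
        }
        return user;
    }

    /** Name handed to impersonation and audit after a successful bind. */
    public String canonicalUser(String user) {
        if (domain == null || user == null) {
            return user;
        }
        int at = user.indexOf('@');
        if (at < 0) {
            return user;
        }
        String suffix = user.substring(at + 1).toLowerCase(Locale.ROOT);
        // Strip only the configured domain. A different domain is kept
        // visible so audit records show where the user really came from.
        return suffix.equals(domain) ? user.substring(0, at) : user;
    }

    public static void main(String[] args) {
        // Active Directory configuration: no base DN, domain "bar.com" (constructed sample)
        LdapPrincipalExample ad = new LdapPrincipalExample(null, null, "bar.com");
        System.out.println(ad.bindName("foo"));
        System.out.println(ad.bindName("foo@bar.com"));
        System.out.println(ad.canonicalUser("foo@bar.com"));
        System.out.println(ad.canonicalUser("foo@other.org"));

        // OpenLDAP configuration: cn= attribute with a base DN (constructed sample)
        LdapPrincipalExample openldap =
                new LdapPrincipalExample("cn", "ou=people,dc=example,dc=com", null);
        System.out.println(openldap.bindName("foo"));
        System.out.println(openldap.canonicalUser("foo"));
    }
}
```

        Running main shows the two configurations side by side: the AD instance binds as foo@bar.com whether the caller supplied foo or foo@bar.com, and hands foo to impersonation, while foo@other.org passes through unchanged; the OpenLDAP instance binds as cn=foo,ou=people,dc=example,dc=com and, having no domain configured, reports the name as given.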
        Prasad Mujumdar added a comment -

        Thanks Ashutosh!

        Ashutosh Chauhan added a comment -

        Committed to trunk. Thanks, Prasad!

        Ashutosh Chauhan added a comment -

        +1

        Prasad Mujumdar added a comment -

        Ashutosh Chauhan, thanks for the feedback.
        Yes, the mangled name (e.g. foo@bar) works as far as the authentication is concerned. In that case, HiveServer sees the user name as foo@bar instead of foo. That makes supporting things like bridging LDAP authentication with Kerberos impersonation hard. This is a pretty common use case: to have HiveServer2 as a gateway to connect to secure Hadoop using a non-Kerberos authentication mechanism. Due to this username format, you can't make it work with Active Directory.
        Besides, it's a minor usability issue ...

        Ashutosh Chauhan added a comment -

        One option was to use a username like foo@bar.com, i.e., append the domain name to the username, since the only thing the patch does is append the domain to the username. Not saying this is a better approach, but thought you may have already tried this. Did that result in any issue?

        Prasad Mujumdar added a comment -

        Review request on https://reviews.apache.org/r/11793/

          People

          • Assignee: Prasad Mujumdar
          • Reporter: Prasad Mujumdar
          • Votes: 0
          • Watchers: 4
