Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-5155

Support secure proxy user access to HiveServer2

    XMLWordPrintableJSON

Details

    Description

      The HiveServer2 can authenticate a client using via Kerberos and impersonate the connecting user with underlying secure hadoop. This becomes a gateway for a remote client to access secure hadoop cluster. Now this works fine for when the client obtains Kerberos ticket and directly connects to HiveServer2. There's another big use case for middleware tools where the end user wants to access Hive via another server. For example Oozie action or Hue submitting queries or a BI tool server accessing to HiveServer2. In these cases, the third party server doesn't have end user's Kerberos credentials and hence it can't submit queries to HiveServer2 on behalf of the end user.

      This ticket is for enabling proxy access to HiveServer2 for third party tools on behalf of end users. There are two parts of the solution proposed in this ticket:
      1) Delegation token based connection for Oozie (OOZIE-1457)
      This is the common mechanism for Hadoop ecosystem components. Hive Remote Metastore and HCatalog already support this. This is suitable for tool like Oozie that submits the MR jobs as actions on behalf of its client. Oozie already uses similar mechanism for Metastore/HCatalog access.

      2) Direct proxy access for privileged hadoop users
      The delegation token implementation can be a challenge for non-hadoop (especially non-java) components. This second part enables a privileged user to directly specify an alternate session user during the connection. If the connecting user has hadoop level privilege to impersonate the requested userid, then HiveServer2 will run the session as that requested user. For example, user Hue is allowed to impersonate user Bob (via core-site.xml proxy user configuration). Then user Hue can connect to HiveServer2 and specify Bob as session user via a session property. HiveServer2 will verify Hue's proxy user privilege and then impersonate user Bob instead of Hue. This will enable any third party tool to impersonate alternate userid without having to implement delegation token connection.

      Attachments

        1. HIVE-5155.1.patch
          349 kB
          Prasad Suresh Mujumdar
        2. HIVE-5155.2.patch
          349 kB
          Prasad Suresh Mujumdar
        3. HIVE-5155.3.patch
          349 kB
          Prasad Suresh Mujumdar
        4. HIVE-5155.4.patch
          389 kB
          Prasad Suresh Mujumdar
        5. HIVE-5155.5.patch
          389 kB
          Prasad Suresh Mujumdar
        6. HIVE-5155-1-nothrift.patch
          45 kB
          Prasad Suresh Mujumdar
        7. HIVE-5155-noThrift.2.patch
          45 kB
          Prasad Suresh Mujumdar
        8. HIVE-5155-noThrift.4.patch
          43 kB
          Prasad Suresh Mujumdar
        9. HIVE-5155-noThrift.5.patch
          60 kB
          Prasad Suresh Mujumdar
        10. HIVE-5155-noThrift.6.patch
          62 kB
          Prasad Suresh Mujumdar
        11. HIVE-5155-noThrift.7.patch
          82 kB
          Prasad Suresh Mujumdar
        12. HIVE-5155-noThrift.8.patch
          82 kB
          Prasad Suresh Mujumdar
        13. ProxyAuth.java
          12 kB
          Prasad Suresh Mujumdar
        14. ProxyAuth.out
          13 kB
          Prasad Suresh Mujumdar
        15. TestKERBEROS_Hive_JDBC.java
          5 kB
          Shivaraju Gowda

        Issue Links

          blocks

          Sub-task - The sub-task of the issue HIVE-6625 HiveServer2 running in http mode should support trusted proxy access

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. OOZIE-1457 Create a Hive Server 2 action

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HIVE-13169 HiveServer2: Support delegation token based connection when using http transport

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-21247 Webhcat beeline in secure mode

          • Major - Major loss of function.
          • Closed
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-6486 Support secure Subject.doAs() in HiveServer2 JDBC client.

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-6738 HiveServer2 secure Thrift/HTTP needs to accept doAs parameter from proxying intermediary

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link ReviewBoard #13845

          Activity

            People

              prasadm Prasad Suresh Mujumdar
              prasadm Prasad Suresh Mujumdar
              Votes:
              2 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: