HIVE-6486

Support secure Subject.doAs() in HiveServer2 JDBC client.


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.11.0, 0.12.0
    • Fix Version/s: 0.13.0
    • None
    • Release Note:
      Using Kerberos with Pre-Authenticated Subject:
      In the current approach to using Kerberos you need a valid Kerberos ticket in the ticket cache before connecting. This entails a static login (using kinit, a keytab or a ticket cache) and restricts each client to one Kerberos user. These restrictions limit usage in multi-user scenarios and in scenarios where the client wants to log in to the Kerberos KDC programmatically. Using proxy users (see https://issues.apache.org/jira/browse/HIVE-5155 ) is one way to mitigate the multi-user problem. The other way is to use a pre-authenticated Subject (see https://issues.apache.org/jira/browse/HIVE-6486 ). In this method, the Hive JDBC client uses a pre-authenticated Kerberos Subject to authenticate to HiveServer2. To use a pre-authenticated Subject you need the following changes.

      + Add hive-exec*.jar to the classpath in addition to the regular Hive JDBC jars (commons-configuration-1.6.jar and hadoop-core*.jar are not required).
      + Add the auth=kerberos and kerberosAuthType=fromSubject JDBC URL properties in addition to the "principal" URL property.
      + Open the connection inside Subject.doAs().

      The following code snippet illustrates the usage (see the attached TestCase_HIVE-6486.java at https://issues.apache.org/jira/browse/HIVE-6486 for the complete test case):

      import java.security.PrivilegedExceptionAction;
      import java.sql.Connection;
      import java.sql.DriverManager;
      import java.sql.SQLException;
      import javax.security.auth.Subject;

      // Hive JDBC driver class; the original snippet referenced JDBC_DRIVER without defining it.
      static final String JDBC_DRIVER = "org.apache.hive.jdbc.HiveDriver";

      static Connection getConnection(Subject signedOnUserSubject) throws Exception {

          // Everything inside doAs() runs with the pre-authenticated Subject's Kerberos
          // credentials; kerberosAuthType=fromSubject makes the driver use them instead
          // of the process-wide ticket cache.
          Connection conn = Subject.doAs(signedOnUserSubject, new PrivilegedExceptionAction<Connection>() {
              public Connection run() {
                  Connection con = null;
                  String JDBC_DB_URL = "jdbc:hive2://HiveHost:10000/default;principal=hive/localhost.localdomain@EXAMPLE.COM;auth=kerberos;kerberosAuthType=fromSubject";
                  try {
                      Class.forName(JDBC_DRIVER);
                      con = DriverManager.getConnection(JDBC_DB_URL);
                  } catch (SQLException e) {
                      e.printStackTrace();
                  } catch (ClassNotFoundException e) {
                      e.printStackTrace();
                  }
                  return con;
              }
          });

          return conn;
      }

    Description

      HIVE-5155 addresses the problem of Kerberos authentication in a multi-user middleware server by using a proxy user. In this mode the principal used by the middleware server has privileges to impersonate selected users in Hive/Hadoop.

      This enhancement is to support Subject.doAs() authentication in the Hive JDBC layer so that the end user's Kerberos Subject is passed through by the middleware server. With this improvement there is no additional setup on the server to grant proxy privileges to some users, and no need to specify a proxy user in the JDBC client. This version should also be more secure, since it does not require principals with the privileges to impersonate other users in the Hive/Hadoop setup.
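      The following is an added example, not code from this issue, its attachments or the Hive project, showing the multi-user middleware scenario the description contrasts with proxy users: each end user is logged in to the KDC programmatically through JAAS (Krb5LoginModule fed by a CallbackHandler, so no kinit and no shared ticket cache), and the resulting Subject is used inside Subject.doAs() with the auth=kerberos and kerberosAuthType=fromSubject URL properties from the release note. The host hs2.example.com, the service principal, the JAAS entry name "hive-jdbc-user", the user principals and the command-line passwords are constructed assumptions; org.apache.hive.jdbc.HiveDriver is the real Hive JDBC driver class, and the query assumes the current_user() function available in Hive 1.2 and later.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class PerUserHiveClient {

    // Constructed values (assumptions): put the real HiveServer2 host and service principal here.
    private static final String HS2_HOST = "hs2.example.com";
    private static final String HS2_PRINCIPAL = "hive/hs2.example.com@EXAMPLE.COM";
    private static final String JDBC_URL = "jdbc:hive2://" + HS2_HOST + ":10000/default"
            + ";principal=" + HS2_PRINCIPAL
            + ";auth=kerberos;kerberosAuthType=fromSubject";

    /** In-memory JAAS configuration: Krb5LoginModule with credentials supplied by a CallbackHandler. */
    private static final class PasswordJaasConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "false"); // never fall back to the process-wide ticket cache
            options.put("useKeyTab", "false");
            options.put("doNotPrompt", "false");    // let the module ask the handler for the password
            options.put("isInitiator", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /** Authenticates one end user to the KDC programmatically; the returned Subject holds that user's TGT. */
    static Subject loginUser(String userPrincipal, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(userPrincipal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        // "hive-jdbc-user" is an assumed entry name; our Configuration answers it regardless of name.
        LoginContext lc = new LoginContext("hive-jdbc-user", null, handler, new PasswordJaasConfig());
        lc.login();
        return lc.getSubject();
    }

    /** Opens the connection inside doAs(), so the driver authenticates with this user's own TGT. */
    static Connection connectAs(Subject userSubject) throws Exception {
        return Subject.doAs(userSubject, (PrivilegedExceptionAction<Connection>) () -> {
            Class.forName("org.apache.hive.jdbc.HiveDriver");
            return DriverManager.getConnection(JDBC_URL);
        });
    }

    /** Runs a query on behalf of one user; HiveServer2 sees that user's principal, not the middleware's. */
    static String currentUserSeenByServer(Subject userSubject) throws Exception {
        try (Connection conn = connectAs(userSubject);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user()")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Two users served by the same middleware process, each under its own Subject;
        // the middleware's own principal needs no proxy-user privilege in Hive/Hadoop.
        Subject alice = loginUser("alice@EXAMPLE.COM", args[0].toCharArray());
        Subject bob = loginUser("bob@EXAMPLE.COM", args[1].toCharArray());
        System.out.println("alice connects as: " + currentUserSeenByServer(alice));
        System.out.println("bob connects as:   " + currentUserSeenByServer(bob));
        // Drop the TGTs once the sessions end so the credentials do not outlive the users' requests.
        alice.getPrivateCredentials().clear();
        bob.getPrivateCredentials().clear();
    }
}
```

      Because the Subject is passed to doAs() per request, the middleware can keep one Subject per signed-on user and never needs hadoop.proxyuser.* entries on the server, which is the point of the description; the trade-off is that the TGT lives in the Subject's private credentials, so clearing them at session end (or calling LoginContext.logout()) matters as much as the login itself.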

      Attachments

        1. HIVE-6486_Hive0.11.patch (7 kB, Shivaraju Gowda)
        2. HIVE-6486.1.patch (7 kB, Shivaraju Gowda)
        3. HIVE-6486.2.patch (7 kB, Shivaraju Gowda)
        4. HIVE-6486.3.patch (7 kB, Shivaraju Gowda)
        5. TestCase_HIVE-6486.java (4 kB, Shivaraju Gowda)


          People

            Assignee: Shivaraju Gowda (shivshi)
            Reporter: Shivaraju Gowda (shivshi)
            Votes: 2
            Watchers: 10
