HIVE-6486

Support secure Subject.doAs() in HiveServer2 JDBC client.

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.11.0, 0.12.0
    • Fix Version/s: 0.13.0
    • Labels:
      None
    • Release Note:
      Using Kerberos with a Pre-Authenticated Subject:
      In the current approach to Kerberos, the client must hold a valid Kerberos ticket in its ticket cache before connecting. This requires a static login (using kinit, a keytab or a ticket cache) and limits each client process to one Kerberos user. These restrictions limit usage in multi-user scenarios and in scenarios where the client wants to log in to the Kerberos KDC programmatically. Using proxy users (see https://issues.apache.org/jira/browse/HIVE-5155 ) is one way to mitigate the multi-user problem. The other way is to use a pre-authenticated Subject (see https://issues.apache.org/jira/browse/HIVE-6486 ). In this method, the Hive JDBC client uses a pre-authenticated Kerberos Subject to authenticate to HiveServer2. To use a pre-authenticated Subject you will need the following changes.

      + Add hive-exec*.jar to the classpath in addition to the regular Hive JDBC jars (commons-configuration-1.6.jar and hadoop-core*.jar are not required).
      + Add the auth=kerberos and kerberosAuthType=fromSubject JDBC URL properties in addition to the "principal" URL property.
      + Open the connection inside Subject.doAs().

      The following code snippet illustrates the usage (refer to https://issues.apache.org/jira/browse/HIVE-6486 for complete test case):

      import java.security.PrivilegedExceptionAction;
      import java.sql.Connection;
      import java.sql.DriverManager;
      import javax.security.auth.Subject;

      // Hive JDBC driver class; the original snippet referenced JDBC_DRIVER without defining it.
      static final String JDBC_DRIVER = "org.apache.hive.jdbc.HiveDriver";

      // auth=kerberos and kerberosAuthType=fromSubject tell the driver to take the
      // Kerberos credentials from the Subject that is current in doAs(), not from the ticket cache.
      static final String JDBC_DB_URL =
          "jdbc:hive2://HiveHost:10000/default;principal=hive/localhost.localdomain@EXAMPLE.COM;auth=kerberos;kerberosAuthType=fromSubject";

      // Opens a HiveServer2 connection as the already-authenticated user held in signedOnUserSubject.
      // Failures propagate (wrapped in PrivilegedActionException) instead of silently returning null.
      static Connection getConnection(Subject signedOnUserSubject) throws Exception {
          return Subject.doAs(signedOnUserSubject, new PrivilegedExceptionAction<Connection>() {
              public Connection run() throws Exception {
                  Class.forName(JDBC_DRIVER);
                  return DriverManager.getConnection(JDBC_DB_URL);
              }
          });
      }
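      The release note shows only the doAs() half. The following added example (not code from the HIVE-6486 patch or its attached test case) shows the whole flow a multi-user middleware component would run: it logs an end user in to the KDC programmatically with a JAAS Krb5LoginModule configuration, keeps the resulting Subject private to that call, and opens the HiveServer2 connection inside Subject.doAs() with the auth=kerberos and kerberosAuthType=fromSubject URL properties from the release note. The host, port, HiveServer2 principal, user principal and keytab path are assumed values that must be replaced with those of your deployment.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/**
 * Added example: programmatic Kerberos login per user, then a HiveServer2
 * connection opened inside Subject.doAs() using kerberosAuthType=fromSubject.
 */
public class SubjectDoAsExample {

    // Assumed deployment values: adjust host, port and the HiveServer2 service principal.
    private static final String HS2_URL =
        "jdbc:hive2://HiveHost:10000/default"
        + ";principal=hive/localhost.localdomain@EXAMPLE.COM"
        + ";auth=kerberos;kerberosAuthType=fromSubject";
    private static final String JDBC_DRIVER = "org.apache.hive.jdbc.HiveDriver";

    /** JAAS configuration for Krb5LoginModule: keytab login, no prompting, no shared ticket cache. */
    static Configuration keytabConfig(final String principal, final String keytabPath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> options = new HashMap<String, String>();
                options.put("useKeyTab", "true");
                options.put("keyTab", keytabPath);
                options.put("principal", principal);
                options.put("storeKey", "true");        // keep the key so GSS can obtain a service ticket
                options.put("doNotPrompt", "true");
                options.put("useTicketCache", "false"); // do not read or write the process-wide cache
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
                };
            }
        };
    }

    /** Logs one user in; the returned Subject holds only that user's credentials. */
    static Subject login(String principal, String keytabPath) throws Exception {
        // The entry name is irrelevant here because keytabConfig() ignores it.
        LoginContext lc = new LoginContext("HiveClient", null, null, keytabConfig(principal, keytabPath));
        lc.login();
        return lc.getSubject();
    }

    /** Opens the connection as the given Subject; errors propagate rather than yielding a null Connection. */
    static Connection connectAs(Subject user) throws Exception {
        return Subject.doAs(user, new PrivilegedExceptionAction<Connection>() {
            @Override
            public Connection run() throws Exception {
                Class.forName(JDBC_DRIVER);
                return DriverManager.getConnection(HS2_URL);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Assumed user principal and keytab path. Several such Subjects can coexist in one JVM,
        // so no kinit is needed and the server grants no impersonation privilege to a middleware principal.
        Subject alice = login("alice@EXAMPLE.COM", "/etc/security/keytabs/alice.keytab");
        Connection conn = connectAs(alice);
        try {
            Statement st = conn.createStatement();
            ResultSet rs = st.executeQuery("SHOW TABLES");
            while (rs.next()) {
                System.out.println("table visible to alice: " + rs.getString(1));
            }
        } finally {
            conn.close();
        }
    }
}
```

      As the release note requires, hive-exec*.jar must be on the classpath together with the Hive JDBC jars. Because the driver reads credentials from the Subject current in doAs() rather than from the ticket cache, each user's Subject stays isolated; a later Subject.doAs() with a different Subject authenticates as that other user, which is what removes the need for a shared proxy principal.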

      Description

      HIVE-5155 addresses the problem of Kerberos authentication in a multi-user middleware server by using a proxy user. In that mode the principal used by the middleware server has privileges to impersonate selected users in Hive/Hadoop.

      This enhancement supports Subject.doAs() authentication in the Hive JDBC layer so that the end user's Kerberos Subject is passed through by the middleware server. With this improvement there is no additional server-side setup to grant proxy privileges to some users, and there is no need to specify a proxy user in the JDBC client. This approach should also be more secure, since it does not require principals with privileges to impersonate other users in the Hive/Hadoop setup.

        Attachments

        1. TestCase_HIVE-6486.java (4 kB, Shivaraju Gowda)
        2. HIVE-6486_Hive0.11.patch (7 kB, Shivaraju Gowda)
        3. HIVE-6486.3.patch (7 kB, Shivaraju Gowda)
        4. HIVE-6486.2.patch (7 kB, Shivaraju Gowda)
        5. HIVE-6486.1.patch (7 kB, Shivaraju Gowda)


              People

              • Assignee: Shivaraju Gowda (shivshi)
              • Reporter: Shivaraju Gowda (shivshi)
              • Votes: 2
              • Watchers: 10