[HIVE-8916] Handle user@domain username under LDAP authentication - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.1.0
Component/s: Authentication
Labels:
- TODOC15

Description

If LDAP is configured with multiple domains for authentication, users can be in different domains.

Currently, LdapAuthenticationProviderImpl blindly appends the domain configured "hive.server2.authentication.ldap.Domain" to the username, which limits user to that domain. However, under multi-domain authentication, the username may already include the domain (ex: user@domain.foo.com). We should not append a domain if one is already present.

Also, if username already includes the domain, rest of Hive and authorization providers still expects the "short name" ("user" and not "user@domain.foo.com") for looking up privilege rules, etc. As such, any domain info in the username should be stripped off.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending

Attachments

HIVE-8916.patch
19/Nov/14 20:54
5 kB
Mohit Sabharwal
HIVE-8916.3.patch
20/Nov/14 21:59
5 kB
Mohit Sabharwal
HIVE-8916.2.patch
20/Nov/14 21:57
3 kB
Mohit Sabharwal

Issue Links

is related to

SENTRY-540 Fix Sentry test validating special chars in username due to HIVE-8916

Resolved

relates to

HIVE-4707 Support configurable domain name for HiveServer2 LDAP authentication using Active Directory

Closed

links to

review board

Activity

People

Assignee:

Mohit Sabharwal

Reporter:

Mohit Sabharwal

Votes:

0 Vote for this issue

Watchers:

8 Start watching this issue

Dates

Created:

19/Nov/14 20:30

Updated:

17/Jul/15 08:01

Resolved:

22/Nov/14 19:09