Details

      Description

      Current Lens implementation is broken when we try to enable kerberos authentication in lens as mentioned at https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2 in following ways,
      1. openSession REST API fails to create new session for user. Currently it supports only passwd types of authentication.

      2. If the underlying hive driver is running with kerberos authentication then driver initialization flow to obtain hive transport for hive driver in lens errors out. Hive server accepts only sasl messages but lens continues using PLAINSASL.

      3. If hadoop cluster has kerberos authentication enabled then all hdfs calls (persisting services, all hdfs path in conf etc) fail.
      4. Lens as if now doesnt supports refreshing KDC token before it expires.

      Changes required in lens to fully support kerberose authentication are as follows,

      1. lens's hive driver must use SASL for all communication in to kerberozied hive. Current thrift client for hive doesn't support this functionality.
      2. Lens must refresh KDC ticket before it expires.
      3. All clients must be authenticated with kerberose authentication before session creation.
      4. In kerberos mode all hive driver query should be executed with single cluster user as "lens".

        Attachments

        1. Lens-1506.4.patch
          27 kB
          Ankit Kailaswar
        2. Lens-1506.3.patch
          27 kB
          Ankit Kailaswar
        3. Lens-1506.2.patch
          27 kB
          Ankit Kailaswar
        4. Lens-1506.1.patch
          27 kB
          Ankit Kailaswar
        5. Lens-1506_patch
          23 kB
          Ankit Kailaswar
        6. design3.png
          1.40 MB
          Ankit Kailaswar

          Activity

            People

            • Assignee:
              ankitkailaswar Ankit Kailaswar
              Reporter:
              ankitkailaswar Ankit Kailaswar
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: