Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
Description
The current Lens implementation is broken when we try to enable Kerberos authentication in Lens, as mentioned at https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2, in the following ways:
1. The openSession REST API fails to create a new session for the user. Currently it supports only passwd types of authentication.
2. If the underlying Hive driver is running with Kerberos authentication, then the driver initialization flow to obtain the Hive transport for the Hive driver in Lens errors out. Hive server accepts only SASL messages, but Lens continues using PLAINSASL.
3. If the Hadoop cluster has Kerberos authentication enabled, then all HDFS calls (persisting services, all HDFS paths in conf, etc.) fail.
4. Lens as of now doesn't support refreshing the KDC token before it expires.
Changes required in Lens to fully support Kerberos authentication are as follows:
- Lens's Hive driver must use SASL for all communication to kerberized Hive. The current Thrift client for Hive doesn't support this functionality.
- Lens must refresh the KDC ticket before it expires.
- All clients must be authenticated with Kerberos authentication before session creation.
- In Kerberos mode, all Hive driver queries should be executed as a single cluster user, "lens".
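
An added example (not Lens code and not part of the issue) of the keytab login, pre-expiry ticket refresh and single-service-user execution that items 3 and 4 and the last change bullet call for, using Hadoop's `UserGroupInformation`. The class name, principal and keytab path are placeholders, and a reachable KDC plus the cluster's `core-site.xml` on the classpath are assumed.

```java
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KerberosServiceLogin {
  // Placeholders (assumptions): substitute the deployment's own principal and keytab.
  static final String PRINCIPAL = "lens/host.example.com@EXAMPLE.COM";
  static final String KEYTAB = "/path/to/lens.keytab";

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Keytab login: no password is stored and the TGT can be re-acquired unattended.
    UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
    UserGroupInformation serviceUgi = UserGroupInformation.getLoginUser();

    // Renew ahead of expiry. checkTGTAndReloginFromKeytab() returns without doing
    // anything until the ticket nears expiry, so a short fixed interval is safe.
    ScheduledExecutorService renewer = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "kerberos-relogin");
      t.setDaemon(true);
      return t;
    });
    renewer.scheduleAtFixedRate(() -> {
      try {
        serviceUgi.checkTGTAndReloginFromKeytab();
      } catch (Exception e) {
        // Surface failures: an expired ticket breaks every later HDFS or Hive call.
        System.err.println("Kerberos relogin failed: " + e);
      }
    }, 1, 1, TimeUnit.MINUTES);

    // Run cluster calls as the single service identity, not as the calling client.
    boolean rootExists = serviceUgi.doAs((PrivilegedExceptionAction<Boolean>) () -> {
      FileSystem fs = FileSystem.get(conf);
      return fs.exists(new Path("/"));
    });
    System.out.println("HDFS reachable as " + serviceUgi.getUserName() + ": " + rootExists);
  }
}
```

The keytab should be readable only by the service account, since anyone who can read it can authenticate as the service principal.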