hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain
Date Mon, 03 Jun 2019 04:46:00 GMT

     [ https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252907&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252907
]

ASF GitHub Bot logged work on HIVE-21783:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Jun/19 04:45
            Start Date: 03/Jun/19 04:45
    Worklog Time Spent: 10m 
      Work Description: ashutosh-bapat commented on pull request #648: HIVE-21783: Accept
Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289686372
 
 

 ##########
 File path: service/src/java/org/apache/hive/service/auth/PlainSaslHelper.java
 ##########
 @@ -65,16 +70,65 @@ public static TTransportFactory getPlainTransportFactory(String authTypeStr)
     return saslFactory;
   }
 
+  static TTransportFactory getDualPlainTransportFactory(TTransportFactory otherTrans,
+                                                        String trustedDomain)
+          throws LoginException {
+    LOG.info("Created additional transport factory for skipping authentication when client
" +
+            "connection is from the same domain.");
+    return new DualSaslTransportFactory(otherTrans, trustedDomain);
+  }
+
   public static TTransport getPlainTransport(String username, String password,
     TTransport underlyingTransport) throws SaslException {
     return new TSaslClientTransport("PLAIN", null, null, null, new HashMap<String, String>(),
       new PlainCallbackHandler(username, password), underlyingTransport);
   }
 
+  // Return true if the remote host is from the trusted domain, i.e. host URL has the same
+  // suffix as the trusted domain.
+  static public boolean isHostFromTrustedDomain(String remoteHost, String trustedDomain)
{
+    return remoteHost.endsWith(trustedDomain);
+  }
+
   private PlainSaslHelper() {
     throw new UnsupportedOperationException("Can't initialize class");
   }
 
+  static final class DualSaslTransportFactory extends TTransportFactory {
+    TTransportFactory otherFactory;
+    TTransportFactory noAuthFactory;
+    String trustedDomain;
+
+    DualSaslTransportFactory(TTransportFactory otherFactory, String trustedDomain)
+            throws LoginException {
+      this.noAuthFactory = getPlainTransportFactory(AuthMethods.NONE.toString());
+      this.otherFactory = otherFactory;
+      this.trustedDomain = trustedDomain;
+    }
+
+    @Override
+    public TTransport getTransport(final TTransport trans) {
+      TSocket tSocket = null;
+      // Attempt to avoid authentication if only we can fetch the client IP address and it
+      // happens to be from the same domain as the server.
+      if (trans instanceof TSocket) {
+        tSocket = (TSocket) trans;
+      } else if (trans instanceof TSaslServerTransport) {
+        TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
+        tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
+      }
+      String remoteHost = tSocket != null ?
+              tSocket.getSocket().getInetAddress().getCanonicalHostName() : null;
+      if (remoteHost != null && isHostFromTrustedDomain(remoteHost, trustedDomain))
{
+        LOG.info("No authentication performed because the connecting host " + remoteHost
+ " is " +
+                "from the trusted domain " + trustedDomain);
+        return noAuthFactory.getTransport(trans);
+      } else {
 
 Review comment:
   Right, done.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 252907)
    Time Spent: 2.5h  (was: 2h 20m)

> Avoid authentication for connection from the same domain
> --------------------------------------------------------
>
>                 Key: HIVE-21783
>                 URL: https://issues.apache.org/jira/browse/HIVE-21783
>             Project: Hive
>          Issue Type: New Feature
>          Components: HiveServer2
>            Reporter: Ashutosh Bapat
>            Assignee: Ashutosh Bapat
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. This is similar
to NONE authentication but only for the connection from the same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message