hive-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Work logged] (HIVE-21783) Avoid authentication for connection from the same domain
Date Mon, 03 Jun 2019 06:42:00 GMT

     [ https://issues.apache.org/jira/browse/HIVE-21783?focusedWorklogId=252944&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-252944 ]

ASF GitHub Bot logged work on HIVE-21783:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Jun/19 06:41
            Start Date: 03/Jun/19 06:41
    Worklog Time Spent: 10m 
      Work Description: ashutosh-bapat commented on pull request #648: HIVE-21783: Accept
Hive connections from the same domain without authentication.
URL: https://github.com/apache/hive/pull/648#discussion_r289704206
 
 

 ##########
 File path: service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
 ##########
 @@ -137,32 +138,47 @@ protected void doPost(HttpServletRequest request, HttpServletResponse
response)
           return;
         }
       }
-      // If the cookie based authentication is already enabled, parse the
-      // request and validate the request cookies.
-      if (isCookieAuthEnabled) {
-        clientUserName = validateCookie(request);
-        requireNewCookie = (clientUserName == null);
-        if (requireNewCookie) {
-          LOG.info("Could not validate cookie sent, will try to generate a new cookie");
-        }
-      }
-      // If the cookie based authentication is not enabled or the request does
-      // not have a valid cookie, use the kerberos or password based authentication
-      // depending on the server setup.
-      if (clientUserName == null) {
-        // For a kerberos setup
-        if (isKerberosAuthMode(authType)) {
-          String delegationToken = request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
-          // Each http request must have an Authorization header
-          if ((delegationToken != null) && (!delegationToken.isEmpty())) {
-            clientUserName = doTokenAuth(request, response);
-          } else {
-            clientUserName = doKerberosAuth(request);
+
+      clientIpAddress = request.getRemoteAddr();
+      LOG.debug("Client IP Address: " + clientIpAddress);
+      String trustedDomain = HiveConf.getVar(hiveConf, ConfVars.HIVE_SERVER2_TRUST_DOMAIN).trim();
+
+      // Skip authentication if the connection is from the trusted domain
+      if (!trustedDomain.isEmpty() &&
+              PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(), trustedDomain))
{
+        LOG.info("No authentication performed because the connecting host " + request.getRemoteHost()
+
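
Review bot: The decision to skip authentication in `PlainSaslHelper.isHostFromTrustedDomain(request.getRemoteHost(), trustedDomain)` rests on a name obtained by reverse DNS, which is not a verified identity. Per the Servlet API, `getRemoteHost()` returns the fully qualified name of the client or of the last proxy that sent the request, and falls back to the dotted IP string when the container does not resolve names. The result therefore depends on container settings, on any proxy in front of HS2, and on PTR records maintained by whoever controls the address's reverse zone rather than by the trusted domain. I suggest resolving once from `clientIpAddress` into a local variable (the visible lines call `getRemoteHost()` twice), checking that a forward lookup of that name maps back to the same address before comparing it with `HIVE_SERVER2_TRUST_DOMAIN`, and stating these assumptions in the config description. The visible part of the `LOG.info` line records only the host name while the IP is logged at debug level; including `clientIpAddress` in the info message would let every unauthenticated connection be traced in the server log.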
 
 Review comment:
   Thanks for the detailed explanation.
   
   Here's a slight explanation for your "We can only support this for non-kerberos auth mode
(password based)".
   We can support this independent of the authentication method configured for the HiveServer2
to which the client is connecting. But the connection from a trusted domain should connect
as if it's connecting with NOSASL in HTTP mode and NONE authentication in binary mode.
   
   This means that when the HS2 is configured to use kerberos, there is no way that a client
can connect from a trusted domain and provide kerberos credentials. It *has to* provide
credentials as if it's a password based authentication (but the password will not be used if provided).
Any connection from a non-trusted domain should provide kerberos credentials. I think this slight
asymmetry is fine for our use case.
   
   When HS2 is configured to use password based authentication, there's no difference between
a connection from a trusted domain and a connection from a non-trusted domain.
   
   The rest of your explanation makes sense. I have changed the code accordingly.
   
   Please let me know if we need any changes to the config description.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 252944)
    Time Spent: 2h 50m  (was: 2h 40m)

> Avoid authentication for connection from the same domain
> --------------------------------------------------------
>
>                 Key: HIVE-21783
>                 URL: https://issues.apache.org/jira/browse/HIVE-21783
>             Project: Hive
>          Issue Type: New Feature
>          Components: HiveServer2
>            Reporter: Ashutosh Bapat
>            Assignee: Ashutosh Bapat
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: HIVE-21783.01.patch, HIVE-21801.01.patch
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> When a connection comes from the same domain do not authenticate the user. This is similar to NONE authentication but only for the connection from the same domain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
