This is an automated email from the ASF dual-hosted git repository. ngangam pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push: new 280632d HIVE-25349: Skip password auth when trusted header is present in the http request(Saihemanth via Naveen Gangam) 280632d is described below commit 280632d47f764507b4dcccd524ef8640cc1537b5 Author: saihemanth <saihema...@cloudera.com> AuthorDate: Mon Jul 19 11:33:03 2021 -0700 HIVE-25349: Skip password auth when trusted header is present in the http request(Saihemanth via Naveen Gangam) --- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java | 5 +++++ .../org/apache/hive/service/cli/thrift/ThriftHttpServlet.java | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index ad60447..ff54593 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -3737,6 +3737,11 @@ public class HiveConf extends Configuration { "The parent node in ZooKeeper used by HiveServer2 when supporting dynamic service discovery."), HIVE_SERVER2_ZOOKEEPER_PUBLISH_CONFIGS("hive.server2.zookeeper.publish.configs", true, "Whether we should publish HiveServer2's configs to ZooKeeper."), + HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER("hive.server2.proxy.trustheader", "", "This config " + + "indicates whether the connection is authenticated before the requests lands on HiveServer2, So that we can" + + "avoid the authentication is again in HS2. Default value is empty, if it's value is set to some header say " + + "'X-Trusted-Proxy-Auth-Header' then we need to look for this header in the connection string, if present " + + "we directly extarct the client name from header."), // HiveServer2 global init file location HIVE_SERVER2_GLOBAL_INIT_FILE_LOCATION("hive.server2.global.init.file.location", "${env:HIVE_CONF_DIR}", 
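Review bot: The description added for `hive.server2.proxy.trustheader` never states that setting it makes HiveServer2 skip password verification for requests carrying that header, so an operator gets no hint of the deployment precondition. I would append a sentence such as `"Enable only when HiveServer2 accepts HTTP connections solely from the authenticating proxy and the proxy strips this header from client requests."` The text also says the header is looked up "in the connection string", while the servlet change in this commit reads it from the HTTP request headers. The concatenation has no space between `we can"` and `"avoid`, so the rendered help text reads "canavoid", and `extarct` should be `extract`.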
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index f734c40..20274ff 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -222,8 +222,13 @@ public class ThriftHttpServlet extends TServlet {
 clientUserName = doSamlAuth(request, response);
 }
 } else {
- // For password based authentication
- clientUserName = doPasswdAuth(request, authType);
+ String proxyHeader = HiveConf.getVar(hiveConf, ConfVars.HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER).trim();
+ if (!proxyHeader.equals("") && request.getHeader(proxyHeader) != null) { //Trusted header is present, which means the user is already authorized.
+ clientUserName = getUsername(request, authType);
+ } else {
+ // For password based authentication
+ clientUserName = doPasswdAuth(request, authType);
+ }
 }
 }
 }
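Review bot: The new branch inside the password-auth `else` treats the mere presence of the configured header as proof that an upstream proxy authenticated the caller; neither the header's value nor the peer that sent it is checked before `doPasswdAuth` is skipped. `getUsername` is defined outside this hunk, but if it takes the name from client-supplied request data, a request that reaches the HTTP port without passing through the proxy would be accepted on the strength of the header alone. I would gate the branch on the sender as well, for example by comparing `request.getRemoteAddr()` with a configured list of proxy addresses or by requiring a client certificate, and log every request that skips password auth so the path is auditable. The inline comment should say "authenticated" rather than "authorized", e.g. `// Trusted header present: the fronting proxy has already authenticated the user.` The enclosing method starts and ends outside the hunk.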