Thanks Naveen,

I missed that HIVE-25875 recently provided explicit multi-AuthN support.

The use case is simple: secured cluster
with hive.server2.transport.mode=all for both secured native clients
(kerberos) and external clients (user/pass)
- KERBEROS is needed for cluster-local (or near-cluster) clients.
- LDAP is needed for clients who can do only user/passwd authN
- binary transport is the default for both native and external clients
- http transport is only for Knox, which is in that case KERBEROS/http

For binary transport we were using authentication=LDAP as this gave us both
KERBEROS *_and_* LDAP. For http transport - which would be needed for Knox
- authentication=LDAP is exclusive.
I thought HIVE-25875 would do something similar for http transport but
based on the review comments it won't work, right? I mean authentication
'LDAP,KERBEROS'.

Regarding the separated configuration property: the new one could have a
valid technical value - which would be the default value for now - meaning
if it's set, then just use the value(s) from the other config property.
That way it would be backward compatible and in one of the later versions
this can be deprecated and the technical 'fallback' value could be removed.

R, Janos
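As an added illustration of the split proposed in this thread (not HiveServer2 code and not from any of the messages): a small resolver that applies the fallback rule above, where the new hive.server2.http.authentication reuses hive.server2.authentication unless set, and rejects http-only methods on the binary transport. The sentinel value and the http-only table are assumptions for the example.

```python
"""Hypothetical resolver for per-transport HiveServer2 authentication.

Illustrates the proposal in this thread; it is not Hive's own code.
"""
from typing import Dict, List

# Assumption for the example, taken from the thread: SAML and JWT are
# http-only. LDAP and KERBEROS are accepted on both transports here.
HTTP_ONLY = {"SAML", "JWT"}

# Hypothetical "technical" default for hive.server2.http.authentication:
# when left at this value, the http transport reuses the base property.
FALLBACK = "INHERIT"


def parse_methods(value: str) -> List[str]:
    """Split a comma-separated method list, upper-cased, blanks dropped."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def effective_auth(conf: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {transport: [methods]} for every enabled transport.

    hive.server2.transport.mode may be binary, http or all. The binary
    transport always reads hive.server2.authentication; the http transport
    reads hive.server2.http.authentication unless it holds FALLBACK.
    """
    mode = conf.get("hive.server2.transport.mode", "binary").lower()
    if mode not in ("binary", "http", "all"):
        raise ValueError(f"unknown transport mode: {mode}")
    base = parse_methods(conf.get("hive.server2.authentication", "NONE"))
    http_raw = conf.get("hive.server2.http.authentication", FALLBACK)
    http = base if http_raw.upper() == FALLBACK else parse_methods(http_raw)

    result: Dict[str, List[str]] = {}
    if mode in ("binary", "all"):
        bad = [m for m in base if m in HTTP_ONLY]
        if bad:  # e.g. "KERBEROS,SAML" with the binary transport enabled
            raise ValueError(f"{bad} not usable on the binary transport")
        result["binary"] = base
    if mode in ("http", "all"):
        if not http:
            raise ValueError("http transport enabled but no method set")
        result["http"] = http
    return result
```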


Naveen Gangam <ngan...@cloudera.com.invalid> wrote (on Mon, 28 Mar 2022,
23:11):

> Hi Janos,
> LDAP auth works in http mode as well.
>
> We have made some enhancements recently:
> HiveServer2 is now capable of supporting multiple authentication modes. For
> example: in http mode, you can set it to "LDAP,SAML"
> We have just added another auth mode (JWT) for http transport via
> HIVE-25575. So now, we can add "JWT" to this list as well.
>
> While we have checks to set it to something like "KERBEROS,SAML" (KERBEROS
> in binary mode and SAML is http mode only), I understand your general point
> about having the ability to use LDAP with binary mode and SAML in http
> mode.
>
> I am not certain this is a huge usecase for us, but if there is general
> consensus that we need this, we could create a jira around this. My biggest
> concern with the separation of the properties is backward compatibility.
>
> Thank you
> Naveen
>
> On Mon, Mar 28, 2022 at 4:56 AM Stamatis Zampetakis <zabe...@gmail.com>
> wrote:
>
> > Hey Janos,
> >
> > You brought up an interesting subject.
> >
> > I haven't worked on the code around the authentication process so cannot
> > foresee the impact on the codebase but high level your idea seems
> > reasonable to me.
> >
> > I would be favorable in such a change but I would definitely like to see
> > some tests and documentation come along from the one who pushes this
> > forward.
> >
> > Best,
> > Stamatis
> >
> > On Fri, Mar 18, 2022, 6:40 PM Janos Kovacs <kovja...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I just found that while HS2 can do authentication with mixed methods -
> > > like Kerberos+LDAP - it only works with the binary protocol. With the
> > > transport set to http, the authentication basically works only against
> > > what is set by hive.server2.authentication. If e.g. it's set to LDAP,
> > > it doesn't try other methods, even if the client is sending the
> > > Negotiate headers in the request.
> > >
> > > While this is something that probably could be fixed, I was thinking
> > > about a quick(er) fix that might sound just like a workaround at first,
> > > but adding the fact that HS2 now can do both binary and http transports
> > > together (HIVE-5312) and that there are other authentication methods
> > > which support only one type of transport - like SAML works only with
> > > http transport -, this might be a good enhancement by itself: split the
> > > hive.server2.authentication between binary and http by introducing
> > > hive.server2.http.authentication.
> > >
> > > If the http transport could be configured independently from the binary
> > > transport, then HS2 could run in dual-transport mode, e.g. binary
> > > offering Kerberos+LDAP while http offering SAML (or any other
> > > independent method).
> > >
> > > Could you please share your thoughts on splitting the authN method
> > > between the two transport modes?
> > >
> > > Thanks, Janos
> > >
> >
>
