> On March 27, 2014, 6:54 a.m., Prasad Mujumdar wrote:
> > service/src/java/org/apache/hive/service/cli/CLIService.java, line 96
> > <https://reviews.apache.org/r/19599/diff/3/?file=537238#file537238line96>
> >
> >     Just curious, do the two principals need to be different? Can't the 
> > same user run the service as well as authenticate with Knox?
> >

Thanks Prasad for review.

Per SPNego protocol, HTTP Client expects the HTTP Service principal to be of 
the form HTTP/<HOST>@<DOMAIN>.

HTTP/<HOST>@<DOMAIN> principal is used for mutual authentication with HTTP 
Client.

hive/<HOST>@<DOMAIN> is used for mutual authentication with other Hadoop 
services (non-HTTP).


> On March 27, 2014, 6:54 a.m., Prasad Mujumdar wrote:
> > service/src/java/org/apache/hive/service/cli/CLIService.java, line 106
> > <https://reviews.apache.org/r/19599/diff/3/?file=537238#file537238line106>
> >
> >     Should this throw an exception instead or warning?

This could throw exception if we make SPNego the only supported mutual 
authentication for HTTP Client.
At present, we are keeping it optional and continue to support existing non 
standard Kerberos over HTTP authentication.
Hence, warning instead of exception.


- dilli


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/19599/#review38701
-----------------------------------------------------------


On March 26, 2014, 2:38 a.m., dilli dorai wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/19599/
> -----------------------------------------------------------
> 
> (Updated March 26, 2014, 2:38 a.m.)
> 
> 
> Review request for hive, Ashutosh Chauhan, Thejas Nair, and Vaibhav Gumashta.
> 
> 
> Bugs: HIVE-6697
>     https://issues.apache.org/jira/browse/HIVE-6697
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> See Jira for description
> https://issues.apache.org/jira/browse/HIVE-6697
> 
> 
> Diffs
> -----
> 
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java affcbb4 
>   conf/hive-default.xml.template 3c3df43 
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 6e6a47d 
>   service/src/java/org/apache/hive/service/cli/CLIService.java e31a74e 
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java cb01cfd 
>   service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 255a165 
>   shims/0.20/src/main/java/org/apache/hadoop/hive/shims/Hadoop20Shims.java 9aa555a 
>   shims/common-secure/src/main/java/org/apache/hadoop/hive/shims/HadoopShimsSecure.java d4cddda 
>   shims/common/src/main/java/org/apache/hadoop/hive/shims/HadoopShims.java ed951f1 
> 
> Diff: https://reviews.apache.org/r/19599/diff/
> 
> 
> Testing
> -------
> 
> ## Verification of enhancement with Beeline/JDBC 
> 
> ### Verified the following calls succeeded getting connection, and listing 
> tables, 
> when valid spnego.principal and spnego.keytab are specified in hive-site.xml,
> and the client has KINITed and has a valid kerberos ticket in cache
> 
> 
> !connect 
> jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
>   dummy dummy-pass org.apache.hive.jdbc.HiveDriver 
> 
> 
> !connect 
> jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
>   dummy dummy-pass org.apache.hive.jdbc.HiveDriver 
> 
> ### Verified the following call succeeded getting connection, and listing 
> tables, 
> even if valid spnego.principal or valid spnego.keytab is not specified in 
> hive-site.xml,
> as long as valid hive server2 kerberos principal and keytab are specified in 
> hive-site.xml,
> and the client has KINITed and has a valid kerberos ticket in cache
> 
> !connect 
> jdbc:hive2://hdps.example.com:10001/default;principal=hive/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
>   dummy dummy-pass org.apache.hive.jdbc.HiveDriver 
> 
> ### Verified the following call failed getting connection, 
> when valid spnego.principal or valid spnego.keytab is not specified in 
> hive-site.xml
> 
> !connect 
> jdbc:hive2://hdps.example.com:10001/default;principal=HTTP/hdps.example....@example.com?hive.server2.transport.mode=http;hive.server2.thrift.http.path=cliservice
>   dummy dummy-pass org.apache.hive.jdbc.HiveDriver 
> 
> ## Verification of enhancement with Apache Knox
> 
> Apache Knox was able to authenticate to hive server 2 as SPNego client using 
> Apache HttpClient,
> and list tables, when correct spnego.principal and spnego.keytab are 
> specified in hive-site.xml
> 
> Apache Knox was not able to authenticate to hive server 2 as SPNego client 
> using Apache HttpClient,
> when valid spnego.principal or spnego.keytab is not specified in hive-site.xml
> 
> ## Verification of enhancement with curl
> 
> ### when valid spnego.principal and spnego.keytab are specified in 
> hive-site.xml
> and the client has KINITed and has a valid kerberos ticket in cache
> 
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> 
> SPNego authentication succeeded and got a HTTP status code 500,
> since we did not send Thrift body content
> 
> ### when valid spnego.principal and spnego.keytab are specified in 
> hive-site.xml
> and the client has not KINITed and does not have a valid kerberos ticket in 
> cache
> 
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> 
> curl -i --negotiate -u : http://hdps.example.com:10001/cliservice
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Negotiate
> Content-Type: application/x-thrift;charset=ISO-8859-1
> Content-Length: 69
> Server: Jetty(7.6.0.v20120127)
> 
> Authentication Error: java.lang.reflect.UndeclaredThrowableException
> 
> 
> Thanks,
> 
> dilli dorai
> 
>
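A startup-style check of the SPNego settings discussed in this thread, written as an added example (not code from the review request or from Hive): it verifies that the configured principal has the HTTP/<HOST>@<DOMAIN> form the client expects and returns warnings rather than raising, matching the warning-over-exception choice explained in the reply. The function names, the keytab path and the `_HOST` handling are assumptions made for illustration; only presence of the keytab setting is checked, not the keytab contents.

```python
import re

# Kerberos service principal of the form service/host@REALM.
_PRINCIPAL = re.compile(r"^([^/@\s]+)/([^/@\s]+)@([^/@\s]+)$")


def parse_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    match = _PRINCIPAL.match(principal.strip())
    if match is None:
        raise ValueError("not of the form service/host@REALM: %r" % principal)
    return match.groups()


def spnego_config_warnings(spnego_principal, spnego_keytab, server_host):
    """Return warnings (never raise) for a server's SPNego settings.

    SPNego stays optional, so a bad setting only disables the SPNego path
    instead of stopping the server.
    """
    if not spnego_principal or not spnego_keytab:
        return ["SPNego principal or keytab not set: clients that ask for "
                "HTTP/<HOST>@<DOMAIN> will fail to connect"]
    try:
        service, host, _realm = parse_principal(spnego_principal)
    except ValueError as err:
        return ["SPNego principal unusable: %s" % err]
    warnings = []
    if service != "HTTP":
        warnings.append("service name is %r; SPNego clients expect 'HTTP'" % service)
    # Assumption: '_HOST' is the Hadoop-style placeholder replaced with the
    # local hostname at startup, so it is accepted here.
    if host != "_HOST" and host.lower() != server_host.lower():
        warnings.append("principal host %r does not match server host %r"
                        % (host, server_host))
    return warnings


if __name__ == "__main__":
    # Constructed sample values; the keytab path is a placeholder.
    keytab = "/path/to/spnego.keytab"
    for principal in ("HTTP/hdps.example.com@EXAMPLE.COM",
                      "hive/hdps.example.com@EXAMPLE.COM",
                      "HTTP/other.example.com@EXAMPLE.COM",
                      ""):
        print(repr(principal),
              spnego_config_warnings(principal, keytab, "hdps.example.com"))
```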
