[ https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ankit Kailaswar updated LENS-1506:
----------------------------------
    Attachment: Lens-1506.3.patch

> Kerberos authentication in lens
> -------------------------------
>
>                 Key: LENS-1506
>                 URL: https://issues.apache.org/jira/browse/LENS-1506
>             Project: Apache Lens
>          Issue Type: Improvement
>          Components: client, driver-hive, python-client, server
>            Reporter: Ankit Kailaswar
>            Assignee: Ankit Kailaswar
>            Priority: Major
>         Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch, Lens-1506_patch, design3.png
>
>
> Current Lens implementation is broken when we try to enable kerberos
> authentication in lens as mentioned at
> [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in
> the following ways,
> 1. openSession REST API fails to create a new session for the user. Currently it
> supports only passwd types of authentication.
> 2. If the underlying hive driver is running with kerberos authentication then
> the driver initialization flow to obtain hive transport for the hive driver in lens
> errors out. Hive server accepts only sasl messages but lens continues using
> PLAINSASL.
> 3. If the hadoop cluster has kerberos authentication enabled then all hdfs calls
> (persisting services, all hdfs paths in conf etc) fail.
> 4. Lens as of now doesn't support refreshing the KDC token before it expires.
> Changes required in lens to fully support kerberos authentication are as
> follows,
> # lens's hive driver must use SASL for all communication into kerberized
> hive. Current thrift client for hive doesn't support this functionality.
> # Lens must refresh the KDC ticket before it expires.
> # All clients must be authenticated with kerberos authentication before
> session creation.
> # In kerberos mode all hive driver queries should be executed with a single
> cluster user as "lens".

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
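
Two of the required changes listed in the issue (refreshing the Kerberos ticket before it expires, and doing cluster work as the single service user "lens") shown with Hadoop's `UserGroupInformation` API. This is an added example, not code from the attached patches or from Apache Lens; the class name, principal, realm, keytab path, HDFS path and the hourly check interval are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KerberosServiceLogin {  // hypothetical class name
  // Placeholders (assumptions): use the service's real principal and keytab.
  static final String PRINCIPAL = "lens/host.example.com@EXAMPLE.COM";
  static final String KEYTAB = "/etc/security/keytabs/lens.service.keytab";

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Obtain a TGT from the keytab; this becomes the JVM-wide login user.
    UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
    final UserGroupInformation lens = UserGroupInformation.getLoginUser();

    // Periodic check: UGI re-logs in from the keytab only when the TGT is
    // close to expiry, so the interval just has to be well below its lifetime.
    ScheduledExecutorService renewer = Executors.newSingleThreadScheduledExecutor(r -> {
      Thread t = new Thread(r, "kerberos-tgt-renewer");
      t.setDaemon(true);
      return t;
    });
    renewer.scheduleAtFixedRate(() -> {
      try {
        lens.checkTGTAndReloginFromKeytab();
      } catch (Exception e) {
        // A failed relogin means calls start failing once the TGT expires: alert on it.
        System.err.println("Kerberos relogin failed: " + e);
      }
    }, 1, 1, TimeUnit.HOURS);

    // Run an HDFS call under the service identity (illustrative path).
    boolean exists = lens.doAs((PrivilegedExceptionAction<Boolean>) () -> {
      try (FileSystem fs = FileSystem.newInstance(conf)) {
        return fs.exists(new Path("/tmp"));
      }
    });
    System.out.println("HDFS reachable as " + lens.getUserName() + ": " + exists);
  }
}
```

The keytab is a long-lived credential for the service principal, so it should be readable only by the account the server runs as.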