[
https://issues.apache.org/jira/browse/LENS-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ankit Kailaswar updated LENS-1506:
----------------------------------
Attachment: Lens-1506.4.patch
> Kerberos authentication in lens
> -------------------------------
>
> Key: LENS-1506
> URL: https://issues.apache.org/jira/browse/LENS-1506
> Project: Apache Lens
> Issue Type: Improvement
> Components: client, driver-hive, python-client, server
> Reporter: Ankit Kailaswar
> Assignee: Ankit Kailaswar
> Priority: Major
> Attachments: Lens-1506.1.patch, Lens-1506.2.patch, Lens-1506.3.patch,
> Lens-1506.4.patch, Lens-1506_patch, design3.png
>
>
> Current Lens implementation is broken when we try to enable kerberos
> authentication in lens as mentioned at
> [https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2] in
> following ways,
> 1. openSession REST API fails to create new session for user. Currently it
> supports only passwd types of authentication.
> 2. If the underlying hive driver is running with kerberos authentication then
> driver initialization flow to obtain hive transport for hive driver in lens
> errors out. Hive server accepts only sasl messages but lens continues using
> PLAINSASL.
> 3. If hadoop cluster has kerberos authentication enabled then all hdfs calls
> (persisting services, all hdfs path in conf etc) fail.
> 4. Lens as if now doesnt supports refreshing KDC token before it expires.
> Changes required in lens to fully support kerberose authentication are as
> follows,
> # lens's hive driver must use SASL for all communication in to kerberozied
> hive. Current thrift client for hive doesn't support this functionality.
> # Lens must refresh KDC ticket before it expires.
> # All clients must be authenticated with kerberose authentication before
> session creation.
> # In kerberos mode all hive driver query should be executed with single
> cluster user as "lens".
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
