[ https://issues.apache.org/jira/browse/HIVE-29639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
KWON BYUNGCHANG updated HIVE-29639:
-----------------------------------
Description:
h2. Problem
In a Kerberized cluster, the HS2 WebUI is typically protected with
SPNEGO (`hive.server2.webui.use.spnego` + keytab/principal). SPNEGO
works fine for command-line / Kerberos clients, but in a browser it is
clunky: end users need a working Kerberos ticket cache on their
workstation, the browser has to be whitelisted for the SPNEGO domain,
and there is no clean way to plug the UI into an organisation's
broader SSO flow.
Elsewhere in the Hadoop ecosystem, this gap is commonly closed by
KnoxSSO in front of Kerberized NameNode / YARN ResourceManager /
Oozie UIs so end users get a single browser SSO experience instead of
raw SPNEGO, while the services themselves stay Kerberized.
HS2 cannot join that story today. There is no supported way to insert
a custom `javax.servlet.Filter` into the WebUI servlet pipeline, so
operators either live with browser SPNEGO
h2. Proposal
Add a configurable `javax.servlet.Filter` slot to the WebUI, mirroring
Spark's `spark.ui.filters`. Any `Filter` can then be
installed via configuration alone, with no code changes.
h2. Example (KnoxSSO)
{noformat}
hive.server2.webui.auth.method=CUSTOM
hive.server2.webui.custom.auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter
hive.server2.webui.custom.auth.filter.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
hive.server2.webui.custom.auth.filter.alt-kerberos.non-browser.user-agents=${hadoop.http.authentication.alt-kerberos.non-browser.user-agents}
hive.server2.webui.custom.auth.filter.signer.secret.provider=${hadoop.http.authentication.signer.secret.provider}
hive.server2.webui.custom.auth.filter.signature.secret.file=${hadoop.http.authentication.signature.secret.file}
hive.server2.webui.custom.auth.filter.authentication.provider.url=${hadoop.http.authentication.authentication.provider.url}
hive.server2.webui.custom.auth.filter.public.key.pem=${hadoop.http.authentication.public.key.pem}
{noformat}
was:
h2. Problem
In a Kerberized cluster, the HS2 WebUI is typically protected with
SPNEGO (`hive.server2.webui.use.spnego` + keytab/principal). SPNEGO
works fine for command-line / Kerberos clients, but in a browser it is
clunky: end users need a working Kerberos ticket cache on their
workstation, the browser has to be whitelisted for the SPNEGO domain,
and there is no clean way to plug the UI into an organisation's
broader SSO flow.
Elsewhere in the Hadoop ecosystem, this gap is commonly closed by
KnoxSSO in front of Kerberized NameNode / YARN ResourceManager /
Oozie UIs so end users get a single browser SSO experience instead of
raw SPNEGO, while the services themselves stay Kerberized.
HS2 cannot join that story today. There is no supported way to insert
a custom `javax.servlet.Filter` into the WebUI servlet pipeline, so
operators either live with browser SPNEGO
h2. Proposal
Add a configurable `javax.servlet.Filter` slot to the WebUI, mirroring
Spark's `spark.ui.filters`. Any `Filter` can then be
installed via configuration alone, with no code changes.
h2. Example (KnoxSSO)
{noformat}
hive.server2.webui.use.custom.auth.filter=true
hive.server2.webui.custom.auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter
hive.server2.webui.custom.auth.filter.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
hive.server2.webui.custom.auth.filter.alt-kerberos.non-browser.user-agents=${hadoop.http.authentication.alt-kerberos.non-browser.user-agents}
hive.server2.webui.custom.auth.filter.signer.secret.provider=${hadoop.http.authentication.signer.secret.provider}
hive.server2.webui.custom.auth.filter.signature.secret.file=${hadoop.http.authentication.signature.secret.file}
hive.server2.webui.custom.auth.filter.authentication.provider.url=${hadoop.http.authentication.authentication.provider.url}
hive.server2.webui.custom.auth.filter.public.key.pem=${hadoop.http.authentication.public.key.pem}
{noformat}
> Support a pluggable authentication filter for the HiveServer2 WebUI
> -------------------------------------------------------------------
>
> Key: HIVE-29639
> URL: https://issues.apache.org/jira/browse/HIVE-29639
> Project: Hive
> Issue Type: Improvement
> Reporter: KWON BYUNGCHANG
> Assignee: KWON BYUNGCHANG
> Priority: Major
> Labels: pull-request-available
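A pre-deployment check for the KnoxSSO example in the description, added here and not part of the issue or of Hive's code. It assumes that keys under `hive.server2.webui.custom.auth.filter.` reach the filter as init parameters with the prefix stripped (the convention Hadoop uses for `hadoop.http.authentication.`) and that `${...}` references resolve against the cluster's Hadoop settings; the `REQUIRED` list and the cluster values are constructed for the example.

```python
import re

METHOD_KEY = "hive.server2.webui.auth.method"
FILTER_KEY = "hive.server2.webui.custom.auth.filter"
PREFIX = FILTER_KEY + "."
# Assumption for this check: parameters a JWT/KnoxSSO setup cannot work without.
REQUIRED = ("type", "authentication.provider.url", "public.key.pem")
VAR = re.compile(r"\$\{([^}]+)\}")

def parse_props(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def filter_init_params(props, cluster):
    """Return (init_params, problems) for the custom WebUI filter."""
    problems, params, seen = [], {}, set()
    if props.get(METHOD_KEY) != "CUSTOM":
        problems.append(f"{METHOD_KEY} is not CUSTOM")
    if not props.get(FILTER_KEY):
        problems.append(f"{FILTER_KEY} names no Filter class")
    for key, raw in props.items():
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]          # prefix stripped: the filter's own name
        seen.add(name)
        missing = [v for v in VAR.findall(raw) if v not in cluster]
        if missing:                       # would reach the filter unexpanded
            problems.append(f"{name}: unresolved {', '.join(missing)}")
            continue
        params[name] = VAR.sub(lambda m: cluster[m.group(1)], raw)
    problems += [f"{r}: required but not set" for r in REQUIRED if r not in seen]
    return params, problems

# Properties taken from the issue's example (subset).
SAMPLE = """
hive.server2.webui.auth.method=CUSTOM
hive.server2.webui.custom.auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter
hive.server2.webui.custom.auth.filter.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
hive.server2.webui.custom.auth.filter.authentication.provider.url=${hadoop.http.authentication.authentication.provider.url}
hive.server2.webui.custom.auth.filter.public.key.pem=${hadoop.http.authentication.public.key.pem}
"""
# Constructed cluster values; the public key is deliberately left unset.
CLUSTER = {"hadoop.http.authentication.authentication.provider.url":
           "https://knox.example.com:8443/gateway/knoxsso/api/v1/websso"}
```

Calling `filter_init_params(parse_props(SAMPLE), CLUSTER)` reports the unset public key instead of letting the WebUI start with a token verifier that has no key to verify against.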