[
https://issues.apache.org/jira/browse/HIVE-16529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139440#comment-16139440
]
Eric Yang commented on HIVE-16529:
----------------------------------
JPAM user account expiration issue can easily work around by applying this
patch to JPAM:
{code}
--- jpam/jpam/src/c/Pam.c 2005-06-14 20:02:36.000000000 -0700
+++ ../../jpam/jpam/jpam/src/c/Pam.c 2017-08-23 18:20:09.000000000 -0700
@@ -151,6 +151,9 @@
printf("***Sending password\n");
reply[replies].resp = COPY_STRING(password);
}
+ if (msg[replies]->msg_style==4) {
+ reply[replies].resp = NULL;
+ }
if (debug)
printf("***Response to PAM is: |%s|\n", reply[replies].resp);
}
{code}
This might be a workaround solution instead of replacing JPAM with libpam4j.
> Replace JPAM with libpam4j for PAM authentication
> -------------------------------------------------
>
> Key: HIVE-16529
> URL: https://issues.apache.org/jira/browse/HIVE-16529
> Project: Hive
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: 1.2.0
> Reporter: Richard Ding
> Assignee: Sailaja Navvluru
>
> PAM authentication is an important feature available since Hive 0.13. But
> Hive blog gives the following warnings:
> {quote}
> JPAM library that is used to provide the PAM authentication mode can cause
> HiveServer2 to go down if a user's password has expired. This happens because
> of segfault/core dumps from native code invoked by JPAM. Some users have also
> reported crashes during logins in other cases as well. Use of LDAP or
> KERBEROS is recommended.
> {quote}
> JPAM also requires user to install a native library. Furthermore, JPAM
> library seems not to have been updated since 2007.
> Other Apache projects (e.g. Ambari/Ranger/Knox) use a newer library libpam4j
> which doesn't require installation of native library.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
