This is an automated email from the ASF dual-hosted git repository.

ngangam pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 280632d  HIVE-25349: Skip password auth when trusted header is present 
in the http request(Saihemanth via Naveen Gangam)
280632d is described below

commit 280632d47f764507b4dcccd524ef8640cc1537b5
Author: saihemanth <saihema...@cloudera.com>
AuthorDate: Mon Jul 19 11:33:03 2021 -0700

    HIVE-25349: Skip password auth when trusted header is present in the http 
request(Saihemanth via Naveen Gangam)
---
 common/src/java/org/apache/hadoop/hive/conf/HiveConf.java        | 5 +++++
 .../org/apache/hive/service/cli/thrift/ThriftHttpServlet.java    | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index ad60447..ff54593 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3737,6 +3737,11 @@ public class HiveConf extends Configuration {
         "The parent node in ZooKeeper used by HiveServer2 when supporting 
dynamic service discovery."),
     
HIVE_SERVER2_ZOOKEEPER_PUBLISH_CONFIGS("hive.server2.zookeeper.publish.configs",
 true,
         "Whether we should publish HiveServer2's configs to ZooKeeper."),
+    HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER("hive.server2.proxy.trustheader", 
"", "This config " +
+            "indicates whether the connection is authenticated before the 
requests lands on HiveServer2, So that we can" +
+            "avoid the authentication is again in HS2. Default value is empty, 
if it's value is set to some header say " +
+            "'X-Trusted-Proxy-Auth-Header' then we need to look for this 
header in the connection string, if present " +
+            "we directly extarct the client name from header."),
 
     // HiveServer2 global init file location
     
HIVE_SERVER2_GLOBAL_INIT_FILE_LOCATION("hive.server2.global.init.file.location",
 "${env:HIVE_CONF_DIR}",
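Review bot: The description string for `hive.server2.proxy.trustheader` does not state the deployment precondition that makes this option safe: HiveServer2 must be reachable only through the proxy, and the proxy must strip any client-supplied copy of the header. That sentence belongs in the description, because the servlet change in this commit skips password checking for any request that carries the header. The concatenation also drops a space (`"... So that we can" + "avoid ..."` renders as "canavoid"), "extarct" is misspelled, and "in the connection string" should read "in the HTTP request", which is where the servlet looks. A suggested opening is `"Name of an HTTP header whose presence indicates that a trusted proxy has already authenticated the request; when set and present, HiveServer2 skips password authentication. "`.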
diff --git 
a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java 
b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index f734c40..20274ff 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -222,8 +222,13 @@ public class ThriftHttpServlet extends TServlet {
               clientUserName = doSamlAuth(request, response);
             }
           } else {
-            // For password based authentication
-            clientUserName = doPasswdAuth(request, authType);
+            String proxyHeader = HiveConf.getVar(hiveConf, 
ConfVars.HIVE_SERVER2_TRUSTED_PROXY_TRUSTHEADER).trim();
+            if (!proxyHeader.equals("") && request.getHeader(proxyHeader) != 
null) { //Trusted header is present, which means the user is already authorized.
+              clientUserName = getUsername(request, authType);
+            } else {
+              // For password based authentication
+              clientUserName = doPasswdAuth(request, authType);
+            }
           }
         }
       }
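Review bot: The new branch treats the mere presence of the configured header as proof of prior authentication, and nothing in the hunk checks that the request arrived from the trusted proxy, so a client that reaches the HiveServer2 HTTP endpoint directly and sends that header would skip `doPasswdAuth`. `getUsername` is defined outside the hunk, so whether it validates anything is not visible here; presumably the user name is taken from the request as supplied. The condition should also require the peer to be a configured proxy, e.g. `if (!proxyHeader.isEmpty() && request.getHeader(proxyHeader) != null && isFromTrustedProxy(request))`, where `isFromTrustedProxy` is a placeholder for a check of `request.getRemoteAddr()` or a client certificate against an allowlist. Each bypass should also be logged with the header name, resolved user and remote address so it can be audited, and the inline comment should say "authenticated" rather than "authorized". The enclosing method begins and ends outside the hunk.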
