[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits
[ https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15311165#comment-15311165 ] Sushanth Sowmyan commented on HIVE-13418: - Marking fix version per Lefty's comment above. > HiveServer2 HTTP mode should support X-Forwarded-Host header for > authorization/audits > - > > Key: HIVE-13418 > URL: https://issues.apache.org/jira/browse/HIVE-13418 > Project: Hive > Issue Type: New Feature > Components: Authorization, HiveServer2 >Reporter: Thejas M Nair >Assignee: Thejas M Nair > Fix For: 2.1.0 > > Attachments: HIVE-13418.1.patch > > > Apache Knox acts as a proxy for requests coming from the end users. In these > cases, the IP address that HiveServer2 passes to the authorization/audit > plugins via the HiveAuthzContext object only the IP address of the proxy, and > not the end user. > For auditing purposes, the IP address of the end user and any proxies in > between are useful. > HiveServer2 should pass the information from 'X-Forwarded-Host' header to > the HiveAuthorizer plugins. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits
[ https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15311171#comment-15311171 ] Sushanth Sowmyan commented on HIVE-13418: - ([~thejas], if there is any work remaining on this bug, please open a further new jira for it.) > HiveServer2 HTTP mode should support X-Forwarded-Host header for > authorization/audits > - > > Key: HIVE-13418 > URL: https://issues.apache.org/jira/browse/HIVE-13418 > Project: Hive > Issue Type: New Feature > Components: Authorization, HiveServer2 >Reporter: Thejas M Nair >Assignee: Thejas M Nair > Fix For: 2.1.0 > > Attachments: HIVE-13418.1.patch > > > Apache Knox acts as a proxy for requests coming from the end users. In these > cases, the IP address that HiveServer2 passes to the authorization/audit > plugins via the HiveAuthzContext object only the IP address of the proxy, and > not the end user. > For auditing purposes, the IP address of the end user and any proxies in > between are useful. > HiveServer2 should pass the information from 'X-Forwarded-Host' header to > the HiveAuthorizer plugins. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits
[ https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15233229#comment-15233229 ] ASF GitHub Bot commented on HIVE-13418: --- GitHub user thejasmn opened a pull request: https://github.com/apache/hive/pull/69 HIVE-13418 You can merge this pull request into a Git repository by running: $ git pull https://github.com/thejasmn/hive HIVE-13418 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/hive/pull/69.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #69 commit 9afad78243c0eeedd7571ac7961f177ebf20e771 Author: Thejas Nair Date: 2016-04-08T06:35:25Z set x-forwarded-for commit 400406a0765253f14e570061375923431d7f304c Author: Thejas Nair Date: 2016-04-08T06:38:02Z set forwarded address in HiveAuthzContext commit ef438d7498cac59a665b92c5d3e5fffb6bbdac19 Author: Thejas Nair Date: 2016-04-08T21:23:55Z add test in TestThriftHttpCLIService commit a475bf1d077acf7335f4efcbcdd6bce7e75017fb Author: Thejas Nair Date: 2016-04-08T21:47:34Z rename impls of ThriftCLIServiceTest commit eb6982c9f013f02df26ff7ea8d78e658224c4f95 Author: Thejas Nair Date: 2016-04-08T21:48:38Z reorganize ThriftCLIServiceTest tests commit a3cac6ef692dcd1c89405e0cead4a0d949613122 Author: Thejas Nair Date: 2016-04-08T21:53:47Z rename test class commit e31cd18d7fd9be2ba0373949fa2e39d19a4aa943 Author: Thejas Nair Date: 2016-04-08T21:53:58Z new classname commit c48a21fab62f11f17213f2680cd414e69e155398 Author: Thejas Nair Date: 2016-04-09T00:17:55Z test now checks the forwarded ips passed on commit 131cd7208cc8e244a312253d63a250d7541f0a90 Author: Thejas Nair Date: 2016-04-09T00:19:04Z fix test imports commit ac227e05d931a906987a53cfcccf31b37fa8b95e Author: Thejas Nair Date: 2016-04-09T00:40:07Z fix test compile, post rebase > HiveServer2 HTTP mode should support X-Forwarded-Host header for > authorization/audits > - > > Key: HIVE-13418 > URL: https://issues.apache.org/jira/browse/HIVE-13418 > Project: Hive > Issue Type: New Feature > Components: Authorization, HiveServer2 >Reporter: Thejas M Nair >Assignee: Thejas M Nair > > Apache Knox acts as a proxy for requests coming from the end users. In these > cases, the IP address that HiveServer2 passes to the authorization/audit > plugins via the HiveAuthzContext object is the IP address of the proxy, and > not the end user. > For auditing and authorization purposes, the IP address of the end use is > more meaningful. > HiveServer2 should pass the information from 'X-Forwarded-Host' header to > the HiveAuthorizer plugins if the request is coming from a trusted proxy. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits
[ https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15235399#comment-15235399 ] Hive QA commented on HIVE-13418: Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12797835/HIVE-13418.1.patch {color:green}SUCCESS:{color} +1 due to 4 test(s) being added or modified. {color:red}ERROR:{color} -1 due to 29 failed/errored test(s), 9918 tests executed *Failed tests:* {noformat} TestMiniTezCliDriver-schema_evol_orc_acidvec_mapwork_part.q-vector_partitioned_date_time.q-vector_non_string_partition.q-and-12-more - did not produce a TEST-*.xml file TestMiniTezCliDriver-vector_acid3.q-vector_decimal_trailing.q-lvj_mapjoin.q-and-12-more - did not produce a TEST-*.xml file org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_index_bitmap3 org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_dyn_part_max org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskSchedulerService.testForcedLocalityPreemption org.apache.hadoop.hive.metastore.TestFilterHooks.org.apache.hadoop.hive.metastore.TestFilterHooks org.apache.hadoop.hive.metastore.TestMetaStoreInitListener.testMetaStoreInitListener org.apache.hadoop.hive.metastore.TestPartitionNameWhitelistValidation.testAppendPartitionWithCommas org.apache.hadoop.hive.metastore.TestPartitionNameWhitelistValidation.testAppendPartitionWithValidCharacters org.apache.hadoop.hive.metastore.TestRemoteUGIHiveMetaStoreIpAddress.testIpAddress org.apache.hadoop.hive.ql.security.TestClientSideAuthorizationProvider.testSimplePrivileges org.apache.hadoop.hive.ql.security.TestExtendedAcls.org.apache.hadoop.hive.ql.security.TestExtendedAcls org.apache.hadoop.hive.ql.security.TestFolderPermissions.org.apache.hadoop.hive.ql.security.TestFolderPermissions org.apache.hadoop.hive.ql.security.TestMetastoreAuthorizationProvider.testSimplePrivileges org.apache.hadoop.hive.ql.security.TestMultiAuthorizationPreEventListener.org.apache.hadoop.hive.ql.security.TestMultiAuthorizationPreEventListener org.apache.hadoop.hive.ql.security.TestStorageBasedClientSideAuthorizationProvider.testSimplePrivileges org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationDrops.testDropPartition org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationProvider.testSimplePrivileges org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationProviderWithACL.testSimplePrivileges org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadDbFailure org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadDbSuccess org.apache.hadoop.hive.ql.security.TestStorageBasedMetastoreAuthorizationReads.testReadTableFailure org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testDelegationTokenSharedStore org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testMetastoreProxyUser org.apache.hadoop.hive.thrift.TestHadoopAuthBridge23.testSaslWithHiveMetaStore org.apache.hive.hcatalog.api.repl.commands.TestCommands.org.apache.hive.hcatalog.api.repl.commands.TestCommands org.apache.hive.service.TestHS2ImpersonationWithRemoteMS.org.apache.hive.service.TestHS2ImpersonationWithRemoteMS org.apache.hive.spark.client.TestSparkClient.testJobSubmission org.apache.hive.spark.client.TestSparkClient.testSyncRpc {noformat} Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7547/testReport Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/7547/console Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-7547/ Messages: {noformat} Executing org.apache.hive.ptest.execution.TestCheckPhase Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase Tests exited with: TestsFailedException: 29 tests failed {noformat} This message is automatically generated. ATTACHMENT ID: 12797835 - PreCommit-HIVE-TRUNK-Build > HiveServer2 HTTP mode should support X-Forwarded-Host header for > authorization/audits > - > > Key: HIVE-13418 > URL: https://issues.apache.org/jira/browse/HIVE-13418 > Project: Hive > Issue Type: New Feature > Components: Authorization, HiveServer2 >Reporter: Thejas M Nair >Assignee: Thejas M Nair > Attachments: HIVE-13418.1.patch > > > Apache Knox acts as a proxy for requests coming from the end users. In these > cases, the IP address that HiveServer2 passes to the authorization/audit > plugins via the HiveAuthzContext object only the IP address of the proxy, and > not the end user. > For auditing purpose
[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits
[ https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15238377#comment-15238377 ] Vaibhav Gumashta commented on HIVE-13418: - +1. Looks like the test failures are unrelated. > HiveServer2 HTTP mode should support X-Forwarded-Host header for > authorization/audits > - > > Key: HIVE-13418 > URL: https://issues.apache.org/jira/browse/HIVE-13418 > Project: Hive > Issue Type: New Feature > Components: Authorization, HiveServer2 >Reporter: Thejas M Nair >Assignee: Thejas M Nair > Attachments: HIVE-13418.1.patch > > > Apache Knox acts as a proxy for requests coming from the end users. In these > cases, the IP address that HiveServer2 passes to the authorization/audit > plugins via the HiveAuthzContext object only the IP address of the proxy, and > not the end user. > For auditing purposes, the IP address of the end user and any proxies in > between are useful. > HiveServer2 should pass the information from 'X-Forwarded-Host' header to > the HiveAuthorizer plugins. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-13418) HiveServer2 HTTP mode should support X-Forwarded-Host header for authorization/audits
[ https://issues.apache.org/jira/browse/HIVE-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15244552#comment-15244552 ] Lefty Leverenz commented on HIVE-13418: --- [~thejas], two days ago you committed this to master. Are you waiting until a branch commit before updating the status? (See commit 833a7d158b3a8e45f492e7c82640c1a367d79b30.) > HiveServer2 HTTP mode should support X-Forwarded-Host header for > authorization/audits > - > > Key: HIVE-13418 > URL: https://issues.apache.org/jira/browse/HIVE-13418 > Project: Hive > Issue Type: New Feature > Components: Authorization, HiveServer2 >Reporter: Thejas M Nair >Assignee: Thejas M Nair > Attachments: HIVE-13418.1.patch > > > Apache Knox acts as a proxy for requests coming from the end users. In these > cases, the IP address that HiveServer2 passes to the authorization/audit > plugins via the HiveAuthzContext object only the IP address of the proxy, and > not the end user. > For auditing purposes, the IP address of the end user and any proxies in > between are useful. > HiveServer2 should pass the information from 'X-Forwarded-Host' header to > the HiveAuthorizer plugins. -- This message was sent by Atlassian JIRA (v6.3.4#6332)