[ https://issues.apache.org/jira/browse/HIVE-17187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16103740#comment-16103740 ]
Eric Yang commented on HIVE-17187:
----------------------------------

See [the blog|https://developer.ibm.com/hadoop/2016/05/12/hbase-rest-gateway-security/] written by IBM about SPNEGO for HBase REST API. This is a good source for implementing SPNEGO properly, with doAs calls made with the service principal instead of a proxy user with the SPNEGO credential.

> WebHCat SPNEGO support is incompleted
> -------------------------------------
>
>                 Key: HIVE-17187
>                 URL: https://issues.apache.org/jira/browse/HIVE-17187
>             Project: Hive
>          Issue Type: Bug
>          Components: WebHCat
>    Affects Versions: 1.2.1
>            Reporter: Eric Yang
>
> [Some online
> document|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/spnego_setup_for_webhcat.html]
> describes how to set up WebHCat with SPNEGO support. However, there could be
> multiple services using SPNEGO on the same host. For example, HBase REST API
> can also be set up to use the HTTP principal for SPNEGO support. When the HTTP
> principal is shared among other services, Hadoop proxy user settings cannot
> identify whether a doAs call with the HTTP principal is invoked by HBase REST
> API or WebHCat. Ideally, WebHCat should keep track of its own service
> principal independent of the SPNEGO principal to ensure that the SPNEGO
> principal is only given authentication access. The SPNEGO principal should not
> be used in proxy user settings to grant authorization access.
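Added example (not part of the JIRA message and not Hive or Hadoop code): a small audit that reads a core-site.xml and reports proxy-user grants attached to the shared SPNEGO principal, which is the configuration the issue warns about. It assumes the SPNEGO principal maps to the short name "HTTP"; the "hcat" user, the host names and the sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (not taken from the issue).
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.HTTP.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.HTTP.groups</name><value>users</value></property>
  <property><name>hadoop.proxyuser.hcat.hosts</name><value>webhcat01.example.com</value></property>
  <property><name>hadoop.proxyuser.hcat.groups</name><value>*</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com:8020</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
GRANT_KINDS = ("hosts", "groups", "users")


def audit_proxyusers(xml_text, spnego_short_name="HTTP"):
    """Return (property, value, reason) tuples for risky proxy-user grants.

    spnego_short_name is the short name the SPNEGO principal maps to
    (assumed to be "HTTP" here; adjust to the cluster's auth_to_local rules).
    """
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # Property shape: hadoop.proxyuser.<user>.<hosts|groups|users>
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if kind not in GRANT_KINDS:
            continue
        if user == spnego_short_name:
            # Any service holding the shared HTTP keytab inherits this grant,
            # so the NameNode cannot tell which service issued the doAs.
            findings.append((name, value, "grant on shared SPNEGO principal"))
        elif value == "*":
            findings.append((name, value, "wildcard grant"))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit_proxyusers(SAMPLE_CORE_SITE):
        print(f"{name} = {value!r}: {reason}")
```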