Re: hiveserver2 with OpenLDAP ?
Hi Mikhail

Good news! I deleted the current user, which used "dn: cn=", and re-created it using "dn: uid=", and it looks like it works. So that's an option 3 as well.

Nevertheless, for academic reasons I am going to give your option 2 a try and report back what I find.

Thanks again

Regards

sanjay

CONFIDENTIALITY NOTICE
==
This email message and any attachments are for the exclusive use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message along with any attachments, from your computer system. If you are the intended recipient, please be advised that the content of this message is subject to access, review and disclosure by the sender's Email System Administrator.
Re: hiveserver2 with OpenLDAP ?
Awesome Mikhail, I love option 2. I am going to do that and let you know.

Thanks so much for your guidance

Regards

sanjay
Re: hiveserver2 with OpenLDAP ?
You don't need to rebuild Hive, no. I see 2 solutions for that:

1) modify your LDAP data schema so it accepts the uid attribute instead of cn (and actually I think it should be working, as after all there can't be such an obvious bug in Hive...), so probably whoever tested that provider was using a different LDAP schema than what we have

2) write your own class similar to the one mentioned, and point Hive to that in hive-site.xml: set hive.server2.authentication=CUSTOM and provide the full class name of your class (and make sure it's on the classpath, of course).

I prefer the second way. Hope it helps. Let me know if it worked for you.

*General question to folks* - am I missing something, or is there really a bug in the LDAP authenticator which doesn't allow precise configuration of the bind string?

Mikhail

2013/8/23 Sanjay Subramanian
> Thanks a lot Mikhail for getting back.
>
> That means I cannot use this using beeline unless I change the code and
> build hive again ?
--
Thanks,
Michael Antonov
Re: hiveserver2 with OpenLDAP ?
Thanks a lot Mikhail for getting back.

That means I cannot use this using beeline unless I change the code and build hive again ?

Thanks

sanjay
Re: hiveserver2 with OpenLDAP ?
To validate what I said, run hiveserver2 in debug mode, put a breakpoint in this class, authenticate method, and see if the exception is being thrown.
--
Thanks,
Michael Antonov
Re: hiveserver2 with OpenLDAP ?
I see the same behavior and here's the reason.

LdapAuthenticationProviderImpl - that's the one responsible for LDAP authentication in Hive. Look at this class. It has this snippet (CDH 4.2.1, hive 0.10):

    // setup the security principal
    String bindDN;
    if (baseDN != null) {
      bindDN = "uid=" + user + "," + baseDN;
    } else {
      bindDN = user;
    }

And according to Cloudera documentation, you're supposed to set the baseDN param for OpenLDAP, but not for AD. So when this baseDN isn't present, Hive takes the username as it is (say user1) and tries to bind to the ldap server, which works.

When you set this baseDN, it constructs the bind string as uid=user1,dc=wizetest,dc=com. But most likely, your open ldap expects it to be rather cn=user1,dc=wizetest,dc=com, uid attribute isn't being used.

I think the way to go is to provide your own LDAP authenticator, which has more control on how to generate the LDAP bind string.

Mikhail

2013/8/23 Sanjay Subramanian
> Hi guys
>
> I tested hiveserver2 with Active directory - It works
> With Open LDAP it does not
>
> Is there any specific syntax for specifying the LDAP url or baseDN ?
>
>     <property>
>       <name>hive.server2.authentication.ldap.url</name>
>       <value>ldap://myserver.corp.nextag.com:389</value>
>     </property>
>
>     <property>
>       <name>hive.server2.authentication.ldap.baseDN</name>
>       <value>dc=wizetest,dc=com</value>
>     </property>
>
> Beeline keeps giving error
>
>     jdbc:hive2://dev-thdp5:1> !connect jdbc:hive2://dev-thdp5:1 hiveuser1 org.apache.hive.jdbc.HiveDriver
>     Connecting to jdbc:hive2://dev-thdp5:1
>     Error: Could not establish connection to jdbc:hive2://dev-thdp5:1: Peer indicated failure: Error validating the login (state=08S01,code=0)
>
> Any clues ?
>
> Thanks
>
> sanjay
--
Thanks,
Michael Antonov
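Mikhail's explanation above of how LdapAuthenticationProviderImpl builds the bind DN, and his option 2 earlier in the thread (a custom class selected with hive.server2.authentication=CUSTOM), are the two things a practitioner would want to see worked through. The class below is an added example written for this page; it is not Hive's code and not something either poster wrote. It assumes Hive's PasswdAuthenticationProvider interface (org.apache.hive.service.auth, method Authenticate(String, String)), the standard hive.server2.custom.authentication.class property for naming the class, and a property name of this example's own, example.ldap.bindDNPattern, for the DN pattern; the package and class names are likewise hypothetical. Two choices go beyond what the thread discusses: user names are restricted to a safe character set before being spliced into a DN, so a login such as user1,ou=admins cannot change which entry is bound, and empty passwords are rejected before the bind, because RFC 4513 section 5.1.2 lets a directory treat a DN with an empty password as an unauthenticated (anonymous) bind and report success.

```java
package com.example.hive.auth; // hypothetical package, not part of Hive

import java.util.Hashtable;
import java.util.regex.Pattern;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.AuthenticationException;

import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;

/**
 * HiveServer2 password authenticator (hive.server2.authentication=CUSTOM) that
 * builds the LDAP bind DN from a configurable pattern instead of the
 * hard-coded "uid=" + user + "," + baseDN of LdapAuthenticationProviderImpl.
 *
 * hive-site.xml (example.ldap.bindDNPattern is this example's own property name):
 *   hive.server2.authentication              CUSTOM
 *   hive.server2.custom.authentication.class com.example.hive.auth.PatternLdapAuthenticator
 *   hive.server2.authentication.ldap.url     ldap://myserver.corp.nextag.com:389
 *   example.ldap.bindDNPattern               cn=%s,dc=wizetest,dc=com
 */
public class PatternLdapAuthenticator implements PasswdAuthenticationProvider {

  /** Assumed property name; %s in its value is replaced by the validated user name. */
  static final String PATTERN_KEY = "example.ldap.bindDNPattern";

  /** Only these characters may appear in a user name that gets spliced into a DN. */
  private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9._-]{1,64}");

  private final String ldapUrl;
  private final String bindDnPattern;

  /** Hive instantiates the class reflectively, so keep a public no-arg constructor. */
  public PatternLdapAuthenticator() {
    HiveConf conf = new HiveConf(); // loads hive-site.xml
    ldapUrl = conf.get("hive.server2.authentication.ldap.url");
    String baseDn = conf.get("hive.server2.authentication.ldap.baseDN");
    // Without a pattern, fall back to the stock behaviour: uid=<user>,<baseDN> or the bare user name.
    bindDnPattern = conf.get(PATTERN_KEY, baseDn == null ? "%s" : "uid=%s," + baseDn);
  }

  /** Constructor for tests and standalone use; no hive-site.xml needed. */
  PatternLdapAuthenticator(String ldapUrl, String bindDnPattern) {
    this.ldapUrl = ldapUrl;
    this.bindDnPattern = bindDnPattern;
  }

  /**
   * Validates the user name and substitutes it into the pattern. Rejecting DN
   * metacharacters (",", "=", "+", "\", ...) means the login name can only select
   * the RDN value and can never append or alter other RDNs in the DN.
   */
  static String buildBindDn(String pattern, String user) throws AuthenticationException {
    if (user == null || !SAFE_USER.matcher(user).matches()) {
      throw new AuthenticationException("user name contains characters not allowed in a bind DN");
    }
    return String.format(pattern, user);
  }

  @Override
  public void Authenticate(String user, String password) throws AuthenticationException {
    // RFC 4513 s.5.1.2: a DN with an empty password is an "unauthenticated" bind,
    // which some directories accept as anonymous and report as success.
    if (password == null || password.isEmpty()) {
      throw new AuthenticationException("empty password rejected");
    }
    String bindDn = buildBindDn(bindDnPattern, user);

    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapUrl);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, password);

    DirContext ctx = null;
    try {
      ctx = new InitialDirContext(env); // the simple bind happens here
    } catch (NamingException e) {
      // Same generic message whether the DN is unknown or the password is wrong.
      throw new AuthenticationException("LDAP bind failed for user " + user);
    } finally {
      if (ctx != null) {
        try { ctx.close(); } catch (NamingException ignored) { }
      }
    }
  }

  /** Exercises only the DN construction; the bind above needs a live directory. */
  public static void main(String[] args) throws AuthenticationException {
    String pattern = "cn=%s,dc=wizetest,dc=com";
    System.out.println(buildBindDn(pattern, "hiveuser1"));
    try {
      buildBindDn(pattern, "hiveuser1,ou=admins");
    } catch (AuthenticationException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Compile it against the HiveServer2 jars, put the resulting jar on HiveServer2's classpath and restart the service. Before wiring it in, confirm which DN form the directory actually accepts, independently of Hive, with ldapwhoami -x -H ldap://myserver.corp.nextag.com:389 -D "cn=hiveuser1,dc=wizetest,dc=com" -W (and the uid= form for comparison): if a bind fails there, no authenticator setting will make it succeed inside Hive, and the "Error validating the login" seen from beeline is exactly the NamingException path above. The main method runs without a directory and only shows the DN construction and the rejection of a DN-altering user name.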