Re: Review Request 12824: [HIVE-4911] Enable QOP configuration for Hive Server 2 thrift transport

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12824/#review23711
-----------------------------------------------------------

data/conf/hive-site.xml
<https://reviews.apache.org/r/12824/#comment47589>

    This change should go into conf/hive-default.xml.template.
    data/conf/hive-site.xml is meant to be used for overriding config parameters for the tests. In this case, as the default value is being used, this file does not need changing.
    

jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/12824/#comment47597>

    The HIVE_AUTH_TYPE env variable is called "auth".
    Should we use something more descriptive like "sasl.qop" as the variable that sets the QOP level?
    

jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
<https://reviews.apache.org/r/12824/#comment47590>

    It is a good general practice to chain the exceptions.
    -
    throw new SQLException("Invalid " + HIVE_AUTH_TYPE + " parameter. " + e.getMessage(), "42000", e);
    

service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java
<https://reviews.apache.org/r/12824/#comment47596>

    I think hadoop.rpc.protection being set to a higher level than hive.server2.thrift.rpc.protection does not make sense in most situations (you would want to have more security in the transport that is likely to be more unsecure. The HS2 -> client transport could be over a corporate wide wi-fi network).
    
    Should we warn if such a configuration is seen?

shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java
<https://reviews.apache.org/r/12824/#comment47595>

    This function is called from hive metastore client. Using SaslRpcServer.SASL_PROPS here means that setting hadoop.rpc.protection will determine the QOP level, if we make a call to SaslRpcServer.init(conf) from anywhere in the code. But that function is not being called.
    
    I think it makes sense to use hadoop.rpc.protection for metastore QOP, since metastore is usually not exposed 'outside' the cluster unlike hive server2. It is often viewed as something 'inside the cluster'.
    
    Should we change this function to take in a configuration object and use that to call SaslRpcServer.init(conf)?

- Thejas Nair

On July 22, 2013, 8:56 p.m., Arup Malakar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/12824/
> -----------------------------------------------------------
>
> (Updated July 22, 2013, 8:56 p.m.)
>
>
> Review request for hive.
>
>
> Bugs: HIVE-4911
>     https://issues.apache.org/jira/browse/HIVE-4911
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.rpc.protection". This would give greater control configuring hive server 2 service.
>
>
> Diffs
> -----
>
>   common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 11c31216495d0c4e454f2627af5c93a9f270b1fe
>   data/conf/hive-site.xml 4e6ff16135833da1a4df12a12a6fe59ad4f870ba
>   jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 00f43511b478c687b7811fc8ad66af2b507a3626
>   service/src/java/org/apache/hive/service/auth/HiveAuthFactory.java 1809e1b26ceee5de14a354a0e499aa8c0ab793bf
>   service/src/java/org/apache/hive/service/auth/KerberosSaslHelper.java 379dafb8377aed55e74f0ae18407996bb9e1216f
>   service/src/java/org/apache/hive/service/auth/SaslQOP.java PRE-CREATION
>   shims/src/common-secure/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge20S.java 777226f8da0af2235d4294cd6a676fa8192c89e4
>   shims/src/common/java/org/apache/hadoop/hive/thrift/HadoopThriftAuthBridge.java 9b0ec0a75563b41339e6fc747556440fdf83e31e
>
> Diff: https://reviews.apache.org/r/12824/diff/
>
>
> Testing
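
The configuration warning raised in the HiveAuthFactory.java comment above, sketched as an added example that is not part of the review thread or of the Hive patch. It assumes both settings accept Hadoop's `authentication` / `integrity` / `privacy` values and default to `authentication`; the class and method names are hypothetical.

```java
import java.util.Locale;
import java.util.Map;

public class QopConfigCheck {
    // Protection levels in increasing strength, each with the SASL QOP token it maps to.
    enum Level {
        AUTHENTICATION("auth"), INTEGRITY("auth-int"), PRIVACY("auth-conf");

        final String saslQop;

        Level(String saslQop) { this.saslQop = saslQop; }

        // Hypothetical helper: parse a configured value, chaining the cause on failure.
        static Level parse(String key, String value) {
            try {
                return valueOf(value.trim().toUpperCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException("Invalid " + key + " value: " + value, e);
            }
        }
    }

    static final String HADOOP_KEY = "hadoop.rpc.protection";
    static final String HS2_KEY = "hive.server2.thrift.rpc.protection";

    /** Returns a warning string when the in-cluster RPC level exceeds the HS2 -> client level, else null. */
    static String check(Map<String, String> conf) {
        // Assumption: both keys default to "authentication" when unset.
        Level hadoop = Level.parse(HADOOP_KEY, conf.getOrDefault(HADOOP_KEY, "authentication"));
        Level hs2 = Level.parse(HS2_KEY, conf.getOrDefault(HS2_KEY, "authentication"));
        if (hadoop.compareTo(hs2) > 0) { // enum order is the strength order
            return "WARN: " + HADOOP_KEY + " (" + hadoop.saslQop + ") is set higher than "
                    + HS2_KEY + " (" + hs2.saslQop + ")";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample configurations, not taken from the patch.
        System.out.println(check(Map.of(HADOOP_KEY, "privacy", HS2_KEY, "authentication")));
        System.out.println(check(Map.of(HADOOP_KEY, "integrity", HS2_KEY, "privacy")));
        try {
            check(Map.of(HS2_KEY, "encrypted")); // unknown level
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage() + " (cause: " + e.getCause().getClass().getSimpleName() + ")");
        }
    }
}
```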