[Zeppelin 2367] Hive JDBC proxy user option should be available even without kerberos #2229
Conversation
prabhjyotsingh
changed the title
|
Tested. LGTM. |
docs/interpreter/hive.md
Outdated
| ``` | ||
|
|
||
| ### Impersonation | ||
| When Zeppelin server is running with authentication enabled, then this interpreter utilizes Hive's user proxy feature i.e. sends extra parameter for creating and running a session ("hive.server2.proxy.user=": "${loggedInUser}"). This is particularly useful when multi users are sharing a Notebook server. |
There was a problem hiding this comment.
multi users -> multiple users?
There was a problem hiding this comment.
does this affect resource allocation, such as each user could be on different YARN queue and so on?
There was a problem hiding this comment.
Yes, that could happen, but it was never documented, hence thought to document it here.
| } | ||
|
|
||
| private void checkAndAppendHiveProxyUser(StringBuilder connectionUrl, String user) { | ||
| if (connectionUrl.toString().trim().startsWith("jdbc:hive")) { |
There was a problem hiding this comment.
hmm.. is this the right approach and abstraction, to have specialize type in a general JDBC interpreter?
There was a problem hiding this comment.
I thought about other approaches, like using propertyKey, but even in that case name could be anything including default.
|
|
||
| if (user != null && !user.equals("anonymous") && | ||
| !"false".equalsIgnoreCase(property.getProperty("hive.proxy.user"))) { | ||
| logger.debug("Using hive proxy user"); |
There was a problem hiding this comment.
logger.info?
also, log the user value?
docs/interpreter/hive.md
Outdated
| <td></td> | ||
| <td><b>( Optional ) </b>Other properties used by the driver of <code>%hive(${prefix})</code> </td> | ||
| </tr> | ||
| <tr> |
There was a problem hiding this comment.
@prabhjyotsingh Hive docs is deprecated: https://github.com/apache/zeppelin/blob/master/docs/interpreter/hive.md#important-notice
So it'll be better to add this info to https://github.com/apache/zeppelin/blob/master/docs/interpreter/jdbc.md#apache-hive instead.
There was a problem hiding this comment.
Sure, then I'll revert my changes from this file, and apply it on jdbc.md
docs/interpreter/hive.md
Outdated
| <tr> | ||
| <td>hive.proxy.user</td> | ||
| <td>true</td> | ||
| <td><b>( Optional ) </b>If want to use `hive.server2.proxy.user`</td> |
There was a problem hiding this comment.
These back quoters won't work properly in <table> tag. So please use <code> tag like this:
<code>hive.server2.proxy.user</code>
There was a problem hiding this comment.
Thank you @AhyoungRyu , have taken care of this in jdbc.md.
|
@AhyoungRyu @felixcheung thank you for the review, have made the suggested changes. |
|
@AhyoungRyu, @felixcheung ping |
|
Merging this to master and branch-0.7 if no more discussion. |
|
From my earlier comment, I'm interested in others thought on having very Hive specific logic in the generic JDBC interpreter?
https://github.com/apache/zeppelin/pull/2229/files#r110512765
|
|
Yes, I thought of few options but this was bit convenient. Any suggestions? |
# Conflicts: # jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
|
@felixcheung any specific change that you are looking for? |
|
Perhaps generalize this to something non-Hive specific? Like a property for userStringToAppend? Add user to JDBC URL should be common place - seems like in this case we just like a way to change the name and value of the property to add on the JDBC URL.
|
|
Sure, got it, have renamed it to |
|
actually, I wasn't referring to the function name at all. instead of having this fairly hive specific, how about a function like this to take the user name property name and value |
prabhjyotsingh
force-pushed
the
ZEPPELIN-2367
branch
from
c0fd7d4 to
513987a
Compare
|
@felixcheung Sure what you have recommended does make a lot of sense, have implemented what you have suggested. |
felixcheung
left a comment
felixcheung
left a comment
There was a problem hiding this comment.
looks reasonable. why is zeppelin.jdbc.auth.kerberos.proxy.enable removed?
also is there a way not to hardcode hive jdbc here
| StringBuilder stringBuilder = new StringBuilder(); | ||
| stringBuilder.append(e.getMessage()).append("\n"); | ||
| stringBuilder.append(e.getCause()); | ||
| throw new InterpreterException(stringBuilder.toString()); |
There was a problem hiding this comment.
why not just include e as inner exception like InterpreterException(message, e)?
There was a problem hiding this comment.
Sure just did it, thank you for the hint.
prabhjyotsingh
force-pushed
the
ZEPPELIN-2367
branch
from
962e610 to
a348e96
Compare
My bad, while fixing the above issues, I thought this is redundant, but I forgot about the case where KERBEROS is enabled and the user does not want to use proxy behavior. Have reverted that change.
Hive doesn't work with this (UserGroupInformation.createProxyUser), and since we allow user to configure multiple JDBC sources using the same interpreter setting; there can be a case where user has configured say Phoenix (requires UserGroupInformation.createProxyUser to proxy user) and Hive (fails if UserGroupInformation.createProxyUser is used), we could introduce new parameter like |
|
@felixcheung have removed hard coded string "hive" as well. CI fails for; not relavent for this change. |
|
@felixcheung ping |
felixcheung
left a comment
felixcheung
left a comment
There was a problem hiding this comment.
I like it! a few questions
docs/interpreter/jdbc.md
Outdated
| </tr> | ||
| </table> | ||
|
|
||
| Connection to Hive JDBC with a proxy user can be disabled with `hive.proxy.user` property (set to true by default) |
There was a problem hiding this comment.
is hive.proxy.user removed then? do we need to doc to explain the migration?
also you have this line here still with hive.proxy.user property (set to true by default)
There was a problem hiding this comment.
I guess the preference would be to have a way to migrate existing users and config by having it automatically converted, add a log warning etc.
but it's your call in the specific case
There was a problem hiding this comment.
What I meant in above line was the key is default.proxy.user.property with an example value hive.server2.proxy.user; fair point, let me tweak this documentation.
Yes, adding a log (logger.warn) does make sense, let me do it right away.
There was a problem hiding this comment.
I was looking at http://zeppelin.apache.org/docs/0.7.1/interpreter/jdbc.html#apache-hive, hive.proxy.user hasn't made it to the doc section, so I think in this case no need to add migration steps. However, I have added logger.warn as well.
| } | ||
| logger.debug("JDBC PropretiesMap: {}", basePropretiesMap); | ||
|
|
||
| if (!isEmpty(property.getProperty("zeppelin.jdbc.auth.type"))) { |
There was a problem hiding this comment.
this is also removed? zeppelin.jdbc.auth.type?
There was a problem hiding this comment.
JDBCSecurityImpl.createSecureConfiguration call is moved to line#358 (https://github.com/apache/zeppelin/pull/2229/files/9fee9d2a9e476769b5d28a50d17f3a7ad38fc453#diff-ecdae8ee9594a5c4b21a3c217a3f130cR358). Instead of making this object JDBCSecurityImpl.getAuthtype(property) every time on open() do it only if required.
There was a problem hiding this comment.
Since it's just a removal of extra call, so no doc change required.
docs/interpreter/jdbc.md
Outdated
|
|
||
| To enable this set following: | ||
| - `zeppelin.jdbc.auth.type` as `SIMPLE` or `KERBEROS` (if required) in the interpreter setting. | ||
| - `default.proxy.user.property` as `hive.server2.proxy.user` |
There was a problem hiding this comment.
should we clarify, default here could also be the name of the hive interpreter instance like hive.proxy.user.property?
There was a problem hiding this comment.
Sure, let me change this to {propertyKey}.proxy.user.property and post a sample configuration.
There was a problem hiding this comment.
Thank you for reviewing this. Have handled your review comments.
|
@felixcheung Have handled your review comments. Let me know if I missed any. |
|
Thank you @felixcheung. Will merge this to master. |
### What is this PR for? Fix JDBC doc after #2229. ### What type of PR is it? [Bug Fix] ### Screenshots (if appropriate) ### Questions: * Does the licenses files need update? * Is there breaking changes for older versions? * Does this needs documentation? Author: Prabhjyot Singh <[email protected]> Closes #2314 from prabhjyotsingh/minor/jdbc-doc-zeppelin-2367 and squashes the following commits: e54a3a2 [Prabhjyot Singh] @AhyoungRyu review comments 0f396ac [Prabhjyot Singh] fix doc for zeppelin-2367
### What is this PR for? Fix JDBC doc after apache#2229. ### What type of PR is it? [Bug Fix] ### Screenshots (if appropriate) ### Questions: * Does the licenses files need update? * Is there breaking changes for older versions? * Does this needs documentation? Author: Prabhjyot Singh <[email protected]> Closes apache#2314 from prabhjyotsingh/minor/jdbc-doc-zeppelin-2367 and squashes the following commits: e54a3a2 [Prabhjyot Singh] @AhyoungRyu review comments 0f396ac [Prabhjyot Singh] fix doc for zeppelin-2367
…without kerberos ### What is this PR for? Hive JDBC proxy user option should be available generically. ### What type of PR is it? [Improvement] ### What is the Jira issue? * [Zeppelin 2367](https://issues.apache.org/jira/browse/ZEPPELIN-2367) ### How should this be tested? Enable Shiro authentication and set `zeppelin.jdbc.auth.type` as `SIMPLE` in the interpreter setting, and observe the connection string for the Hive. ### Screenshots (if appropriate) ### Questions: * Does the licenses files need an update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? Yes Author: Prabhjyot Singh <[email protected]> Closes apache#2229 from prabhjyotsingh/ZEPPELIN-2367 and squashes the following commits: 84b5e55 [Prabhjyot Singh] add logger.warn for hive and impersonation 45c90a8 [Prabhjyot Singh] improve doc 9fee9d2 [Prabhjyot Singh] replace hive with generic method a348e96 [Prabhjyot Singh] revert "zeppelin.jdbc.auth.kerberos.proxy.enable" behaviour e2bdbb2 [Prabhjyot Singh] include e as inner exception c180f5c [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-2367 1802b45 [Prabhjyot Singh] remove hive string from logger 513987a [Prabhjyot Singh] apply genric logic to appendProxyUserToURL 3fa2b1e [Prabhjyot Singh] change name to appendProxyUserToURL a751674 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-2367 4c382ee [Prabhjyot Singh] log user details as well d51e770 [Prabhjyot Singh] add doc in jdbc.md 01b18b9 [Prabhjyot Singh] add doc (reverted from commit ee8a6b5) 40489c8 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-2367 ee8a6b5 [Prabhjyot Singh] add doc 8999d93 [Prabhjyot Singh] ZEPPELIN-2367: Hive JDBC proxy user option should be avail even without kerberos
…without kerberos ### What is this PR for? Hive JDBC proxy user option should be available generically. ### What type of PR is it? [Improvement] ### What is the Jira issue? * [Zeppelin 2367](https://issues.apache.org/jira/browse/ZEPPELIN-2367) ### How should this be tested? Enable Shiro authentication and set `zeppelin.jdbc.auth.type` as `SIMPLE` in the interpreter setting, and observe the connection string for the Hive. ### Screenshots (if appropriate) ### Questions: * Does the licenses files need an update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? Yes Author: Prabhjyot Singh <[email protected]> Closes apache#2229 from prabhjyotsingh/ZEPPELIN-2367 and squashes the following commits: 84b5e55 [Prabhjyot Singh] add logger.warn for hive and impersonation 45c90a8 [Prabhjyot Singh] improve doc 9fee9d2 [Prabhjyot Singh] replace hive with generic method a348e96 [Prabhjyot Singh] revert "zeppelin.jdbc.auth.kerberos.proxy.enable" behaviour e2bdbb2 [Prabhjyot Singh] include e as inner exception c180f5c [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-2367 1802b45 [Prabhjyot Singh] remove hive string from logger 513987a [Prabhjyot Singh] apply genric logic to appendProxyUserToURL 3fa2b1e [Prabhjyot Singh] change name to appendProxyUserToURL a751674 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-2367 4c382ee [Prabhjyot Singh] log user details as well d51e770 [Prabhjyot Singh] add doc in jdbc.md 01b18b9 [Prabhjyot Singh] add doc (reverted from commit ee8a6b5) 40489c8 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-2367 ee8a6b5 [Prabhjyot Singh] add doc 8999d93 [Prabhjyot Singh] ZEPPELIN-2367: Hive JDBC proxy user option should be avail even without kerberos
4 participants
What is this PR for?
Hive JDBC proxy user option should be available generically.
What type of PR is it?
[Improvement]
What is the Jira issue?
How should this be tested?
Enable Shiro authentication and set
zeppelin.jdbc.auth.typeasSIMPLEin the interpreter setting, and observe the connection string for the Hive.Screenshots (if appropriate)
Questions: