HIVE-28457: HS2 WEBUI: LDAP authorization
What changes were proposed in this pull request?
Added LDAP authentication for HS2 WebUI. When enabled via HiveConf and a user attempts to access HS2 WebUI pages, the user will be redirected to a new Login page to enter his LDAP username and password. After that, the user's credentials are authenticated with the LDAP provider. If successful, a signed cookie will be added to the HTTP session for further user interaction with the server. If unsuccessful, the user will be redirected again to the Login page.
Why are the changes needed?
To add an authentication mechanism to the WebUI.
Does this PR introduce any user-facing change?
Yes
Is the change a dependency upgrade?
No
How was this patch tested?
New JUnit integration tests were developed as part of this PR. Also manually tested accessing WebUI on a downstream Hive version in the cloud with LDAP authentication.
There are several SonarQube warnings in ThriftHttpServlet.java, but they are not new. I extracted some code into a separate class without changing functionality.
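The signed-cookie step described in the pull request, as an added illustration that is not code from this PR or from Hive: a hypothetical `SignedCookieDemo` class issues an HMAC-SHA256 signed cookie value once the LDAP check has succeeded, and rejects tampered or expired values so the caller can redirect to the Login page. The class name, the `user|expiry` cookie layout, the ten-minute lifetime and the sample user names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Hypothetical helper, not Hive's implementation. Cookie value = base64url(user|expiry) "." base64url(HMAC).
public class SignedCookieDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final SecretKeySpec key;
    SignedCookieDemo(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    // Call only after the LDAP provider has accepted the user's credentials.
    String issue(String user, long expiresAtMillis) throws Exception {
        String payload = B64.encodeToString((user + "|" + expiresAtMillis).getBytes(StandardCharsets.UTF_8));
        return payload + "." + B64.encodeToString(mac(payload));
    }
    // Returns the user name, or null when the request must go back to the Login page.
    String verify(String cookie, long nowMillis) {
        try {
            int dot = cookie.indexOf('.');
            if (dot <= 0) return null;
            String payload = cookie.substring(0, dot);
            byte[] sig = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
            if (!MessageDigest.isEqual(sig, mac(payload))) return null; // constant-time comparison
            String body = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
            int sep = body.lastIndexOf('|');
            if (sep < 0 || Long.parseLong(body.substring(sep + 1)) <= nowMillis) return null;
            return body.substring(0, sep);
        } catch (Exception e) {
            return null; // missing or malformed cookie: treat as unauthenticated
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // server-side secret, never sent to the browser
        SignedCookieDemo signer = new SignedCookieDemo(secret);
        long now = System.currentTimeMillis(), exp = now + 600_000;
        String cookie = signer.issue("alice", exp); // constructed sample user
        // Payload swapped for another user while the original signature is kept.
        String forged = B64.encodeToString(("admin|" + exp).getBytes(StandardCharsets.UTF_8)) + cookie.substring(cookie.indexOf('.'));
        System.out.println("valid cookie   -> " + signer.verify(cookie, now));
        System.out.println("forged payload -> " + signer.verify(forged, now));
        System.out.println("after expiry   -> " + signer.verify(cookie, exp + 1));
    }
}
```

The signature protects integrity only; the cookie itself should still be sent with the `HttpOnly` and `Secure` attributes.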
@difin: the overall design looks good to me, left some code comments. Do you have screenshots of the login page or the process by any chance?
Hi @abstractdog, Thanks for the review! Here are screenshots of:
- login page
- An attempt to log in with empty creds
- Before submitting good creds.
- After login.
thanks a lot for addressing comments and screenshots @difin, only a minor nit regarding formatting, other than that it's +1
Thanks a lot for the review and +1, @abstractdog! I handled the comment regarding the formatting. I also added one more comment about ignoring an exception in ThriftHttpServlet: https://github.com/apache/hive/pull/5399#discussion_r1747272788
Quality Gate passed
Issues
24 New issues
0 Accepted issues
Measures
2 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code