Reply To: Authorization header in knox

I have made progress, and think I see the issue. To be clear, the actual issue is the following…

Caused by: org.apache.thrift.protocol.TProtocolException: Required field 'sessionHandle' is unset! Struct:TCloseSessionReq(sessionHandle:null)

I added debug code to the HiveConnection class…

  private TTransport createHttpTransport() throws SQLException, TTransportException {
    DefaultHttpClient httpClient;
    boolean useSsl = isSslConnection();
    // Create an http client from the configs
    httpClient = getHttpClient(useSsl);
    try {
      transport = new THttpClient(getServerHttpUrl(useSsl), httpClient);
      // We'll call an open/close here to send a test HTTP message to the server. Any
      // TTransportException caused by trying to connect to a non-available peer are thrown here.
      // Bubbling them up the call hierarchy so that a retry can happen in openTransport,
      // if dynamic service discovery is configured.
      TCLIService.Iface client = new TCLIService.Client(new TBinaryProtocol(transport));
      TOpenSessionResp openResp = client.OpenSession(new TOpenSessionReq());
      System.out.println(openResp.toString());
      if (openResp != null) {
        System.out.println("session handle = " + openResp.getSessionHandle());
        client.CloseSession(new TCloseSessionReq(openResp.getSessionHandle()));
        System.out.println("closed session");
      }
    }
    catch (TException e) {
      String msg =  "Could not create http connection to " +
          jdbcUriString + ". " + e.getMessage();
      throw new TTransportException(msg, e);
    }
    return transport;
  }

…and found the issue is the following…

TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, infoMessages:[*org.apache.hadoop.security.authorize.AuthorizationException:User: knox is not allowed to impersonate guest:0:-1], errorMessage:User: knox is not allowed to impersonate guest), serverProtocolVersion:HIVE_CLI_SERVICE_PROTOCOL_V6)

As such, the TOpenSessionResp instance is not null, but the session handle is, most likely due to the inability of the knox OS user to impersonate the guest user in the test LDAP configuration.

We have hive.server2.enable.impersonation and hive.server2.enable.doAs set to true.