IBM Data and AI Ideas Portal for Customers




Status: Future consideration
Workspace: Information Server
Created by: Guest
Created on: Feb 3, 2017

Support Secure Impersonation for DataStage Big Integrate JDBC Hive connection

We are using the JAAS configuration file (JDBCDriverLogin.conf) to implement the Kerberos authentication mechanism. In our original beta testing with PX on Hadoop, we found that DataStage assumed that the Hive SPN and cache would be used for authentication. Since this is not the case at Aetna, we implemented the following solution.

Configured the DataStage admin ID/cache to form the JDBC connection to Hive. This worked great during our infrastructure testing when running as the DataStage admin ID, but now that we are running with multiple users, we realize that the DataStage admin will need to be added to all of the various groups the applications will want to access, which is not a workable solution.

Our JAAS Configuration is as follows:
JDBC_DRIVER_01 {
    com.ibm.security.auth.module.Krb5LoginModule required
    credsType=both
    principal="S032593@AETH.AETNA.COM"
    useKeytab="FILE:/InformationServer/Server/DSEngine/JDBCcache/BIJDBC.keytab"
    debug=true;
};

Rather than granting the DS Admin ID access to all the various application groups (which will be sizable), our Hadoop engineering team suggested using secure impersonation to allow the service to act as the logged-in user to access data.

Our Hadoop engineering team provided the following info. The first 2 links give context, and the last one is probably most relevant to this situation.

https://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html

https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html

https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-Multi-UserScenariosandProgrammaticLogintoKerberosKDC


In the meantime, we have implemented the usage of multiple stanzas in the JAAS configuration, one for each user. This is a manual and potentially error-prone process, as users would need to be added and removed. We can implement this solution for the short term, but request secure impersonation support as the strategic solution as we prepare to implement and significantly scale up usage of Big Integrate here at Aetna.
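
The Hadoop proxy-user settings described in the linked Superusers document decide which service account may impersonate which users, and from which hosts. The following Python check is an added example, not part of the original request and not IBM or Aetna code; it flags wildcard impersonation grants in a core-site.xml. The account names, hosts and groups in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (not from the page). "svc_datastage" and
# "svc_legacy" are hypothetical service accounts; hosts and groups are made up.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.svc_datastage.hosts</name>
            <value>ds-engine01.example.com</value></property>
  <property><name>hadoop.proxyuser.svc_datastage.groups</name>
            <value>claims_etl, finance_etl</value></property>
  <property><name>hadoop.proxyuser.svc_legacy.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.svc_legacy.groups</name><value>*</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("hosts", "groups", "users")  # suffixes defined by Hadoop for proxy users


def parse_proxyusers(xml_text):
    """Return {superuser: {scope: [values]}} for hadoop.proxyuser.* properties."""
    grants = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # rpartition keeps account names that themselves contain dots intact.
        superuser, _, scope = name[len(PREFIX):].rpartition(".")
        if superuser and scope in SCOPES:
            grants.setdefault(superuser, {})[scope] = [
                v.strip() for v in value.split(",") if v.strip()]
    return grants


def wildcard_grants(grants):
    """Return sorted (superuser, scope) pairs whose value list contains '*'."""
    return sorted((user, scope)
                  for user, scopes in grants.items()
                  for scope, values in scopes.items()
                  if "*" in values)


if __name__ == "__main__":
    for user, scope in wildcard_grants(parse_proxyusers(SAMPLE_CORE_SITE)):
        print(f"{user}: '{scope}' is a wildcard; scope it to named {scope}")
```

A service account that may impersonate any user from any host is equivalent to the broad group membership the request is trying to avoid, so the scoped form (named hosts and groups) is the one to aim for.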