HIVE-29653: Fix SAML bearer token authentication bypass in HiveServer2#6534
Open
saihemanth-cloudera wants to merge 3 commits into
Open
HIVE-29653: Fix SAML bearer token authentication bypass in HiveServer2#6534saihemanth-cloudera wants to merge 3 commits into
saihemanth-cloudera wants to merge 3 commits into
Conversation
|
There was a problem hiding this comment.
Pull request overview
This PR hardens HiveServer2’s SAML HTTP bearer-token authentication flow to prevent validation bypasses, and adds test coverage to ensure invalid/forged tokens are rejected.
Changes:
- Decode the SAML bearer token before parsing it for relay-state/client-identifier validation in HS2 HTTP mode.
- Fix signature verification logic so that valid signatures are accepted and invalid signatures are rejected.
- Improve token parsing robustness by allowing
=padding in the signature field, and add focused unit tests for token validation/parsing behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java | Decodes bearer token prior to parsing so relay-state/client-identifier validation cannot be bypassed. |
| service/src/java/org/apache/hive/service/auth/saml/HiveSamlAuthTokenGenerator.java | Corrects signature comparison logic and improves parsing to handle Base64 padding in values. |
| itests/hive-unit/src/test/java/org/apache/hive/service/auth/saml/TestHttpSamlAuthentication.java | Adds unit tests covering valid round-trip, forged signatures, malformed structure, expiry, and parsing edge cases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dengzhhu653
approved these changes
Jun 10, 2026
Member
|
+1. Leave the Copilot's comment to you if we need to address them. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
asf-ci-hive
added
tests failed
tests pending
and removed
tests pending
tests failed
labels
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
Hardens SAML callback token handling in HiveServer2 HTTP mode and adds related tests.
Why are the changes needed?
Corrects token validation behavior in the SAML HTTP authentication path.
Does this PR introduce any user-facing change?
No.
How was this patch tested?
Added few unit tests