[ 
https://issues.apache.org/jira/browse/SPARK-46566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chenyu Zheng updated SPARK-46566:
---------------------------------
    Description: 
I set up a thriftserver based on v3.5.0. When I execute a command, it throws 
this error:
{code:java}
15:10:53.400 [HiveServer2-Handler-Pool: Thread-293] ERROR org.apache.thrift.transport.TSaslTransport - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
## ignore very long stack trace ##
{code}
With some debugging and analysis, I found that the proxyuser should use a token 
to access the metastore, but it actually uses Kerberos. The direct reason is 
that "hive.metastore.token.signature" is lost.

In fact, we have set "hive.metastore.token.signature" to 
"HiveServer2ImpersonationToken" in the config when constructing 
HiveSessionImplwithUGI, and stored the config in 
HiveSessionImplwithUGI::sessionHive and HiveSessionImplwithUGI::sessionState.
When the session is acquired, we should set sessionState and sessionHive to 
thread-level variables. Then the execution statements will use their own 
sessionHive and sessionState, and so use the right config.

But if isolation is enabled, a new SessionState will be constructed using the 
specified Hive version. The config is not passed from 
HiveSessionImplwithUGI::sessionState to this SessionState, so 
hive.metastore.token.signature is missing.

  was:
I set up a thriftserver based on v3.5.0. When I execute a command, it throws 
this error:

{code:java}
15:10:53.400 [HiveServer2-Handler-Pool: Thread-293] ERROR org.apache.thrift.transport.TSaslTransport - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
## ignore very long stack trace ##
{code}

With some debugging and analysis, I found that the proxyuser should use a token 
to access the metastore, but it actually uses Kerberos. The direct reason is 
that "hive.metastore.token.signature" is lost.

In fact, we have set "hive.metastore.token.signature" to 
"HiveServer2ImpersonationToken" in the config when constructing 
HiveSessionImplwithUGI, and stored the configuration in 
HiveSessionImplwithUGI::sessionHive and HiveSessionImplwithUGI::sessionState.
When the session is acquired, we should set sessionState and sessionHive to 
thread-level variables. Then the execution statements will use their own 
sessionHive and sessionState, and so use the right config.

But if isolation is enabled, a new SessionState will be constructed using the 
specified Hive version. The config is not passed from 
HiveSessionImplwithUGI::sessionState to this SessionState, so 
hive.metastore.token.signature is missing.


> Session level config was not loaded when isolation is enabled.
> --------------------------------------------------------------
>
>                 Key: SPARK-46566
>                 URL: https://issues.apache.org/jira/browse/SPARK-46566
>             Project: Spark
>          Issue Type: Improvement
>          Components: SQL
>    Affects Versions: 3.5.0
>            Reporter: Chenyu Zheng
>            Priority: Major
>
> I set up a thriftserver based on v3.5.0. When I execute a command, it throws 
> this error:
> {code:java}
> 15:10:53.400 [HiveServer2-Handler-Pool: Thread-293] ERROR org.apache.thrift.transport.TSaslTransport - SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed
> ## ignore very long stack trace ##
> {code}
> With some debugging and analysis, I found that the proxyuser should use a token 
> to access the metastore, but it actually uses Kerberos. The direct reason is 
> that "hive.metastore.token.signature" is lost.
> In fact, we have set "hive.metastore.token.signature" to 
> "HiveServer2ImpersonationToken" in the config when constructing 
> HiveSessionImplwithUGI, and stored the config in 
> HiveSessionImplwithUGI::sessionHive and HiveSessionImplwithUGI::sessionState.
> When the session is acquired, we should set sessionState and sessionHive to 
> thread-level variables. Then the execution statements will use their own 
> sessionHive and sessionState, and so use the right config.
> But if isolation is enabled, a new SessionState will be constructed using the 
> specified Hive version. The config is not passed from 
> HiveSessionImplwithUGI::sessionState to this SessionState, so 
> hive.metastore.token.signature is missing.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
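
The failure described in this report, reduced to a small Python model (an added example, not code from Spark, Hive or the reporter). Only the config key and the value "HiveServer2ImpersonationToken" come from the report; every function name, the sample metastore URI and token, and the `propagate` remedy are assumptions made for illustration.

```python
import threading

TOKEN_SIG_KEY = "hive.metastore.token.signature"   # key named in the report
IMPERSONATION_SIG = "HiveServer2ImpersonationToken"  # value named in the report
_thread_state = threading.local()  # models the thread-level session variables

def open_session(base_conf):
    """Model of session construction: the session conf gets the signature."""
    conf = dict(base_conf)
    conf[TOKEN_SIG_KEY] = IMPERSONATION_SIG
    return conf

def isolated_conf(base_conf, session_conf=None):
    """Conf of the state built for the isolated client (hypothetical helper).
    session_conf=None reproduces the report: only base settings are used.
    Passing session_conf carries session-level keys over (assumed remedy)."""
    conf = dict(base_conf)
    if session_conf is not None:
        conf.update(session_conf)
    return conf

def metastore_auth(conf, user_tokens):
    """A delegation token is usable only if the conf's signature names one
    the user holds; otherwise the connection falls back to Kerberos."""
    sig = conf.get(TOKEN_SIG_KEY, "")
    return "token" if sig and sig in user_tokens else "kerberos"

def run_statement(base_conf, user_tokens, isolation, propagate=False):
    """Run one statement on a handler thread and report the auth path taken."""
    result = {}
    def handler():
        _thread_state.conf = open_session(base_conf)  # session acquired
        conf = _thread_state.conf
        if isolation:
            conf = isolated_conf(base_conf, conf if propagate else None)
        result["auth"] = metastore_auth(conf, user_tokens)
    worker = threading.Thread(target=handler)
    worker.start()
    worker.join()
    return result["auth"]

# Constructed sample data: a base conf and the proxy user's token store.
BASE_CONF = {"hive.metastore.uris": "thrift://metastore.example:9083"}
USER_TOKENS = {IMPERSONATION_SIG: b"constructed-token"}

if __name__ == "__main__":
    for isolation, propagate in [(False, False), (True, False), (True, True)]:
        auth = run_statement(BASE_CONF, USER_TOKENS, isolation, propagate)
        print(f"isolation={isolation} propagate={propagate} -> {auth}")
```

In the model, the "kerberos" result with isolation on corresponds to the path where the report sees "GSS initiate failed", since the proxy user holds a token but no Kerberos credentials of its own.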
