[ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862066#comment-15862066 ]
Greg Senia commented on ATLAS-1546:
-----------------------------------

[~madhan.neethiraj] basically for now I added a new config object under hive in ambari and named it hive-cli-atlas-application.properties for hivecli and left the original for HS2. Remember when HS2 starts up HIVE_CONF_DIR=/etc/hive/conf/conf.server and the CLI HIVE_CONF_DIR=/etc/hive/conf. So the question becomes is it best to just use separate configs as I'm doing here, as this definitely works, vs trying to force settings. Basically when I came up with this workaround I looked how sqoop was sending to kafka and modeled the CLI after it. I opened the issue as an Ambari JIRA --> [AMBARI-19790]

HS2 config Tree --> /etc/hive/conf/conf.server/atlas-application.properties
HiveCLI config Tree --> less /etc/hive/conf/atlas-application.properties

HiveCLI --> /etc/hive/conf/atlas-application.properties

atlas.authentication.method.kerberos=True
atlas.cluster.name=tech
atlas.hook.hive.keepAliveTime=10
atlas.hook.hive.maxThreads=5
atlas.hook.hive.minThreads=5
atlas.hook.hive.numRetries=3
atlas.hook.hive.queueSize=1000
atlas.hook.hive.synchronous=false
atlas.jaas.KafkaClient.loginModuleControlFlag=required
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.renewTicket=True
atlas.jaas.KafkaClient.option.serviceName=kafka
atlas.jaas.KafkaClient.option.storeKey=false
atlas.jaas.KafkaClient.option.useKeyTab=false
atlas.jaas.KafkaClient.option.useTicketCache=True
atlas.kafka.bootstrap.servers=ha21t55mn.tech.hdp.example.com:6667
atlas.kafka.hook.group.id=atlas
atlas.kafka.sasl.kerberos.service.name=kafka
atlas.kafka.security.protocol=PLAINTEXTSASL
atlas.kafka.zookeeper.connect=ha21t53mn.tech.hdp.example.com:2181,ha21t51mn.tech.hdp.example.com:2181,ha21t52mn.tech.hdp.example.com:2181
atlas.kafka.zookeeper.connection.timeout.ms=200
atlas.kafka.zookeeper.session.timeout.ms=400
atlas.kafka.zookeeper.sync.time.ms=20
atlas.notification.create.topics=True
atlas.notification.replicas=1
atlas.notification.topics=ATLAS_HOOK,ATLAS_ENTITIES
atlas.rest.address=http://ha21t55mn.tech.hdp.example.com:21000

HS2: /etc/hive/conf/conf.server/atlas-application.properties

atlas.authentication.method.kerberos=True
atlas.cluster.name=tech
atlas.hook.hive.keepAliveTime=10
atlas.hook.hive.maxThreads=5
atlas.hook.hive.minThreads=5
atlas.hook.hive.numRetries=3
atlas.hook.hive.queueSize=1000
atlas.hook.hive.synchronous=false
atlas.jaas.KafkaClient.loginModuleControlFlag=required
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.keyTab=/etc/security/keytabs/hive.service.keytab
atlas.jaas.KafkaClient.option.principal=hive/_h...@tech.hdp.example.com
atlas.jaas.KafkaClient.option.serviceName=kafka
atlas.jaas.KafkaClient.option.storeKey=True
atlas.jaas.KafkaClient.option.useKeyTab=True
atlas.kafka.bootstrap.servers=ha21t55mn.tech.hdp.example.com:6667
atlas.kafka.hook.group.id=atlas
atlas.kafka.sasl.kerberos.service.name=kafka
atlas.kafka.security.protocol=PLAINTEXTSASL
atlas.kafka.zookeeper.connect=ha21t53mn.tech.hdp.example.com:2181,ha21t51mn.tech.hdp.example.com:2181,ha21t52mn.tech.hdp.example.com:2181
atlas.kafka.zookeeper.connection.timeout.ms=200
atlas.kafka.zookeeper.session.timeout.ms=400
atlas.kafka.zookeeper.sync.time.ms=20
atlas.notification.create.topics=True
atlas.notification.replicas=1
atlas.notification.topics=ATLAS_HOOK,ATLAS_ENTITIES
atlas.rest.address=http://ha21t55mn.tech.hdp.example.com:21000

> Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.patch
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named
> "KafkaClient" to authenticate with Kafka broker. In a typical Hive deployment
> this configuration section is set to use the keytab and principal of
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI
> should use the ticket-cache generated by kinit. When ticket cache is not
> available (for example in HiveServer2), the hook should use the configuration
> provided in KafkaClient JAAS section.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
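
Added example (not part of the original message or of the Atlas code base): a small Python check that reads the KafkaClient JAAS options from an atlas-application.properties file and reports the failure described in the issue, a configured keytab the current user cannot read with no ticket cache enabled. The sample property text is a constructed excerpt of the two files above, the principal is a placeholder, and the function names are hypothetical.

```python
import os

OPT = "atlas.jaas.KafkaClient.option."

# Constructed samples: excerpts of the two files quoted in the comment above.
HIVECLI_SAMPLE = """\
atlas.jaas.KafkaClient.option.useKeyTab=false
atlas.jaas.KafkaClient.option.useTicketCache=True
"""
HS2_SAMPLE = """\
atlas.jaas.KafkaClient.option.keyTab=/etc/security/keytabs/hive.service.keytab
atlas.jaas.KafkaClient.option.principal=hive/HOST_PLACEHOLDER@REALM.PLACEHOLDER
atlas.jaas.KafkaClient.option.useKeyTab=True
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def sources(props):
    """List the credential sources the KafkaClient section enables."""
    enabled = lambda name: props.get(OPT + name, "false").lower() == "true"
    return [label for name, label in
            (("useKeyTab", "keytab"), ("useTicketCache", "ticket-cache"))
            if enabled(name)]

def check(props, can_read=lambda path: os.access(path, os.R_OK)):
    """Return findings for the user running this check (can_read is injectable)."""
    found, findings = sources(props), []
    if not found:
        findings.append("no credential source enabled for KafkaClient")
    if "keytab" in found:
        keytab = props.get(OPT + "keyTab")
        if not keytab or not props.get(OPT + "principal"):
            findings.append("useKeyTab=True needs both keyTab and principal")
        elif not can_read(keytab) and "ticket-cache" not in found:
            findings.append(f"keytab {keytab} is not readable and useTicketCache is off")
    return findings

if __name__ == "__main__":
    for name, text in (("HiveCLI", HIVECLI_SAMPLE), ("HS2", HS2_SAMPLE)):
        props = parse_properties(text)
        print(name, sources(props), check(props))
```

Run it as the account that will launch the Hive CLI, pointing parse_properties at the contents of the file under that account's HIVE_CONF_DIR.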