[ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862066#comment-15862066
 ] 

Greg Senia commented on ATLAS-1546:
-----------------------------------

[~madhan.neethiraj] Basically, for now I added a new config object under Hive 
in Ambari, named it hive-cli-atlas-application.properties for HiveCLI, and left 
the original for HS2. Remember, when HS2 starts up, 
HIVE_CONF_DIR=/etc/hive/conf/conf.server, and for the CLI 
HIVE_CONF_DIR=/etc/hive/conf.
So the question becomes: is it best to just use separate configs as I'm doing 
here, as this definitely works, vs. trying to force settings? Basically, when I 
came up with this workaround I looked at how Sqoop was sending to Kafka and 
modeled the CLI after it. I opened the issue as an Ambari JIRA --> [AMBARI-19790]

 

HS2 config Tree --> /etc/hive/conf/conf.server/atlas-application.properties 
HiveCLI config Tree --> less /etc/hive/conf/atlas-application.properties 

HiveCLI --> /etc/hive/conf/atlas-application.properties 
atlas.authentication.method.kerberos=True
atlas.cluster.name=tech
atlas.hook.hive.keepAliveTime=10
atlas.hook.hive.maxThreads=5
atlas.hook.hive.minThreads=5
atlas.hook.hive.numRetries=3
atlas.hook.hive.queueSize=1000
atlas.hook.hive.synchronous=false
atlas.jaas.KafkaClient.loginModuleControlFlag=required
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.renewTicket=True
atlas.jaas.KafkaClient.option.serviceName=kafka
atlas.jaas.KafkaClient.option.storeKey=false
atlas.jaas.KafkaClient.option.useKeyTab=false
atlas.jaas.KafkaClient.option.useTicketCache=True
atlas.kafka.bootstrap.servers=ha21t55mn.tech.hdp.example.com:6667
atlas.kafka.hook.group.id=atlas
atlas.kafka.sasl.kerberos.service.name=kafka
atlas.kafka.security.protocol=PLAINTEXTSASL
atlas.kafka.zookeeper.connect=ha21t53mn.tech.hdp.example.com:2181,ha21t51mn.tech.hdp.example.com:2181,ha21t52mn.tech.hdp.example.com:2181
atlas.kafka.zookeeper.connection.timeout.ms=200
atlas.kafka.zookeeper.session.timeout.ms=400
atlas.kafka.zookeeper.sync.time.ms=20
atlas.notification.create.topics=True
atlas.notification.replicas=1
atlas.notification.topics=ATLAS_HOOK,ATLAS_ENTITIES
atlas.rest.address=http://ha21t55mn.tech.hdp.example.com:21000

HS2: /etc/hive/conf/conf.server/atlas-application.properties 
    
atlas.authentication.method.kerberos=True
atlas.cluster.name=tech
atlas.hook.hive.keepAliveTime=10
atlas.hook.hive.maxThreads=5
atlas.hook.hive.minThreads=5
atlas.hook.hive.numRetries=3
atlas.hook.hive.queueSize=1000
atlas.hook.hive.synchronous=false
atlas.jaas.KafkaClient.loginModuleControlFlag=required
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.keyTab=/etc/security/keytabs/hive.service.keytab
atlas.jaas.KafkaClient.option.principal=hive/_h...@tech.hdp.example.com
atlas.jaas.KafkaClient.option.serviceName=kafka
atlas.jaas.KafkaClient.option.storeKey=True
atlas.jaas.KafkaClient.option.useKeyTab=True
atlas.kafka.bootstrap.servers=ha21t55mn.tech.hdp.example.com:6667
atlas.kafka.hook.group.id=atlas
atlas.kafka.sasl.kerberos.service.name=kafka
atlas.kafka.security.protocol=PLAINTEXTSASL
atlas.kafka.zookeeper.connect=ha21t53mn.tech.hdp.example.com:2181,ha21t51mn.tech.hdp.example.com:2181,ha21t52mn.tech.hdp.example.com:2181
atlas.kafka.zookeeper.connection.timeout.ms=200
atlas.kafka.zookeeper.session.timeout.ms=400
atlas.kafka.zookeeper.sync.time.ms=20
atlas.notification.create.topics=True
atlas.notification.replicas=1
atlas.notification.topics=ATLAS_HOOK,ATLAS_ENTITIES
atlas.rest.address=http://ha21t55mn.tech.hdp.example.com:21000


> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.patch
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KafkaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.
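
Added example (not part of the original comment or the ATLAS-1546 patch): a small Python check that reads the atlas.jaas.KafkaClient.option.* keys from an atlas-application.properties file, reports whether the hook would log in from a keytab or from the ticket cache, and flags the failure mode described above, a keytab the current user cannot read. The sample files are constructed from the two listings in the comment, the principal is a placeholder, and the function names are hypothetical.

```python
import os

# Constructed samples modelled on the two files in the comment (principal is a placeholder).
HS2_CONF = """\
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.keyTab=/etc/security/keytabs/hive.service.keytab
atlas.jaas.KafkaClient.option.principal=hive/HOST_PLACEHOLDER@REALM.PLACEHOLDER
atlas.jaas.KafkaClient.option.storeKey=True
atlas.jaas.KafkaClient.option.useKeyTab=True
"""
CLI_CONF = """\
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.renewTicket=True
atlas.jaas.KafkaClient.option.storeKey=false
atlas.jaas.KafkaClient.option.useKeyTab=false
atlas.jaas.KafkaClient.option.useTicketCache=True
"""

def parse_properties(text):
    """Parse plain key=value lines; continuations and escapes are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_kafka_jaas(text, can_read=lambda path: os.access(path, os.R_OK)):
    """Return (login mode, findings) for the atlas.jaas.KafkaClient section."""
    prefix = "atlas.jaas.KafkaClient.option."
    opts = {k[len(prefix):]: v for k, v in parse_properties(text).items()
            if k.startswith(prefix)}
    flag = lambda name: opts.get(name, "false").lower() == "true"
    findings = []
    if flag("useKeyTab"):
        mode = "keytab"
        keytab = opts.get("keyTab")
        if not keytab or not opts.get("principal"):
            findings.append("useKeyTab is set but keyTab or principal is missing")
        elif not can_read(keytab):
            # The HiveCLI failure mode from the issue description.
            findings.append(f"keytab {keytab} is not readable by the current user")
    elif flag("useTicketCache"):
        mode = "ticket-cache"
    else:
        mode = "none"
        findings.append("neither useKeyTab nor useTicketCache is enabled")
    return mode, findings

if __name__ == "__main__":
    for name, conf in (("HS2", HS2_CONF), ("HiveCLI", CLI_CONF)):
        print(name, audit_kafka_jaas(conf))
```

Run it as the account that launches HiveCLI, since the readability check uses that account's permissions.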


