[jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache

Fri, 10 Feb 2017 18:09:03 -0800 

    [ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862155#comment-15862155
 ] 

Madhan Neethiraj commented on ATLAS-1546:
-----------------------------------------

{quote}
{noformat}
{
  KafkaClient=[javax.security.auth.login.AppConfigurationEntry@1bac84c6],
  
ticketBased-KafkaClient=[javax.security.auth.login.AppConfigurationEntry@c9e7132]
}
for redirected jaasConfigSection: {} 
[javax.security.auth.login.AppConfigurationEntry@c9e7132]
{noformat}
{quote}

[~gss2002] - thanks for the logs. Above are last few lines before the failure - 
which show that ticketBased-KafkaClient config section was picked up by Atlas 
hook, even though it is run inside of HiveServer2. If HiveServer2 was 
configured with keytab authentication, the hook should have picked up 
KafkaClient section. I don't see the call to "setConfigSectionRedirect" in the 
log; can you please check if this present in earlier log (I guess the log file 
attached is partial)?

[~nixonrodrigues] - can you please validate the patch with HiveServer2 in 
doAs=true configuration? I updated the logs a little to help with the 
investigation. Please review and use this patch.


> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.patch, hiveserver2_log.txt
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to