[jira] [Comment Edited] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache

Fri, 10 Feb 2017 23:26:14 -0800 

    [ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862279#comment-15862279
 ] 

Greg Senia edited comment on ATLAS-1546 at 2/11/17 7:24 AM:
------------------------------------------------------------

[~madhan.neethiraj] nope not unless ambari does it under the covers.. But just 
checked including lsof and ps guaxwwe to grab enviro

[root@ha21t55mn t93kd9i]# su - hive
Last login: Fri Feb 10 20:29:36 EST 2017
[hive@ha21t55mn ~]$ klist
klist: Credentials cache file '/tmp/krb5cc_80009' not found


-rw-------. 1 gss2003   domain users 1846 Jan 31 13:22 krb5cc_190186246
-rw-------. 1 gss2002   domain users 1840 Feb 10 17:48 krb5cc_190177540_aM8cGE
-rw-------. 1 hbase     hadoop        870 Feb 10 18:34 krb5cc_80006
-rw-------. 1 kafka     hadoop       1002 Feb 10 18:34 krb5cc_80026
-rw-------. 1 hdfs      hadoop       2064 Feb 10 20:29 krb5cc_80008
-rw-------. 1 gss2002   domain users 1789 Feb 11 02:09 
krb5cc_190177540_ucndn5QWLm
-rw-------. 1 ambari-qa hadoop        886 Feb 11 02:11 krb5cc_80001


was (Author: gss2002):
nope not unless ambari does it under the covers.. But just checked including 
lsof and ps guaxwwe to grab enviro

[root@ha21t55mn t93kd9i]# su - hive
Last login: Fri Feb 10 20:29:36 EST 2017
[hive@ha21t55mn ~]$ klist
klist: Credentials cache file '/tmp/krb5cc_80009' not found


-rw-------. 1 gss2003   domain users 1846 Jan 31 13:22 krb5cc_190186246
-rw-------. 1 gss2002   domain users 1840 Feb 10 17:48 krb5cc_190177540_aM8cGE
-rw-------. 1 hbase     hadoop        870 Feb 10 18:34 krb5cc_80006
-rw-------. 1 kafka     hadoop       1002 Feb 10 18:34 krb5cc_80026
-rw-------. 1 hdfs      hadoop       2064 Feb 10 20:29 krb5cc_80008
-rw-------. 1 gss2002   domain users 1789 Feb 11 02:09 
krb5cc_190177540_ucndn5QWLm
-rw-------. 1 ambari-qa hadoop        886 Feb 11 02:11 krb5cc_80001

> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, 
> hiveserver2_log.txt, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to