[jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache

Nixon Rodrigues (JIRA) Mon, 13 Feb 2017 07:36:00 -0800

    [ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863835#comment-15863835
 ]


Nixon Rodrigues commented on ATLAS-1546:
----------------------------------------

[~gss2002], [~madhan.neethiraj],

After deleting kerberos ticket from hive user, i started getting this exception 
for hiveServer2, isLoginTicketBased flag is coming true for hiveServer2 case.I 
m looking into this.
{noformat}
Caused by: org.apache.kafka.common.KafkaException: 
javax.security.auth.login.LoginException: Could not login: the client is being 
asked for a password, but the Kafka client code does not currently support 
obtaining a password from the user. not available to garner  authentication 
information from the user
        at 
org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:86)
        at 
org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:71)
        at 
org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:83)
        at 
org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:277)
        ... 19 more
Caused by: javax.security.auth.login.LoginException: Could not login: the 
client is being asked for a password, but the Kafka client code does not 
currently support obtaining a password from the user. not available to garner  
authentication information from the user
{noformat}


> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, 
> hiveserver2_log.txt, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache

Reply via email to