[ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863932#comment-15863932 ]
Madhan Neethiraj commented on ATLAS-1546: ----------------------------------------- bq. I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true [~nixonrodrigues] HiveServer2 should be run as 'hive' service user..not as an enduser bq. tested HiveCli with doAs = true doAs flag is not relevant for HiveCLI - as it doesn't perform any impersonation. There is no need to validate HiveCLI with doAs=true. It will help if you can try the following steps and update the results here: # Configure HiveServer2 with doAs=true # Run HiveServer2 as hive service user # Using beeline, connect as an enduser and create objects (database/table/view) - verify that created object details are received in Atlas # Using Hive-CLI, create objects and verify that created object details are received in Atlas > Hive hook should choose appropriate JAAS config if host uses kerberos > ticket-cache > ---------------------------------------------------------------------------------- > > Key: ATLAS-1546 > URL: https://issues.apache.org/jira/browse/ATLAS-1546 > Project: Atlas > Issue Type: Improvement > Components: atlas-intg > Affects Versions: 0.7-incubating, 0.8-incubating > Reporter: Madhan Neethiraj > Assignee: Nixon Rodrigues > Fix For: 0.8-incubating > > Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, > hiveserver2_log.txt, hs2.log.gz > > > In a kerberized environment, Atlas hook uses JAAS configuration section named > "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment > this configuration section is set to use the keytab and principal of > HiveServer2 process. The hook running in HiveCLI might fail to authenticate > with Kafka if the user can't read the configured keytab. > Given that HiveCLI users would have performed kinit, the hook in HiveCLI > should use the ticket-cache generated by kinit. When ticket cache is not > available (for example in HiveServer2), the hook should use the configuration > provided in KafkaClient JAAS section. -- This message was sent by Atlassian JIRA (v6.3.15#6346)