[jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache

Mon, 13 Feb 2017 08:24:31 -0800 

    [ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863932#comment-15863932
 ] 

Madhan Neethiraj commented on ATLAS-1546:
-----------------------------------------

bq. I tried running HiveServer2 (Run as end user instead of Hive user) with 
doAs = true
[~nixonrodrigues] HiveServer2 should be run as 'hive' service user..not as an 
enduser

bq. tested HiveCli with doAs = true
doAs flag is not relevant for HiveCLI - as it doesn't perform any 
impersonation. There is no need to validate HiveCLI with doAs=true.

It will help if you can try the following steps and update the results here:
# Configure HiveServer2 with doAs=true
# Run HiveServer2 as hive service user
# Using beeline, connect as an enduser and create objects (database/table/view) 
- verify that created object details are received in Atlas
# Using Hive-CLI, create objects and verify that created object details are 
received in Atlas


> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, 
> hiveserver2_log.txt, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to