[ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863961#comment-15863961 ]
Greg Senia commented on ATLAS-1546:
-----------------------------------

[~nixonrodrigues] and [~madhan.neethiraj] seems as if this could be risky relying on if there is a ticket, as all it takes is for the process/JDK to read in a ticket into UGI and now the process sees a krb ticket and a keytab....

snippet from: hadoop/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java

    private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
      this.subject = subject;
      this.user = subject.getPrincipals(User.class).iterator().next();
      if (externalKeyTab) {
        this.isKeytab = false;
      } else {
        this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
      }
      // set whenever the Subject holds a Kerberos ticket, regardless of how the login happened
      this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
    }

    /**
     * Did the login happen via ticket cache
     * @return true or false
     */
    public static boolean isLoginTicketBased() throws IOException {
      return getLoginUser().isKrbTkt;
    }

snippet from: hadoop/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java

    /**
     * Get all the unique principals present in the keytabfile.
     *
     * @param keytabFileName
     *          Name of the keytab file to be read.
     * @return list of unique principals in the keytab.
     * @throws IOException
     *           If keytab entries cannot be read from the file.
     */
    static final String[] getPrincipalNames(String keytabFileName) throws IOException {
      Keytab keytab = Keytab.read(new File(keytabFileName));
      Set<String> principals = new HashSet<String>();
      List<KeytabEntry> entries = keytab.getEntries();
      for (KeytabEntry entry : entries) {
        principals.add(entry.getPrincipalName().replace("\\", "/"));
      }
      return principals.toArray(new String[0]);
    }

    /**
     * Get all the unique principals from keytabfile which matches a pattern.
     *
     * @param keytab Name of the keytab file to be read.
     * @param pattern pattern to be matched.
     * @return list of unique principals which matches the pattern.
     * @throws IOException if cannot get the principal name
     */
    public static final String[] getPrincipalNames(String keytab, Pattern pattern) throws IOException {
      String[] principals = getPrincipalNames(keytab);
      if (principals.length != 0) {
        List<String> matchingPrincipals = new ArrayList<String>();
        for (String principal : principals) {
          if (pattern.matcher(principal).matches()) {
            matchingPrincipals.add(principal);
          }
        }
        principals = matchingPrincipals.toArray(new String[0]);
      }
      return principals;
    }

> Hive hook should choose appropriate JAAS config if host uses kerberos
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro,
> hiveserver2_log.txt, hiveserver2-site.xml, hive-site.xml, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment
> this configuration section is set to use the keytab and principal of
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI
> should use the ticket-cache generated by kinit. When ticket cache is not
> available (for example in HiveServer2), the hook should use the configuration
> provided in KafkaClient JAAS section.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
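The comment above points out why a hook cannot learn "was this a kinit login?" from UGI: `isKrbTkt` is set whenever the Subject holds a Kerberos ticket, and a keytab login produces a TGT too, so a HiveServer2 process looks ticket-based as well as keytab-based. The following is an added example, not code from Atlas, Hadoop or the attached patches, of a programmatic JAAS `Configuration` for the `KafkaClient` section that never consults the UGI flag. It decides from what the process can actually open: if the configured keytab file is readable, it emits keytab options; otherwise, if a file-backed ticket cache is readable, it emits ticket-cache options; if neither, it fails loudly instead of letting `Krb5LoginModule` fail later with a less specific error. The class name, constructor parameters and the sample paths and principal are assumptions; the `Krb5LoginModule` option names (`useKeyTab`, `keyTab`, `principal`, `storeKey`, `useTicketCache`, `ticketCache`, `renewTGT`, `doNotPrompt`) are the standard JDK ones.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/**
 * Added example (not Atlas/Hadoop project code). Builds the "KafkaClient" JAAS
 * section by checking the keytab and ticket cache on disk rather than trusting
 * UGI.isLoginTicketBased(), which is true for keytab logins as well.
 */
public final class KafkaClientJaasSelector extends Configuration {
    public enum Mode { KEYTAB, TICKET_CACHE, NONE }

    private static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String SECTION = "KafkaClient";

    private final String keytabPath;   // hypothetical hook setting: keytab configured for the hook
    private final String principal;    // hypothetical hook setting: principal in that keytab
    private final String ticketCache;  // explicit cache path, or null to fall back to KRB5CCNAME

    public KafkaClientJaasSelector(String keytabPath, String principal, String ticketCache) {
        this.keytabPath = keytabPath;
        this.principal = principal;
        this.ticketCache = ticketCache;
    }

    /** True only if the keytab exists and this OS user can read it (the HiveCLI failure case otherwise). */
    static boolean keytabUsable(String keytabPath) {
        if (keytabPath == null || keytabPath.isEmpty()) return false;
        Path p = Paths.get(keytabPath);
        return Files.isRegularFile(p) && Files.isReadable(p);
    }

    /** True if a FILE: ticket cache (explicit, or from KRB5CCNAME) exists and is readable. */
    static boolean ticketCacheUsable(String ticketCache) {
        String cc = ticketCache != null ? ticketCache : System.getenv("KRB5CCNAME");
        if (cc == null || cc.isEmpty()) return false;
        if (cc.startsWith("FILE:")) {
            cc = cc.substring("FILE:".length());
        } else if (cc.contains(":")) {
            return false; // DIR:, KEYRING:, KCM: caches cannot be checked as a plain file here
        }
        Path p = Paths.get(cc);
        return Files.isRegularFile(p) && Files.isReadable(p);
    }

    /** Keytab first: a readable keytab is the HiveServer2 case; the ticket cache is the kinit'd CLI case. */
    public Mode selectMode() {
        if (keytabUsable(keytabPath)) return Mode.KEYTAB;
        if (ticketCacheUsable(ticketCache)) return Mode.TICKET_CACHE;
        return Mode.NONE;
    }

    /** Krb5LoginModule options for the chosen mode; doNotPrompt keeps a misconfiguration from blocking on stdin. */
    Map<String, String> options(Mode mode) {
        Map<String, String> o = new HashMap<>();
        o.put("doNotPrompt", "true");
        if (mode == Mode.KEYTAB) {
            o.put("useKeyTab", "true");
            o.put("storeKey", "true");
            o.put("keyTab", keytabPath);
            o.put("principal", principal);
        } else {
            o.put("useTicketCache", "true");
            o.put("renewTGT", "true");
            if (ticketCache != null) o.put("ticketCache", ticketCache);
        }
        return o;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!SECTION.equals(name)) return null; // other sections are not ours to answer
        Mode mode = selectMode();
        if (mode == Mode.NONE) {
            throw new IllegalStateException("KafkaClient: keytab " + keytabPath
                + " is not readable and no file ticket cache is available");
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5_LOGIN_MODULE, LoginModuleControlFlag.REQUIRED, options(mode))
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: an empty temp file stands in for a readable keytab.
        Path fakeKeytab = Files.createTempFile("demo", ".keytab");
        try {
            System.out.println("readable keytab -> "
                + new KafkaClientJaasSelector(fakeKeytab.toString(), "hive/host.example.com@EXAMPLE.COM", null).selectMode());
            System.out.println("unreadable keytab, no cache -> "
                + new KafkaClientJaasSelector("/nonexistent/hive.keytab", "hive/host.example.com@EXAMPLE.COM", "/nonexistent/krb5cc").selectMode());
        } finally {
            Files.deleteIfExists(fakeKeytab);
        }
    }
}
```

Install it with `Configuration.setConfiguration(new KafkaClientJaasSelector(...))` before the Kafka producer is created, or merge its entry into whatever configuration the hook already uses. The ordering is deliberately the reverse of the issue description's wording (ticket cache first): because a keytab login also leaves a ticket in the Subject, "a ticket exists" cannot distinguish the two deployments, whereas "the keytab is readable by this user" separates HiveServer2 (which owns the keytab) from a HiveCLI user who kinit'd but cannot read it. The checks are plain file checks, so they say nothing about whether the cache holds a valid, unexpired TGT; that error still surfaces from `Krb5LoginModule` at login time.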