[ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863961#comment-15863961
 ] 

Greg Senia commented on ATLAS-1546:
-----------------------------------

[~nixonrodrigues] and [~madhan.neethiraj], it seems as if this could be risky: 
relying on whether there is a ticket, as all it takes is for the process/JDK to read 
a ticket into UGI, and now the process sees a krb ticket and a keytab....


snippet from:
hadoop/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java

  private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
    this.subject = subject;
    this.user = subject.getPrincipals(User.class).iterator().next();
    if (externalKeyTab) {
      this.isKeytab = false;
    } else {
      this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
    }
    this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
  }


  /**
   * Did the login happen via ticket cache
   * @return true or false
   */
  public static boolean isLoginTicketBased()  throws IOException {
    return getLoginUser().isKrbTkt;
  }

snippet from:
hadoop/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java

  /**
   * Get all the unique principals present in the keytabfile.
   * 
   * @param keytabFileName 
   *          Name of the keytab file to be read.
   * @return list of unique principals in the keytab.
   * @throws IOException 
   *          If keytab entries cannot be read from the file.
   */
  static final String[] getPrincipalNames(String keytabFileName) throws IOException {
    Keytab keytab = Keytab.read(new File(keytabFileName));
    Set<String> principals = new HashSet<String>();
    List<KeytabEntry> entries = keytab.getEntries();
    for (KeytabEntry entry : entries) {
      principals.add(entry.getPrincipalName().replace("\\", "/"));
    }
    return principals.toArray(new String[0]);
  }

  /**
   * Get all the unique principals from keytabfile which matches a pattern.
   * 
   * @param keytab Name of the keytab file to be read.
   * @param pattern pattern to be matched.
   * @return list of unique principals which matches the pattern.
   * @throws IOException if cannot get the principal name
   */
  public static final String[] getPrincipalNames(String keytab,
      Pattern pattern) throws IOException {
    String[] principals = getPrincipalNames(keytab);
    if (principals.length != 0) {
      List<String> matchingPrincipals = new ArrayList<String>();
      for (String principal : principals) {
        if (pattern.matcher(principal).matches()) {
          matchingPrincipals.add(principal);
        }
      }
      principals = matchingPrincipals.toArray(new String[0]);
    }
    return principals;
  }


> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, 
> hiveserver2_log.txt, hiveserver2-site.xml, hive-site.xml, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KafkaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.
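The following is an added example written for this page; it is not Atlas or Hadoop code and not part of the patch. It shows the selection the issue asks for (ticket cache in HiveCLI, the KafkaClient JAAS section in HiveServer2) while taking the comment above into account: because a Subject can hold a TGT and a keytab at the same time, the example probes both credentials the way Hadoop's KerberosUtil does and decides from the pair rather than from UGI.isLoginTicketBased() alone. Assumptions: the section name KafkaClientTicketCache is hypothetical, the keytab path is a placeholder, the preference for a usable keytab over the ticket cache is this example's design choice, and the dummy KerberosTicket and KeyTab objects in main are constructed purely so the code runs without a KDC.

```java
import java.io.File;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/**
 * Added example, not Atlas or Hadoop code: picks the credential source for the
 * hook's Kafka login by looking at the ticket AND the keytab, instead of trusting
 * UGI.isLoginTicketBased() alone (which is true whenever a TGT is in the Subject,
 * even when the process also holds a keytab).
 */
public final class HookJaasSelector {

    /** JAAS section the hook uses today (named in the issue). */
    static final String KAFKA_CLIENT_SECTION = "KafkaClient";
    /** Hypothetical section name for the ticket-cache login; not from the issue. */
    static final String TICKET_CACHE_SECTION = "KafkaClientTicketCache";

    enum LoginSource { KEYTAB, TICKET_CACHE, NONE }

    /** Same credential probes Hadoop's KerberosUtil applies to a JAAS Subject. */
    static boolean hasKerberosTicket(Subject s) {
        return !s.getPrivateCredentials(KerberosTicket.class).isEmpty();
    }

    static boolean hasKerberosKeyTab(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    /**
     * A Subject can legitimately hold a TGT and a keytab at once, so the keytab is
     * checked first: a usable keytab (HiveServer2) wins, and the ticket cache is used
     * only when no keytab is usable (HiveCLI user who ran kinit but cannot read the
     * service keytab). This order of preference is the example's choice, not the patch's.
     */
    static LoginSource choose(Subject subject, File configuredKeytab) {
        boolean keytabUsable = hasKerberosKeyTab(subject)
                || (configuredKeytab != null && configuredKeytab.canRead());
        if (keytabUsable) {
            return LoginSource.KEYTAB;
        }
        return hasKerberosTicket(subject) ? LoginSource.TICKET_CACHE : LoginSource.NONE;
    }

    /**
     * In-memory JAAS Configuration for the ticket-cache path using the standard
     * Krb5LoginModule options. Any other section name (e.g. KafkaClient) is delegated
     * to the fallback Configuration, normally Configuration.getConfiguration().
     */
    static Configuration ticketCacheConfiguration(String ticketCachePath, final Configuration fallback) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("useKeyTab", "false");
        opts.put("doNotPrompt", "true");   // never block a CLI process on a password prompt
        opts.put("renewTGT", "true");
        if (ticketCachePath != null) {
            opts.put("ticketCache", ticketCachePath);  // e.g. the value of KRB5CCNAME
        }
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, Collections.unmodifiableMap(opts));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (TICKET_CACHE_SECTION.equals(name)) {
                    return new AppConfigurationEntry[] { entry };
                }
                return fallback == null ? null : fallback.getAppConfigurationEntry(name);
            }
        };
    }

    static Subject subjectWith(Object... privateCredentials) {
        Set<Object> creds = new HashSet<>(Arrays.asList(privateCredentials));
        return new Subject(false, Collections.<Principal>emptySet(), Collections.emptySet(), creds);
    }

    public static void main(String[] args) {
        // Constructed dummy TGT: the ASN.1 bytes are stored, not parsed, so no KDC is needed.
        Date expiry = new Date(System.currentTimeMillis() + 3_600_000L);
        KerberosTicket tgt = new KerberosTicket(new byte[] { 0 },
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17 /* aes128-cts */, null, null, null, expiry, null, null);
        // Constructed keytab handle (placeholder path); KeyTab.getInstance reads lazily.
        File keytabPath = new File("/path/to/hive.service.keytab");
        KeyTab keytab = KeyTab.getInstance(keytabPath);

        Subject hiveCli = subjectWith(tgt);             // user ran kinit, keytab unreadable
        Subject hiveServer2 = subjectWith(tgt, keytab); // daemon that also cached a TGT
        System.out.println("HiveCLI     -> " + choose(hiveCli, keytabPath));
        System.out.println("HiveServer2 -> " + choose(hiveServer2, keytabPath));
        Configuration cfg = ticketCacheConfiguration(System.getenv("KRB5CCNAME"), null);
        System.out.println("ticket-cache section resolves: "
                + (cfg.getAppConfigurationEntry(TICKET_CACHE_SECTION) != null));
    }
}
```

With the dummy Subjects above, the HiveCLI case resolves to the ticket cache and the HiveServer2 case to the keytab even though both Subjects carry a TGT, which is exactly the situation where isKrbTkt alone would send the daemon down the ticket-cache path.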



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
