[jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache

Mon, 13 Feb 2017 08:59:53 -0800 

    [ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863978#comment-15863978
 ] 

Greg Senia commented on ATLAS-1546:
-----------------------------------

[~nixonrodrigues]

Add new check to see if keytab exists and if it doesn' check for 
isLoginTicketBased() this should do it I'm going to test with this solution now.

CHANGES:
notification/src/main/java/org/apache/atlas/hook/AtlasHook.java:
+        if (!(isLoginKeytabBased())) {
+            if (isLoginTicketBased()) {
+              
InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", 
"ticketBased-KafkaClient");
+              }
+
+        }
+

+    private static boolean isLoginTicketBased() {
+        boolean ret = false;
+
+        try {
+            ret = UserGroupInformation.isLoginTicketBased();
+        } catch (Exception excp) {
+            LOG.error("error in determining whether to use ticket-cache or 
keytab for KafkaClient JAAS configuration", excp);
+        }
+
+        return ret;
+    }
+
// ADD KeytaB Check
+    private static boolean isLoginKeyTabBased() {
+        boolean ret = false;
+
+        try {
+            ret = UserGroupInformation.isLoginKeytabBased();
+        } catch (Exception excp) {
+            LOG.error("error in determining whether to use ticket-cache or 
keytab for KafkaClient JAAS configuration", excp);
+        }
+
+        return ret;
+    }
+

> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, 
> hiveserver2_log.txt, hiveserver2-site.xml, hive-site.xml, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to