[ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863978#comment-15863978 ]
Greg Senia commented on ATLAS-1546:
-----------------------------------

[~nixonrodrigues] Add new check to see if keytab exists and if it doesn't, check for isLoginTicketBased(). This should do it. I'm going to test with this solution now.

CHANGES:
notification/src/main/java/org/apache/atlas/hook/AtlasHook.java:

+ if (!(isLoginKeytabBased())) { + if (isLoginTicketBased()) { + InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", "ticketBased-KafkaClient"); + } + + } + + private static boolean isLoginTicketBased() { + boolean ret = false; + + try { + ret = UserGroupInformation.isLoginTicketBased(); + } catch (Exception excp) { + LOG.error("error in determining whether to use ticket-cache or keytab for KafkaClient JAAS configuration", excp); + } + + return ret; + } + // ADD KeytaB Check + private static boolean isLoginKeyTabBased() { + boolean ret = false; + + try { + ret = UserGroupInformation.isLoginKeytabBased(); + } catch (Exception excp) { + LOG.error("error in determining whether to use ticket-cache or keytab for KafkaClient JAAS configuration", excp); + } + + return ret; + } +

> Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>   Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, hiveserver2_log.txt, hiveserver2-site.xml, hive-site.xml, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named "KafkaClient" to authenticate with Kafka broker. In a typical Hive deployment this configuration section is set to use the keytab and principal of HiveServer2 process. The hook running in HiveCLI might fail to authenticate with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI should use the ticket-cache generated by kinit. When ticket cache is not available (for example in HiveServer2), the hook should use the configuration provided in KafkaClient JAAS section.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
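Review bot: In the AtlasHook.java change quoted in the comment above, the new guard calls isLoginKeytabBased() but the helper added under "// ADD KeytaB Check" is declared as isLoginKeyTabBased() (capital T). Java identifiers are case-sensitive, so unless AtlasHook already has a method with the lower-case spelling the call will not resolve; rename the helper to match the call. Both helpers also return false when UserGroupInformation throws, so a failure in the keytab check makes the outer condition true and a keytab-based process can still be redirected to "ticketBased-KafkaClient" if the ticket check then returns true; consider skipping the redirect when either lookup fails. The two catch blocks log the identical message, which makes it impossible to tell from the log which check failed, so give each its own text. The nested ifs can be written as a single condition, `!isLoginKeytabBased() && isLoginTicketBased()`.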