[ https://issues.apache.org/jira/browse/HIVE-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918615#action_12918615 ]
Todd Lipcon commented on HIVE-1696:
-----------------------------------

A few of us had a phone call this morning. We briefly discussed a design for this, summarized below:

- The metastore should make use of the delegation token facilities in Hadoop Common. The classes in Common are already generic since they're used by both MR and HDFS for their delegation token types.
- The metastore needs to keep track of active delegation tokens across restarts - it probably makes sense to use the existing DB backing store for this.
- The metastore thrift API will need a new call, something like: {{binary getDelegationToken(1: string renewer)}} which returns the opaque token.
- We'll need to make some changes to HadoopThriftAuthBridge from HIVE-842 in order to support using a delegation token over SASL.

In terms of the use cases above, here are some thoughts on how the delegation tokens will be used:

h3. MR tasks reporting statistics

When a hive job is submitted, it will first obtain a DT from the hive metastore. This DT will be passed with the job, either as a private distributedcache file, or maybe base64-encoded in the jobconf itself. The MR tasks themselves will then load the token into the UGI before making calls. This is basically the pattern that normal hadoop MR jobs use to access HDFS from within a task.

h3. Oozie or Hive Server jobs

Before Oozie or Hive Server forks the child process which actually runs the job, it will need to obtain a delegation token from the metastore on behalf of the user running the job. It will then provide this to the child process using an environment variable or configuration property. In this case, Oozie or the Hive Server needs to be configured as a "proxy superuser" on the metastore - i.e. the oozie/_HOST or hiveserver/_HOST principal is allowed to impersonate other users in order to grab delegation tokens for them.
> Add delegation token support to metastore
> -----------------------------------------
>
> Key: HIVE-1696
> URL: https://issues.apache.org/jira/browse/HIVE-1696
> Project: Hadoop Hive
> Issue Type: Sub-task
> Components: Metastore
> Reporter: Todd Lipcon
>
> As discussed in HIVE-842, kerberos authentication is only sufficient for
> authentication of a hive user client to the metastore. There are other cases
> where thrift calls need to be authenticated when the caller is running in an
> environment without kerberos credentials. For example, an MR task running as
> part of a hive job may want to report statistics to the metastore, or a job
> may be running within the context of Oozie or Hive Server.
>
> This JIRA is to implement support of delegation tokens for the metastore. The
> concept of a delegation token is borrowed from the Hadoop security design -
> the quick summary is that a kerberos-authenticated client may retrieve a
> binary token from the server. This token can then be passed to other clients
> which can use it to achieve authentication as the original user in lieu of a
> kerberos ticket.
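The design sketched in the comment above (a server-side secret manager that issues an opaque token to a Kerberos-authenticated caller, keeps active tokens in a DB so they survive a restart, lets only the named renewer extend a token, and lets a configured "proxy superuser" such as the Oozie or Hive Server principal fetch a token on another user's behalf) is easier to reason about with the lifecycle written out. The following is an added, constructed model of that lifecycle; it is not Hive's or Hadoop Common's code. The identifier layout, the SQLite store, the `TokenStore` class and its method names, the interval constants and the principal names are all assumptions made for illustration; Hadoop's real implementation uses a master key that is rotated and its own identifier serialization.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile
import time

# Constructed model of a delegation-token secret manager (not Hive/Hadoop code).
# A token is (identifier, password); the password is an HMAC over the identifier
# under a server-side master key, so a client holding a token cannot forge or edit it.
RENEW_INTERVAL = 24 * 3600      # one renewal keeps a token alive this long (assumed value)
MAX_LIFETIME = 7 * 24 * 3600    # hard cap measured from issue time (assumed value)


def _identifier(owner, renewer, real_user, issue, max_date, seq):
    # Assumed field layout: owner|renewer|realUser|issueDate|maxDate|sequenceNumber
    return "|".join([owner, renewer, real_user, str(issue), str(max_date), str(seq)]).encode()


class TokenStore:
    """Master key and active tokens live in SQLite, standing in for the metastore's
    own DB backing store, so a restarted server still honours tokens it issued."""

    def __init__(self, path, proxy_superusers=()):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS master_key (k BLOB)")
        self.db.execute("CREATE TABLE IF NOT EXISTS tokens (ident BLOB PRIMARY KEY, expiry INTEGER)")
        self.db.execute("CREATE TABLE IF NOT EXISTS seq (n INTEGER)")
        if self.db.execute("SELECT k FROM master_key").fetchone() is None:
            self.db.execute("INSERT INTO master_key VALUES (?)", (os.urandom(32),))
            self.db.execute("INSERT INTO seq VALUES (0)")
            self.db.commit()
        self.key = self.db.execute("SELECT k FROM master_key").fetchone()[0]
        self.proxy_superusers = set(proxy_superusers)

    def _password(self, ident):
        return hmac.new(self.key, ident, hashlib.sha256).digest()

    def get_token(self, caller, renewer, real_user=None, now=None):
        """Issue a token for `caller`. When `real_user` is given, that principal is
        asking on behalf of `caller` and must be a configured proxy superuser."""
        now = now if now is not None else int(time.time())
        if real_user is not None and real_user not in self.proxy_superusers:
            raise PermissionError(f"{real_user} may not impersonate {caller}")
        seq = self.db.execute("SELECT n FROM seq").fetchone()[0] + 1
        self.db.execute("UPDATE seq SET n = ?", (seq,))
        ident = _identifier(caller, renewer, real_user or "", now, now + MAX_LIFETIME, seq)
        self.db.execute("INSERT INTO tokens VALUES (?, ?)", (ident, now + RENEW_INTERVAL))
        self.db.commit()
        return ident, self._password(ident)

    def verify(self, token, now=None):
        """Return the authenticated owner, or None if the token is forged, tampered,
        cancelled or expired. The password comparison is constant-time."""
        now = now if now is not None else int(time.time())
        ident, password = token
        if not hmac.compare_digest(self._password(ident), password):
            return None
        row = self.db.execute("SELECT expiry FROM tokens WHERE ident = ?", (ident,)).fetchone()
        if row is None or row[0] <= now:
            return None
        return ident.decode().split("|")[0]

    def renew(self, token, renewer, now=None):
        """Only the designated renewer may extend a token, and never past max_date."""
        now = now if now is not None else int(time.time())
        ident, _ = token
        if self.verify(token, now) is None:
            raise PermissionError("token is not valid")
        fields = ident.decode().split("|")
        if fields[1] != renewer:
            raise PermissionError(f"{renewer} is not the renewer of this token")
        new_expiry = min(now + RENEW_INTERVAL, int(fields[4]))
        self.db.execute("UPDATE tokens SET expiry = ? WHERE ident = ?", (new_expiry, ident))
        self.db.commit()
        return new_expiry

    def cancel(self, token, caller):
        """Owner or renewer may cancel; the row is gone, so verify() fails afterwards."""
        ident, _ = token
        fields = ident.decode().split("|")
        if caller not in (fields[0], fields[1]):
            raise PermissionError(f"{caller} may not cancel this token")
        self.db.execute("DELETE FROM tokens WHERE ident = ?", (ident,))
        self.db.commit()


def run_scenario():
    """Walk the lifecycle on a throw-away database and return what was observed."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    oozie = "oozie/host.example.com@EXAMPLE.COM"   # constructed proxy-superuser principal
    t0 = 1_700_000_000                              # constructed "now" for reproducibility
    store = TokenStore(path, proxy_superusers=[oozie])
    r = {}
    tok = store.get_token("alice", renewer=oozie, now=t0)           # alice's job submission
    r["valid"] = store.verify(tok, now=t0 + 60)
    r["forged"] = store.verify((tok[0], bytes(32)), now=t0 + 60)    # wrong password
    r["tampered"] = store.verify((tok[0].replace(b"alice", b"admin"), tok[1]), now=t0 + 60)
    r["expired"] = store.verify(tok, now=t0 + RENEW_INTERVAL)       # nobody renewed it
    try:
        store.renew(tok, "alice", now=t0 + 60)
        r["wrong_renewer"] = "allowed"
    except PermissionError:
        r["wrong_renewer"] = "denied"
    r["renewed_until"] = store.renew(tok, oozie, now=t0 + 60)
    # Oozie fetches a token for bob; an unconfigured principal may not.
    r["proxy_owner"] = store.verify(store.get_token("bob", oozie, real_user=oozie, now=t0), now=t0 + 60)
    try:
        store.get_token("bob", oozie, real_user="random/host@EXAMPLE.COM", now=t0)
        r["proxy_unconfigured"] = "allowed"
    except PermissionError:
        r["proxy_unconfigured"] = "denied"
    store.db.close()
    store2 = TokenStore(path, proxy_superusers=[oozie])             # simulated metastore restart
    r["after_restart"] = store2.verify(tok, now=t0 + 60)
    store2.cancel(tok, "alice")
    r["after_cancel"] = store2.verify(tok, now=t0 + 60)
    store2.db.close()
    os.remove(path)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The points a reviewer of the real implementation would check are the ones the scenario exercises: a tampered identifier or wrong password fails closed, the renewer named at issue time is the only principal that can extend the token and cannot push it past the hard maximum lifetime, impersonation is refused unless the real principal is explicitly configured as a proxy superuser, and tokens outlive a server restart only because their state is persisted rather than held in memory.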