[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16895934#comment-16895934 ]
Adam Szita commented on HIVE-21922:
-----------------------------------

After consulting with other folks, it looks like this change is not desirable. In Hadoop world we're abusing Kerberos entities i.e. hive/host1@realm and hive/host2@realm are interpreted by UGI as the same Hive user. Still we need different principals per host so that LDAP doesn't revoke permissions due to frequent renewals seen across the cluster if one principal is used for Hive only.

Thus marking this change as resolved.

> Allow keytabs to be reused in LLAP yarn applications through Yarn localization
> ------------------------------------------------------------------------------
>
> Key: HIVE-21922
> URL: https://issues.apache.org/jira/browse/HIVE-21922
> Project: Hive
> Issue Type: New Feature
> Reporter: Adam Szita
> Assignee: Adam Szita
> Priority: Major
> Attachments: HIVE-21922.0.patch, HIVE-21922.1.patch, HIVE-21922.2.patch
>
>
> In secure clusters LLAP has to be able to reach keytab files for kerberos login.
> Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and _hive.llap.daemon.keytab.file_ configs are used to define the path of such keytabs on the Tez AM and LLAP daemon side respectively. Both presume local file system paths only - hence all nodes in the LLAP cluster (even those that eventually don't end up executing a daemon...) have to have Hive's keytab preinstalled on them.
> The above is described by this strategy: [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers]
> Another approach can be [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN] where we rely on HDFS and Yarn resource localization, and no prior keytab distribution is required.
> I intend to make this strategy an option for Hive-LLAP in this jira.

--
This message was sent by Atlassian JIRA (v7.6.14#76016)
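
The point made in the comment above, that hive/host1@realm and hive/host2@realm are distinct Kerberos principals yet resolve to one Hive user, as an added example that is not part of the original message or of Hive or Hadoop code. It is a simplified Python model of the default principal-to-short-name mapping; the realm, host names and function names are constructed assumptions.

```python
from collections import defaultdict

DEFAULT_REALM = "EXAMPLE.COM"  # constructed realm, an assumption for this sketch


def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm).

    Simplified: escaped '@' or '/' characters inside components are not handled.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm given: fall back to the default realm
        name, realm = principal, DEFAULT_REALM
    primary, _, instance = name.partition("/")
    if not primary or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return primary, instance or None, realm


def short_name(principal, default_realm=DEFAULT_REALM):
    """Model of the default mapping: in the default realm the short name is
    the first component, so the host (instance) part is discarded."""
    primary, _instance, realm = parse_principal(principal)
    if realm != default_realm:
        # Without an explicit rule a foreign-realm principal is not mapped.
        raise ValueError(f"no mapping rule applies to {principal!r}")
    return primary


def per_host_principals(hosts, service="hive", realm=DEFAULT_REALM):
    """One principal per host, as the comment says the cluster requires."""
    return {host: f"{service}/{host}@{realm}" for host in hosts}


def group_by_user(principals):
    """Group Kerberos principals by the short user name they resolve to."""
    groups = defaultdict(list)
    for principal in principals:
        groups[short_name(principal)].append(principal)
    return dict(groups)


if __name__ == "__main__":
    # Constructed host names.
    principals = per_host_principals(["host1", "host2", "host3"])
    for user, members in group_by_user(principals.values()).items():
        print(f"{user}: {len(members)} distinct principals -> {members}")
```

Each host still authenticates with its own key, so a keytab for hive/host1 does not stand in for hive/host2 even though authorization sees both as `hive`.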