-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/
-----------------------------------------------------------
Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan Neethiraj,
Mugdha Varadkar, and Sumit Mohanty.
Bugs: AMBARI-21154
https://issues.apache.org/jira/browse/AMBARI-21154
Repository: ambari
Description
-------
In a kerberized environment, the Atlas hook uses the JAAS configuration section
named "KafkaClient" to authenticate with the Kafka broker. In a typical Hive
deployment this configuration section is set to use the keytab and principal of
the HiveServer2 process. The hook running in HiveCLI might fail to authenticate
with Kafka if the user can't read the configured keytab.
Given that HiveCLI users would have performed kinit, the hook in HiveCLI should
use the ticket cache generated by kinit. When the ticket cache is not available
(for example in HiveServer2), the hook should use the configuration provided in
the KafkaClient JAAS section.
As a solution, the properties below need to be added to the Hive
atlas-application.properties by default if the atlas-hive hook is enabled in
secure mode:
atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
Diffs
-----
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml
a29f74b
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
8c659ee
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
3054ca3
ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json
PRE-CREATION
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml
1610bb5
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
1cdd184
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml
3e7e3d7
Diff: https://reviews.apache.org/r/59701/diff/1/
Testing
-------
Verified fresh install and upgrade on CentOS 6.
Thanks,
Vishal Suvagia
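
The condition described in this review request can be checked against a deployed atlas-application.properties. The Python script below is an added example, not part of the Ambari patch: the sample file contents, the keytab path and the `parse_properties`/`audit` helpers are constructed for illustration, and values are compared exactly as written in the description above.

```python
import os

# The three ticket-cache properties named in the review request.
REQUIRED = {
    "atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag": "required",
    "atlas.jaas.ticketBased-KafkaClient.loginModuleName":
        "com.sun.security.auth.module.Krb5LoginModule",
    "atlas.jaas.ticketBased-KafkaClient.option.useTicketCache": "true",
}
KEYTAB_KEY = "atlas.jaas.KafkaClient.option.keyTab"

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props, can_read=lambda path: os.access(path, os.R_OK)):
    """Return findings; an empty list means the ticket-cache section is complete."""
    findings = []
    for key, want in REQUIRED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"missing {key}")
        elif got != want:
            findings.append(f"{key}={got}, expected {want}")
    ticket_section_ok = not findings
    keytab = props.get(KEYTAB_KEY)
    # The case from the description: keytab unreadable by this user, no fallback.
    if keytab and not ticket_section_ok and not can_read(keytab):
        findings.append(f"keytab {keytab} is unreadable by this user and no "
                        "ticket-cache section exists; hook login may fail")
    return findings

# Constructed sample: a keytab-only configuration, then the same file with the fix.
SAMPLE_BEFORE = """\
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.loginModuleControlFlag=required
atlas.jaas.KafkaClient.option.useKeyTab=true
atlas.jaas.KafkaClient.option.keyTab=/constructed/path/hive.service.keytab
"""
SAMPLE_AFTER = SAMPLE_BEFORE + "\n".join(f"{k}={v}" for k, v in REQUIRED.items())

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(parse_properties(text)) or "OK")
```

Run it as the HiveCLI user rather than as the service account, since the keytab readability check depends on who executes it.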