Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Tue, 06 Jun 2017 08:22:17 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review177045
-----------------------------------------------------------


Ship it!




Ship It!

- Robert Levas


On June 1, 2017, 1:04 a.m., Vishal Suvagia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> -----------------------------------------------------------
> 
> (Updated June 1, 2017, 1:04 a.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
>     https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json 
> PRE-CREATION 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1610bb5 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  1cdd184 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> 3e7e3d7 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/1/
> 
> 
> Testing
> -------
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Reply via email to