[jira] [Comment Edited] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15874451#comment-15874451 ]

Keval Bhatt edited comment on ATLAS-1546 at 2/20/17 12:30 PM:
--------------------------------------------------------------

+1 for the ATLAS-1546.4.patch

was (Author: kevalbhatt18):
+1 for the patch ATLAS-1546.4.patch

> Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.2.patch, ATLAS-1546.3.patch, ATLAS-1546.4.patch, ATLAS-1546.patch, hiveenviro, hiveserver2_log.txt, hiveserver2-site.xml, hive-site.xml, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named
> "KafkaClient" to authenticate with Kafka broker. In a typical Hive deployment
> this configuration section is set to use the keytab and principal of
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI
> should use the ticket-cache generated by kinit. When ticket cache is not
> available (for example in HiveServer2), the hook should use the configuration
> provided in KafkaClient JAAS section.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
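The selection rule in the issue description above, as an added Java example; it is not Atlas code and is not taken from any of the attached patches. The class name KafkaClientJaasSelector and the trial-login probe are assumptions made for illustration; the Krb5LoginModule options are the standard JDK ones.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added illustration (hypothetical class, not Atlas code): serve "KafkaClient" from the
// kinit ticket cache when one is usable, otherwise from the existing JAAS configuration.
public class KafkaClientJaasSelector extends Configuration {
    private static final String SECTION = "KafkaClient";
    private final Configuration fallback;      // static config, e.g. the HiveServer2 keytab
    private final boolean ticketCacheUsable;

    public KafkaClientJaasSelector(Configuration fallback) {
        this.fallback = fallback;
        this.ticketCacheUsable = probeTicketCache();
    }

    // Krb5LoginModule entry that reads only the ticket cache: no keytab, no password prompt.
    static AppConfigurationEntry[] ticketCacheEntry() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("useKeyTab", "false");
        opts.put("doNotPrompt", "true");
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts) };
    }

    // A trial login throws LoginException when the cache holds no valid TGT.
    static boolean probeTicketCache() {
        Configuration probe = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return ticketCacheEntry();
            }
        };
        try {
            new LoginContext("ticket-cache-probe", null, null, probe).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (SECTION.equals(name) && ticketCacheUsable) {
            return ticketCacheEntry();          // HiveCLI after kinit: keytab is never opened
        }
        return fallback == null ? null : fallback.getAppConfigurationEntry(name);
    }
}
```

Installing it with `Configuration.setConfiguration(...)` before the Kafka client is created assumes the client resolves "KafkaClient" through the JVM-wide JAAS configuration. The keytab keeps its restrictive permissions either way, since a user with a ticket cache never needs to read it.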
[jira] [Comment Edited] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863318#comment-15863318 ]

Nixon Rodrigues edited comment on ATLAS-1546 at 2/13/17 8:36 AM:
-----------------------------------------------------------------

[~gss2002],[~madhan.neethiraj],

I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true and tables are created in hive and entities are getting created Atlas end.

Also tested HiveCli and it is also working fine and entities are getting created Atlas end.

Tested this with hive_test user, this user was created with below steps

{noformat}
useradd hive_test
hadoop fs -mkdir /user/hive_test
hadoop fs -chown hive_test /user/hive_test
{noformat}

and principal hive_test, created with below steps

{noformat}
kadmin.local
addprinc hive_test/hive_test/dom...@example.com
kinit hive_test/dom...@example.com
{noformat}

was (Author: nixonrodrigues):
[~gss2002],[~madhan.neethiraj],

I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true and tables are created in hive and entities are getting created Atlas end.

Also tested HiveCli and it is also working fine and entities are getting created Atlas end.
[jira] [Comment Edited] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863318#comment-15863318 ]

Nixon Rodrigues edited comment on ATLAS-1546 at 2/13/17 8:39 AM:
-----------------------------------------------------------------

[~gss2002],[~madhan.neethiraj],

I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true and tables are created in hive and entities are getting created Atlas end.

Also tested HiveCli and it is also working fine and entities are getting created Atlas end.

Tested this with *hive_test* user, this user was created with below steps

{noformat}
useradd hive_test
hadoop fs -mkdir /user/hive_test
hadoop fs -chown hive_test /user/hive_test
{noformat}

and principal *hive_test*, created with below steps

{noformat}
kadmin.local
addprinc hive_test/dom...@example.com
exit
and then kinit
kinit hive_test/dom...@example.com
{noformat}

was (Author: nixonrodrigues):
[~gss2002],[~madhan.neethiraj],

I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true and tables are created in hive and entities are getting created Atlas end.

Also tested HiveCli and it is also working fine and entities are getting created Atlas end.

Tested this with hive_test user, this user was created with below steps

{noformat}
useradd hive_test
hadoop fs -mkdir /user/hive_test
hadoop fs -chown hive_test /user/hive_test
{noformat}

and principal hive_test, created with below steps

{noformat}
kadmin.local
addprinc hive_test/hive_test/dom...@example.com
kinit hive_test/dom...@example.com
{noformat}
[jira] [Comment Edited] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863318#comment-15863318 ]

Nixon Rodrigues edited comment on ATLAS-1546 at 2/13/17 9:02 AM:
-----------------------------------------------------------------

[~gss2002],[~madhan.neethiraj],

I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true and tables are created in hive and entities are getting created at Atlas end.

Also tested HiveCli with doAs = true and it is also working fine and entities are getting created at Atlas end.

Tested this with *hive_test* user, this user was created with below steps

{noformat}
useradd hive_test
hadoop fs -mkdir /user/hive_test
hadoop fs -chown hive_test /user/hive_test
{noformat}

and principal *hive_test*, created with below steps

{noformat}
kadmin.local
addprinc hive_test/dom...@example.com
exit
and then kinit
kinit hive_test/dom...@example.com
{noformat}

was (Author: nixonrodrigues):
[~gss2002],[~madhan.neethiraj],

I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true and tables are created in hive and entities are getting created Atlas end.

Also tested HiveCli and it is also working fine and entities are getting created Atlas end.

Tested this with *hive_test* user, this user was created with below steps

{noformat}
useradd hive_test
hadoop fs -mkdir /user/hive_test
hadoop fs -chown hive_test /user/hive_test
{noformat}

and principal *hive_test*, created with below steps

{noformat}
kadmin.local
addprinc hive_test/dom...@example.com
exit
and then kinit
kinit hive_test/dom...@example.com
{noformat}
[jira] [Comment Edited] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862279#comment-15862279 ]

Greg Senia edited comment on ATLAS-1546 at 2/11/17 7:24 AM:
------------------------------------------------------------

[~madhan.neethiraj] nope not unless ambari does it under the covers.. But just checked including lsof and ps guaxwwe to grab enviro

[root@ha21t55mn t93kd9i]# su - hive
Last login: Fri Feb 10 20:29:36 EST 2017
[hive@ha21t55mn ~]$ klist
klist: Credentials cache file '/tmp/krb5cc_80009' not found

-rw-------. 1 gss2003 domain users 1846 Jan 31 13:22 krb5cc_190186246
-rw-------. 1 gss2002 domain users 1840 Feb 10 17:48 krb5cc_190177540_aM8cGE
-rw-------. 1 hbase hadoop 870 Feb 10 18:34 krb5cc_80006
-rw-------. 1 kafka hadoop 1002 Feb 10 18:34 krb5cc_80026
-rw-------. 1 hdfs hadoop 2064 Feb 10 20:29 krb5cc_80008
-rw-------. 1 gss2002 domain users 1789 Feb 11 02:09 krb5cc_190177540_ucndn5QWLm
-rw-------. 1 ambari-qa hadoop 886 Feb 11 02:11 krb5cc_80001

was (Author: gss2002):
nope not unless ambari does it under the covers.. But just checked including lsof and ps guaxwwe to grab enviro

[root@ha21t55mn t93kd9i]# su - hive
Last login: Fri Feb 10 20:29:36 EST 2017
[hive@ha21t55mn ~]$ klist
klist: Credentials cache file '/tmp/krb5cc_80009' not found

-rw-------. 1 gss2003 domain users 1846 Jan 31 13:22 krb5cc_190186246
-rw-------. 1 gss2002 domain users 1840 Feb 10 17:48 krb5cc_190177540_aM8cGE
-rw-------. 1 hbase hadoop 870 Feb 10 18:34 krb5cc_80006
-rw-------. 1 kafka hadoop 1002 Feb 10 18:34 krb5cc_80026
-rw-------. 1 hdfs hadoop 2064 Feb 10 20:29 krb5cc_80008
-rw-------. 1 gss2002 domain users 1789 Feb 11 02:09 krb5cc_190177540_ucndn5QWLm
-rw-------. 1 ambari-qa hadoop 886 Feb 11 02:11 krb5cc_80001