[jira] [Commented] (HIVE-13384) Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled

2022-03-02 Thread Bo Cui (Jira)


[ 
https://issues.apache.org/jira/browse/HIVE-13384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500443#comment-17500443
 ] 

Bo Cui commented on HIVE-13384:
---

I think it's better to solve the issue from HiveMetaStoreClient, WDYT?:)

> Failed to create HiveMetaStoreClient object with proxy user when Kerberos 
> enabled
> -
>
> Key: HIVE-13384
> URL: https://issues.apache.org/jira/browse/HIVE-13384
> Project: Hive
> Issue Type: Improvement
> Components: Metastore
> Affects Versions: 1.2.0, 1.2.1
> Reporter: Bing Li
> Assignee: Bing Li
> Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> I wrote a Java client to talk with HiveMetaStore. (Hive 1.2.0)
> But found that it can't create a new HiveMetaStoreClient object successfully
> via a proxy user in a Kerberos env.
> ===
> 15/10/13 00:14:38 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>     at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> ==
> When I was debugging Hive, I found that the error came from the open() method
> in the HiveMetaStoreClient class.
> Around line 406,
>  transport = UserGroupInformation.getCurrentUser().doAs(new PrivilegedExceptionAction() {  //FAILED, because the current user doesn't have the credential
> But it will work if I change the above line to
>  transport = UserGroupInformation.getCurrentUser().getRealUser().doAs(new PrivilegedExceptionAction() {  //PASS
> I found DRILL-3413 fixes this error on the Drill side as a workaround. But if I
> submit a mapreduce job via Pig/HCatalog, it runs into the same issue again
> when initializing the object via HCatalog.
> It would be better to fix this issue on the Hive side.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
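
Added example, not part of the Jira thread or Hive's code: the HIVE-13384 report above turns on which UserGroupInformation holds the Kerberos TGT, and this sketch shows that selection with a null-safe fallback for a login user whose getRealUser() is null. It assumes hadoop-common on the classpath; the class name, helper names and user names are constructed for illustration.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserCredentialHolder {

    // Hypothetical helper (not Hive code): pick the UGI whose Subject can hold
    // the Kerberos TGT. A proxy UGI only names the impersonated user; the
    // credentials stay with its real user. A plain login user has no real
    // user, so getRealUser() returns null and the UGI itself is used.
    static UserGroupInformation credentialHolder(UserGroupInformation current) {
        UserGroupInformation real = current.getRealUser();
        return real != null ? real : current;
    }

    // Run the connection-opening action as the credential holder, so the
    // GSSAPI handshake looks for the TGT in the Subject that can have one.
    static <T> T openAs(UserGroupInformation current,
                        PrivilegedExceptionAction<T> open)
            throws IOException, InterruptedException {
        return credentialHolder(current).doAs(open);
    }

    public static void main(String[] args) throws Exception {
        // Constructed identities; createRemoteUser needs no KDC, so this runs
        // offline and only demonstrates which identity the action runs under.
        UserGroupInformation service =
                UserGroupInformation.createRemoteUser("svc-etl");
        UserGroupInformation proxy =
                UserGroupInformation.createProxyUser("alice", service);

        // Stand-in for opening the SASL transport: report who is running it.
        PrivilegedExceptionAction<String> whoAmI =
                () -> UserGroupInformation.getCurrentUser().getUserName();

        System.out.println("proxy.doAs      -> " + proxy.doAs(whoAmI));
        System.out.println("openAs(proxy)   -> " + openAs(proxy, whoAmI));
        System.out.println("openAs(service) -> " + openAs(service, whoAmI));
        System.out.println("service has real user: "
                + (service.getRealUser() != null));
    }
}
```

The sketch covers only which Subject the handshake runs under; the server still has to learn which user is being impersonated and decide whether the real user is allowed to do so.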


[jira] [Comment Edited] (HIVE-15579) Support HADOOP_PROXY_USER for secure impersonation in hive metastore client

2022-03-01 Thread Bo Cui (Jira)


[ 
https://issues.apache.org/jira/browse/HIVE-15579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499418#comment-17499418
 ] 

Bo Cui edited comment on HIVE-15579 at 3/1/22, 9:50 AM:


hi [~nanda] [~thejas] 

Why is RealUser called? In most cases, the LoginUser's RealUser is null.

https://github.com/apache/hive/blob/bf69b32c878c0d53f242cc38b6634c8ee4346e76/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java#L243

 

UserGroupInformation ugi = UserGroupInformation.createProxyUser(proxyUserA, realUserB);

I think proxyUserA is `UserGroupInformation.getCurrentUser()` and realUserB is
`UserGroupInformation.getCurrentUser().getRealUser()`

 


was (Author: bo cui):
hi [~nanda] [~thejas] 

Why is RealUser called? In most cases, the LoginUser's RealUser is null.

!image-2022-03-01-17-45-03-213.png!

 

UserGroupInformation ugi = UserGroupInformation.createProxyUser(proxyUserA, realUserB);

I think proxyUserA is `UserGroupInformation.getCurrentUser()` and realUserB is
`UserGroupInformation.getCurrentUser().getRealUser()`

 

> Support HADOOP_PROXY_USER for secure impersonation in hive metastore client
> ---
>
> Key: HIVE-15579
> URL: https://issues.apache.org/jira/browse/HIVE-15579
> Project: Hive
> Issue Type: Bug
> Reporter: Thejas Nair
> Assignee: Nandakumar
> Priority: Major
> Labels: TODOC2.2
> Fix For: 2.3.0
>
> Attachments: HIVE-15579.000.patch, HIVE-15579.001.patch, 
> HIVE-15579.002.patch, HIVE-15579.003.patch, HIVE-15579.003.patch
>
>
> Hadoop clients support HADOOP_PROXY_USER for secure impersonation. It would 
> be useful to have similar feature for hive metastore client.





[jira] [Commented] (HIVE-15579) Support HADOOP_PROXY_USER for secure impersonation in hive metastore client

2022-03-01 Thread Bo Cui (Jira)


[ 
https://issues.apache.org/jira/browse/HIVE-15579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499418#comment-17499418
 ] 

Bo Cui commented on HIVE-15579:
---

hi [~nanda] [~thejas] 

Why is RealUser called? In most cases, the LoginUser's RealUser is null.

!image-2022-03-01-17-45-03-213.png!

 

UserGroupInformation ugi = UserGroupInformation.createProxyUser(proxyUserA, realUserB);

I think proxyUserA is `UserGroupInformation.getCurrentUser()` and realUserB is
`UserGroupInformation.getCurrentUser().getRealUser()`

 

> Support HADOOP_PROXY_USER for secure impersonation in hive metastore client
> ---
>
> Key: HIVE-15579
> URL: https://issues.apache.org/jira/browse/HIVE-15579
> Project: Hive
> Issue Type: Bug
> Reporter: Thejas Nair
> Assignee: Nandakumar
> Priority: Major
> Labels: TODOC2.2
> Fix For: 2.3.0
>
> Attachments: HIVE-15579.000.patch, HIVE-15579.001.patch, 
> HIVE-15579.002.patch, HIVE-15579.003.patch, HIVE-15579.003.patch
>
>
> Hadoop clients support HADOOP_PROXY_USER for secure impersonation. It would 
> be useful to have similar feature for hive metastore client.


