[jira] [Commented] (HIVE-13384) Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled
    [ https://issues.apache.org/jira/browse/HIVE-13384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500443#comment-17500443 ]

Bo Cui commented on HIVE-13384:
---

I think it's better to solve the issue from HiveMetaStoreClient, WDYT?:)

> Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled
> ---
>
>                 Key: HIVE-13384
>                 URL: https://issues.apache.org/jira/browse/HIVE-13384
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore
>    Affects Versions: 1.2.0, 1.2.1
>            Reporter: Bing Li
>            Assignee: Bing Li
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> I wrote a Java client to talk with HiveMetaStore. (Hive 1.2.0)
> But found that it can't new a HiveMetaStoreClient object successfully via a proxy user in Kerberos env.
> ===
> 15/10/13 00:14:38 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>         at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>         at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> ==
> When I was debugging on Hive, I found that the error came from open() method in HiveMetaStoreClient class.
> Around line 406,
>  transport = UserGroupInformation.getCurrentUser().doAs(new PrivilegedExceptionAction() { //FAILED, because the current user doesn't have the credential
> But it will work if I change above line to
>  transport = UserGroupInformation.getCurrentUser().getRealUser().doAs(new PrivilegedExceptionAction() { //PASS
> I found DRILL-3413 fixes this error in Drill side as a workaround. But if I submit a mapreduce job via Pig/HCatalog, it runs into the same issue again when initializing the object via HCatalog.
> It would be better to fix this issue in Hive side.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Comment Edited] (HIVE-15579) Support HADOOP_PROXY_USER for secure impersonation in hive metastore client
    [ https://issues.apache.org/jira/browse/HIVE-15579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499418#comment-17499418 ]

Bo Cui edited comment on HIVE-15579 at 3/1/22, 9:50 AM:
---

Hi [~nanda] [~thejas]
Why is RealUser called? In most cases, the LoginUser's RealUser is null.
https://github.com/apache/hive/blob/bf69b32c878c0d53f242cc38b6634c8ee4346e76/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java#L243

UserGroupInformation ugi = UserGroupInformation.createProxyUser(proxyUserA, realUserB )
I think proxyUserA is `UserGroupInformation.getCurrentUser()` and realUserB is `UserGroupInformation.getCurrentUser().getRealUser()`

was (Author: bo cui):
Hi [~nanda] [~thejas]
Why is RealUser called? In most cases, the LoginUser's RealUser is null.
!image-2022-03-01-17-45-03-213.png!

UserGroupInformation ugi = UserGroupInformation.createProxyUser(proxyUserA, realUserB )
I think proxyUserA is `UserGroupInformation.getCurrentUser()` and realUserB is `UserGroupInformation.getCurrentUser().getRealUser()`

> Support HADOOP_PROXY_USER for secure impersonation in hive metastore client
> ---
>
>                 Key: HIVE-15579
>                 URL: https://issues.apache.org/jira/browse/HIVE-15579
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Thejas Nair
>            Assignee: Nandakumar
>            Priority: Major
>              Labels: TODOC2.2
>             Fix For: 2.3.0
>
>         Attachments: HIVE-15579.000.patch, HIVE-15579.001.patch, HIVE-15579.002.patch, HIVE-15579.003.patch, HIVE-15579.003.patch
>
>
> Hadoop clients support HADOOP_PROXY_USER for secure impersonation. It would be useful to have similar feature for hive metastore client.
[jira] [Commented] (HIVE-15579) Support HADOOP_PROXY_USER for secure impersonation in hive metastore client
    [ https://issues.apache.org/jira/browse/HIVE-15579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499418#comment-17499418 ]

Bo Cui commented on HIVE-15579:
---

Hi [~nanda] [~thejas]
Why is RealUser called? In most cases, the LoginUser's RealUser is null.
!image-2022-03-01-17-45-03-213.png!

UserGroupInformation ugi = UserGroupInformation.createProxyUser(proxyUserA, realUserB )
I think proxyUserA is `UserGroupInformation.getCurrentUser()` and realUserB is `UserGroupInformation.getCurrentUser().getRealUser()`

> Support HADOOP_PROXY_USER for secure impersonation in hive metastore client
> ---
>
>                 Key: HIVE-15579
>                 URL: https://issues.apache.org/jira/browse/HIVE-15579
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Thejas Nair
>            Assignee: Nandakumar
>            Priority: Major
>              Labels: TODOC2.2
>             Fix For: 2.3.0
>
>         Attachments: HIVE-15579.000.patch, HIVE-15579.001.patch, HIVE-15579.002.patch, HIVE-15579.003.patch, HIVE-15579.003.patch
>
>
> Hadoop clients support HADOOP_PROXY_USER for secure impersonation. It would be useful to have similar feature for hive metastore client.
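
Added example, not part of the thread and not Hive's code: a null-safe way to pick the UGI that should carry the Kerberos credentials for the SASL handshake, covering both the proxy-user failure reported in HIVE-13384 and the "RealUser is null" case raised on HIVE-15579. The class name, the helper names and the identities `svc-etl` and `alice` are hypothetical; it assumes hadoop-common is on the classpath and contacts no KDC.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUgiCheck {

    // The UGI whose Subject should hold the Kerberos TGT for the SASL handshake:
    // the real user behind a proxy UGI, or the UGI itself when getRealUser() is
    // null (the case for an ordinary login or remote user).
    static UserGroupInformation credentialHolder(UserGroupInformation ugi) {
        UserGroupInformation real = ugi.getRealUser();
        return real != null ? real : ugi;
    }

    // Runs a stand-in for "open the transport" under the credential holder and
    // reports which identity the handshake would authenticate as.
    static String describe(UserGroupInformation ugi) throws Exception {
        UserGroupInformation holder = credentialHolder(ugi);
        String handshakeAs = holder.doAs((PrivilegedExceptionAction<String>) () ->
                UserGroupInformation.getCurrentUser().getShortUserName());
        UserGroupInformation real = ugi.getRealUser();
        return String.format("effective=%s auth=%s realUser=%s hasTgt=%b handshakeAs=%s",
                ugi.getShortUserName(),
                ugi.getAuthenticationMethod(),
                real == null ? "null" : real.getShortUserName(),
                ugi.hasKerberosCredentials(),
                handshakeAs);
    }

    public static void main(String[] args) throws Exception {
        // Constructed identities: no keytab and no KDC, so hasTgt is false for both here.
        UserGroupInformation service = UserGroupInformation.createRemoteUser("svc-etl");
        UserGroupInformation proxy = UserGroupInformation.createProxyUser("alice", service);
        System.out.println(describe(service));
        System.out.println(describe(proxy));
    }
}
```

Authenticating as the real user only solves the handshake: the effective user still has to be conveyed to the server, and the server has to authorise the impersonation (in Hadoop, the `hadoop.proxyuser.<user>.hosts` and `hadoop.proxyuser.<user>.groups` settings), otherwise requests run with the service identity's privileges.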