[
https://issues.apache.org/jira/browse/HIVE-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14587091#comment-14587091
]
Josh Elser commented on HIVE-11010:
---
Thanks for filing this. Was doing some debugging with [~taksaito] with the
AccumuloStorageHandler -- loaded some data in both HBase and Accumulo, ran some
Hive queries against both and found that when we ran the Accumulo queries via
hiveserver (but not in the local client) both the queries would fail on the RPC
handshakes. Short story, AccumuloStorageHandler queries with Kerberos on don't
work with HiveServer2.
I think what was happening is that the additions to the AccumuloStorageHandler
in HIVE-10857 don't work as expected because HS2 is going to be running with
its own Kerberos credentials. I think we need to change how we set up the
credentials inside of AccumuloStorageHandler so that it will work regardless of
a local hive client or hs2 -- running a doAs with a PROXY instead of replacing
the HS2 credentials.
The second half is that we'd need to make sure Accumulo itself is configured to
allow HS2 to proxy on behalf of users -- not relevant for Hive code, but
something to document for users to set up in Accumulo.
> Accumulo storage handler queries via HS2 fail
> -
>
> Key: HIVE-11010
> URL: https://issues.apache.org/jira/browse/HIVE-11010
> Project: Hive
> Issue Type: Bug
> Components: Hive
>Affects Versions: 1.2.0, 1.2.1
> Environment: Secure
>Reporter: Takahiko Saito
>Assignee: Josh Elser
> Fix For: 1.2.1
>
>
> On Kerberized cluster, accumulo storage handler throws an error,
> "[usrname]@[principlaname] is not allowed to impersonate [username]"
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)