[jira] [Updated] (HIVE-21922) Allow keytabs to be reused in LLAP yarn applications through Yarn localization
[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Szita updated HIVE-21922: -- Resolution: Invalid Status: Resolved (was: Patch Available) > Allow keytabs to be reused in LLAP yarn applications through Yarn localization > -- > > Key: HIVE-21922 > URL: https://issues.apache.org/jira/browse/HIVE-21922 > Project: Hive > Issue Type: New Feature >Reporter: Adam Szita >Assignee: Adam Szita >Priority: Major > Attachments: HIVE-21922.0.patch, HIVE-21922.1.patch, > HIVE-21922.2.patch > > > In secure clusters LLAP has to be able to reach keytab files for kerberos > login. > Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and > _hive.llap.daemon.keytab.file_ configs are used to define the path of such > keytabs on the Tez AM and LLAP daemon side respectively. Both presume local > file system paths only - hence all nodes in the LLAP cluster (even those that > eventually don't end up executing a daemon...) have to have Hive's keytab > preinstalled on them. > The above is described by this strategy: > [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers] > Another approach can be > [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN] > where we rely on HDFS and Yarn resource localization, and no prior keytab > distribution is required. I intend to make this strategy an option for > Hive-LLAP in this jira. -- This message was sent by Atlassian JIRA (v7.6.14#76016)
[jira] [Updated] (HIVE-21922) Allow keytabs to be reused in LLAP yarn applications through Yarn localization
[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Szita updated HIVE-21922: -- Attachment: HIVE-21922.2.patch > Allow keytabs to be reused in LLAP yarn applications through Yarn localization > -- > > Key: HIVE-21922 > URL: https://issues.apache.org/jira/browse/HIVE-21922 > Project: Hive > Issue Type: New Feature >Reporter: Adam Szita >Assignee: Adam Szita >Priority: Major > Attachments: HIVE-21922.0.patch, HIVE-21922.1.patch, > HIVE-21922.2.patch > > > In secure clusters LLAP has to be able to reach keytab files for kerberos > login. > Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and > _hive.llap.daemon.keytab.file_ configs are used to define the path of such > keytabs on the Tez AM and LLAP daemon side respectively. Both presume local > file system paths only - hence all nodes in the LLAP cluster (even those that > eventually don't end up executing a daemon...) have to have Hive's keytab > preinstalled on them. > The above is described by this strategy: > [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers] > Another approach can be > [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN] > where we rely on HDFS and Yarn resource localization, and no prior keytab > distribution is required. I intend to make this strategy an option for > Hive-LLAP in this jira. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (HIVE-21922) Allow keytabs to be reused in LLAP yarn applications through Yarn localization
[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Szita updated HIVE-21922: -- Attachment: HIVE-21922.1.patch > Allow keytabs to be reused in LLAP yarn applications through Yarn localization > -- > > Key: HIVE-21922 > URL: https://issues.apache.org/jira/browse/HIVE-21922 > Project: Hive > Issue Type: New Feature >Reporter: Adam Szita >Assignee: Adam Szita >Priority: Major > Attachments: HIVE-21922.0.patch, HIVE-21922.1.patch > > > In secure clusters LLAP has to be able to reach keytab files for kerberos > login. > Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and > _hive.llap.daemon.keytab.file_ configs are used to define the path of such > keytabs on the Tez AM and LLAP daemon side respectively. Both presume local > file system paths only - hence all nodes in the LLAP cluster (even those that > eventually don't end up executing a daemon...) have to have Hive's keytab > preinstalled on them. > The above is described by this strategy: > [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers] > Another approach can be > [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN] > where we rely on HDFS and Yarn resource localization, and no prior keytab > distribution is required. I intend to make this strategy an option for > Hive-LLAP in this jira. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (HIVE-21922) Allow keytabs to be reused in LLAP yarn applications through Yarn localization
[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Szita updated HIVE-21922: -- Status: Patch Available (was: Open) > Allow keytabs to be reused in LLAP yarn applications through Yarn localization > -- > > Key: HIVE-21922 > URL: https://issues.apache.org/jira/browse/HIVE-21922 > Project: Hive > Issue Type: New Feature >Reporter: Adam Szita >Assignee: Adam Szita >Priority: Major > Attachments: HIVE-21922.0.patch > > > In secure clusters LLAP has to be able to reach keytab files for kerberos > login. > Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and > _hive.llap.daemon.keytab.file_ configs are used to define the path of such > keytabs on the Tez AM and LLAP daemon side respectively. Both presume local > file system paths only - hence all nodes in the LLAP cluster (even those that > eventually don't end up executing a daemon...) have to have Hive's keytab > preinstalled on them. > The above is described by this strategy: > [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers] > Another approach can be > [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN] > where we rely on HDFS and Yarn resource localization, and no prior keytab > distribution is required. I intend to make this strategy an option for > Hive-LLAP in this jira. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (HIVE-21922) Allow keytabs to be reused in LLAP yarn applications through Yarn localization
[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Szita updated HIVE-21922: -- Attachment: HIVE-21922.0.patch > Allow keytabs to be reused in LLAP yarn applications through Yarn localization > -- > > Key: HIVE-21922 > URL: https://issues.apache.org/jira/browse/HIVE-21922 > Project: Hive > Issue Type: New Feature >Reporter: Adam Szita >Assignee: Adam Szita >Priority: Major > Attachments: HIVE-21922.0.patch > > > In secure clusters LLAP has to be able to reach keytab files for kerberos > login. > Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and > _hive.llap.daemon.keytab.file_ configs are used to define the path of such > keytabs on the Tez AM and LLAP daemon side respectively. Both presume local > file system paths only - hence all nodes in the LLAP cluster (even those that > eventually don't end up executing a daemon...) have to have Hive's keytab > preinstalled on them. > The above is described by this strategy: > [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers] > Another approach can be > [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN] > where we rely on HDFS and Yarn resource localization, and no prior keytab > distribution is required. I intend to make this strategy an option for > Hive-LLAP in this jira. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
