[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal
[ https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Saisai Shao reassigned SPARK-18061: --- Assignee: Saisai Shao > Spark Thriftserver needs to create SPNego principal > --- > > Key: SPARK-18061 > URL: https://issues.apache.org/jira/browse/SPARK-18061 > Project: Spark > Issue Type: Bug > Components: SQL >Affects Versions: 1.6.1, 2.0.1 >Reporter: Chandana Mirashi >Assignee: Saisai Shao > Fix For: 2.3.0 > > > Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a > 401 authentication error when receiving beeline HTTP request (with end user > as kerberos principal). The similar command works with Hive Thriftserver. > What we find is Hive thriftserver CLI service creates both hive service and > SPNego principal when kerberos is enabled whereas Spark Thriftserver > only creates hive service principal. > {code:title=CLIService.java|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled()) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf); > this.serviceUGI = Utils.getUGI(); > } catch (IOException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } catch (LoginException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } > // Also try creating a UGI object for the SPNego principal > String principal = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL); > String keyTabFile = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB); > if (principal.isEmpty() || keyTabFile.isEmpty()) { > LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal + > ", ketabFile: " + keyTabFile); > } else { > try { > this.httpUGI = > HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf); > LOG.info("SPNego httpUGI successfully created."); > } catch (IOException e) { > LOG.warn("SPNego httpUGI creation failed: ", e); > } > } > } > {code} > {code:title=SparkSQLCLIService.scala|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf) > sparkServiceUGI = Utils.getUGI() > setSuperField(this, "serviceUGI", sparkServiceUGI) > } catch { > case e @ (_: IOException | _: LoginException) => > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e) > } > } > {code} > The patch will add missing SPNego principal to Spark Thriftserver. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal
[ https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Apache Spark reassigned SPARK-18061: Assignee: (was: Apache Spark) > Spark Thriftserver needs to create SPNego principal > --- > > Key: SPARK-18061 > URL: https://issues.apache.org/jira/browse/SPARK-18061 > Project: Spark > Issue Type: Bug > Components: SQL >Affects Versions: 1.6.1, 2.0.1 >Reporter: Chandana Mirashi > > Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a > 401 authentication error when receiving beeline HTTP request (with end user > as kerberos principal). The similar command works with Hive Thriftserver. > What we find is Hive thriftserver CLI service creates both hive service and > SPNego principal when kerberos is enabled whereas Spark Thriftserver > only creates hive service principal. > {code:title=CLIService.java|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled()) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf); > this.serviceUGI = Utils.getUGI(); > } catch (IOException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } catch (LoginException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } > // Also try creating a UGI object for the SPNego principal > String principal = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL); > String keyTabFile = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB); > if (principal.isEmpty() || keyTabFile.isEmpty()) { > LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal + > ", ketabFile: " + keyTabFile); > } else { > try { > this.httpUGI = > HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf); > LOG.info("SPNego httpUGI successfully created."); > } catch (IOException e) { > LOG.warn("SPNego httpUGI creation failed: ", e); > } > } > } > {code} > {code:title=SparkSQLCLIService.scala|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf) > sparkServiceUGI = Utils.getUGI() > setSuperField(this, "serviceUGI", sparkServiceUGI) > } catch { > case e @ (_: IOException | _: LoginException) => > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e) > } > } > {code} > The patch will add missing SPNego principal to Spark Thriftserver. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal
[ https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Apache Spark reassigned SPARK-18061: Assignee: Apache Spark > Spark Thriftserver needs to create SPNego principal > --- > > Key: SPARK-18061 > URL: https://issues.apache.org/jira/browse/SPARK-18061 > Project: Spark > Issue Type: Bug > Components: SQL >Affects Versions: 1.6.1, 2.0.1 >Reporter: Chandana Mirashi >Assignee: Apache Spark > > Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a > 401 authentication error when receiving beeline HTTP request (with end user > as kerberos principal). The similar command works with Hive Thriftserver. > What we find is Hive thriftserver CLI service creates both hive service and > SPNego principal when kerberos is enabled whereas Spark Thriftserver > only creates hive service principal. > {code:title=CLIService.java|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled()) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf); > this.serviceUGI = Utils.getUGI(); > } catch (IOException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } catch (LoginException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } > // Also try creating a UGI object for the SPNego principal > String principal = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL); > String keyTabFile = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB); > if (principal.isEmpty() || keyTabFile.isEmpty()) { > LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal + > ", ketabFile: " + keyTabFile); > } else { > try { > this.httpUGI = > HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf); > LOG.info("SPNego httpUGI successfully created."); > } catch (IOException e) { > LOG.warn("SPNego httpUGI creation failed: ", e); > } > } > } > {code} > {code:title=SparkSQLCLIService.scala|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf) > sparkServiceUGI = Utils.getUGI() > setSuperField(this, "serviceUGI", sparkServiceUGI) > } catch { > case e @ (_: IOException | _: LoginException) => > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e) > } > } > {code} > The patch will add missing SPNego principal to Spark Thriftserver. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org