[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal
[
https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Saisai Shao reassigned SPARK-18061:
---
Assignee: Saisai Shao
> Spark Thriftserver needs to create SPNego principal
> ---
>
> Key: SPARK-18061
> URL: https://issues.apache.org/jira/browse/SPARK-18061
> Project: Spark
> Issue Type: Bug
> Components: SQL
>Affects Versions: 1.6.1, 2.0.1
>Reporter: Chandana Mirashi
>Assignee: Saisai Shao
> Fix For: 2.3.0
>
>
> Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a
> 401 authentication error when receiving beeline HTTP request (with end user
> as kerberos principal). The similar command works with Hive Thriftserver.
> What we find is Hive thriftserver CLI service creates both hive service and
> SPNego principal when kerberos is enabled whereas Spark Thriftserver
> only creates hive service principal.
> {code:title=CLIService.java|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled()) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf);
> this.serviceUGI = Utils.getUGI();
> } catch (IOException e) {
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e);
> } catch (LoginException e) {
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e);
> }
> // Also try creating a UGI object for the SPNego principal
> String principal =
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
> String keyTabFile =
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
> if (principal.isEmpty() || keyTabFile.isEmpty()) {
> LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
> ", ketabFile: " + keyTabFile);
> } else {
> try {
> this.httpUGI =
> HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
> LOG.info("SPNego httpUGI successfully created.");
> } catch (IOException e) {
> LOG.warn("SPNego httpUGI creation failed: ", e);
> }
> }
> }
> {code}
> {code:title=SparkSQLCLIService.scala|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf)
> sparkServiceUGI = Utils.getUGI()
> setSuperField(this, "serviceUGI", sparkServiceUGI)
> } catch {
> case e @ (_: IOException | _: LoginException) =>
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e)
> }
> }
> {code}
> The patch will add missing SPNego principal to Spark Thriftserver.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal
[
https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Apache Spark reassigned SPARK-18061:
Assignee: (was: Apache Spark)
> Spark Thriftserver needs to create SPNego principal
> ---
>
> Key: SPARK-18061
> URL: https://issues.apache.org/jira/browse/SPARK-18061
> Project: Spark
> Issue Type: Bug
> Components: SQL
>Affects Versions: 1.6.1, 2.0.1
>Reporter: Chandana Mirashi
>
> Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a
> 401 authentication error when receiving beeline HTTP request (with end user
> as kerberos principal). The similar command works with Hive Thriftserver.
> What we find is Hive thriftserver CLI service creates both hive service and
> SPNego principal when kerberos is enabled whereas Spark Thriftserver
> only creates hive service principal.
> {code:title=CLIService.java|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled()) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf);
> this.serviceUGI = Utils.getUGI();
> } catch (IOException e) {
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e);
> } catch (LoginException e) {
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e);
> }
> // Also try creating a UGI object for the SPNego principal
> String principal =
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
> String keyTabFile =
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
> if (principal.isEmpty() || keyTabFile.isEmpty()) {
> LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
> ", ketabFile: " + keyTabFile);
> } else {
> try {
> this.httpUGI =
> HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
> LOG.info("SPNego httpUGI successfully created.");
> } catch (IOException e) {
> LOG.warn("SPNego httpUGI creation failed: ", e);
> }
> }
> }
> {code}
> {code:title=SparkSQLCLIService.scala|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf)
> sparkServiceUGI = Utils.getUGI()
> setSuperField(this, "serviceUGI", sparkServiceUGI)
> } catch {
> case e @ (_: IOException | _: LoginException) =>
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e)
> }
> }
> {code}
> The patch will add missing SPNego principal to Spark Thriftserver.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal
[
https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Apache Spark reassigned SPARK-18061:
Assignee: Apache Spark
> Spark Thriftserver needs to create SPNego principal
> ---
>
> Key: SPARK-18061
> URL: https://issues.apache.org/jira/browse/SPARK-18061
> Project: Spark
> Issue Type: Bug
> Components: SQL
>Affects Versions: 1.6.1, 2.0.1
>Reporter: Chandana Mirashi
>Assignee: Apache Spark
>
> Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a
> 401 authentication error when receiving beeline HTTP request (with end user
> as kerberos principal). The similar command works with Hive Thriftserver.
> What we find is Hive thriftserver CLI service creates both hive service and
> SPNego principal when kerberos is enabled whereas Spark Thriftserver
> only creates hive service principal.
> {code:title=CLIService.java|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled()) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf);
> this.serviceUGI = Utils.getUGI();
> } catch (IOException e) {
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e);
> } catch (LoginException e) {
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e);
> }
> // Also try creating a UGI object for the SPNego principal
> String principal =
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
> String keyTabFile =
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
> if (principal.isEmpty() || keyTabFile.isEmpty()) {
> LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
> ", ketabFile: " + keyTabFile);
> } else {
> try {
> this.httpUGI =
> HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
> LOG.info("SPNego httpUGI successfully created.");
> } catch (IOException e) {
> LOG.warn("SPNego httpUGI creation failed: ", e);
> }
> }
> }
> {code}
> {code:title=SparkSQLCLIService.scala|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf)
> sparkServiceUGI = Utils.getUGI()
> setSuperField(this, "serviceUGI", sparkServiceUGI)
> } catch {
> case e @ (_: IOException | _: LoginException) =>
> throw new ServiceException("Unable to login to kerberos with given
> principal/keytab", e)
> }
> }
> {code}
> The patch will add missing SPNego principal to Spark Thriftserver.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
