subject:"Re\: Review Request 59701\: AMBARI\-21154 \: Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket\-cache"

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-25 Thread Mugdha Varadkar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review178859
---


Ship it!




Ship It!

- Mugdha Varadkar


On June 23, 2017, 1:04 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> ---
> 
> (Updated June 23, 2017, 1:04 p.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, Robert Levas, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
> https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> The attached patch is for trunk branch, patch for branch-2.5 is attached to 
> Apache Jira
> 
> 
> Diffs
> -
> 
>   
> ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/service_advisor.py
>  6d3e13d 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py 
> f8bbca5 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1cbd78b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  ede267a 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> b70943b 
>   ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py 
> d4d28c9 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/3/
> 
> 
> Testing
> ---
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-23 Thread Robert Levas


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review178795
---


Ship it!




Ship It!

- Robert Levas


On June 23, 2017, 9:04 a.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> ---
> 
> (Updated June 23, 2017, 9:04 a.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, Robert Levas, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
> https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> The attached patch is for trunk branch, patch for branch-2.5 is attached to 
> Apache Jira
> 
> 
> Diffs
> -
> 
>   
> ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/service_advisor.py
>  6d3e13d 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py 
> f8bbca5 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1cbd78b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  ede267a 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> b70943b 
>   ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py 
> d4d28c9 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/3/
> 
> 
> Testing
> ---
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-23 Thread Vishal Suvagia via Review Board


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/
---

(Updated June 23, 2017, 1:04 p.m.)


Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan Neethiraj, 
Mugdha Varadkar, Nixon Rodrigues, Robert Levas, and Sumit Mohanty.


Bugs: AMBARI-21154
https://issues.apache.org/jira/browse/AMBARI-21154


Repository: ambari


Description
---

In a kerberized environment, Atlas hook uses JAAS configuration section named 
"KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
this configuration section is set to use the keytab and principal of 
HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
with Kafka if the user can't read the configured keytab.

Given that HiveCLI users would have performed kinit, the hook in HiveCLI should 
use the ticket-cache generated by kinit. When ticket cache is not available 
(for example in HiveServer2), the hook should use the configuration provided in 
KafkaClient JAAS section

As a solution need to add below in hive atlas-application.properties by default 
if atlas-hive hook is enabled in secure mode

atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true

The attached patch is for trunk branch, patch for branch-2.5 is attached to 
Apache Jira


Diffs (updated)
-

  
ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/service_advisor.py
 6d3e13d 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
a29f74b 
  
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
 8c659ee 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
3054ca3 
  ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py 
f8bbca5 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
1cbd78b 
  
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
 ede267a 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
b70943b 
  ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py d4d28c9 


Diff: https://reviews.apache.org/r/59701/diff/3/

Changes: https://reviews.apache.org/r/59701/diff/2-3/


Testing
---

Verified fresh install and upgrade on Cent-OS-6.


Thanks,

Vishal Suvagia

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-23 Thread Vishal Suvagia via Review Board


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/
---

(Updated June 23, 2017, 12:44 p.m.)


Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan Neethiraj, 
Mugdha Varadkar, Nixon Rodrigues, Robert Levas, and Sumit Mohanty.


Changes
---

Patch for branch-2.5 is attached to Apache JIRA


Bugs: AMBARI-21154
https://issues.apache.org/jira/browse/AMBARI-21154


Repository: ambari


Description (updated)
---

In a kerberized environment, Atlas hook uses JAAS configuration section named 
"KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
this configuration section is set to use the keytab and principal of 
HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
with Kafka if the user can't read the configured keytab.

Given that HiveCLI users would have performed kinit, the hook in HiveCLI should 
use the ticket-cache generated by kinit. When ticket cache is not available 
(for example in HiveServer2), the hook should use the configuration provided in 
KafkaClient JAAS section

As a solution need to add below in hive atlas-application.properties by default 
if atlas-hive hook is enabled in secure mode

atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true

The attached patch is for trunk branch, patch for branch-2.5 is attached to 
Apache Jira


Diffs
-

  
ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/service_advisor.py
 6d3e13d 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
a29f74b 
  
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
 8c659ee 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
3054ca3 
  ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py 
f8bbca5 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
1cbd78b 
  
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
 ede267a 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
b70943b 
  ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py d4d28c9 


Diff: https://reviews.apache.org/r/59701/diff/2/


Testing
---

Verified fresh install and upgrade on Cent-OS-6.


Thanks,

Vishal Suvagia

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-23 Thread Vishal Suvagia via Review Board


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/
---

(Updated June 23, 2017, 12:38 p.m.)


Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan Neethiraj, 
Mugdha Varadkar, Nixon Rodrigues, Robert Levas, and Sumit Mohanty.


Changes
---

Updated patch to change approach by removing kerberos.json and adding required 
parameters in stack-advisor logic.


Bugs: AMBARI-21154
https://issues.apache.org/jira/browse/AMBARI-21154


Repository: ambari


Description
---

In a kerberized environment, Atlas hook uses JAAS configuration section named 
"KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
this configuration section is set to use the keytab and principal of 
HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
with Kafka if the user can't read the configured keytab.

Given that HiveCLI users would have performed kinit, the hook in HiveCLI should 
use the ticket-cache generated by kinit. When ticket cache is not available 
(for example in HiveServer2), the hook should use the configuration provided in 
KafkaClient JAAS section

As a solution need to add below in hive atlas-application.properties by default 
if atlas-hive hook is enabled in secure mode

atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true


Diffs (updated)
-

  
ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/service_advisor.py
 6d3e13d 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
a29f74b 
  
ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
 8c659ee 
  ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
3054ca3 
  ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py 
f8bbca5 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
1cbd78b 
  
ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
 ede267a 
  ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
b70943b 
  ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py d4d28c9 


Diff: https://reviews.apache.org/r/59701/diff/2/

Changes: https://reviews.apache.org/r/59701/diff/1-2/


Testing
---

Verified fresh install and upgrade on Cent-OS-6.


Thanks,

Vishal Suvagia

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-06 Thread Mugdha Varadkar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review177146
---




ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json
Lines 31 (patched)


This will be required in trunk branch in 
https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/resources/common-services/HIVE/2.1.0.3.0/kerberos.json
 for stack 3.0


- Mugdha Varadkar


On June 1, 2017, 5:04 a.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> ---
> 
> (Updated June 1, 2017, 5:04 a.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
> https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> 
> Diffs
> -
> 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json 
> PRE-CREATION 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1610bb5 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  1cdd184 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> 3e7e3d7 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/1/
> 
> 
> Testing
> ---
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-06 Thread Alejandro Fernandez


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review177049
---


Ship it!




Ship It!

- Alejandro Fernandez


On June 1, 2017, 5:04 a.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> ---
> 
> (Updated June 1, 2017, 5:04 a.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
> https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> 
> Diffs
> -
> 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json 
> PRE-CREATION 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1610bb5 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  1cdd184 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> 3e7e3d7 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/1/
> 
> 
> Testing
> ---
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-06 Thread Robert Levas


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review177045
---


Ship it!




Ship It!

- Robert Levas


On June 1, 2017, 1:04 a.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> ---
> 
> (Updated June 1, 2017, 1:04 a.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
> https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> 
> Diffs
> -
> 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json 
> PRE-CREATION 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1610bb5 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  1cdd184 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> 3e7e3d7 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/1/
> 
> 
> Testing
> ---
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

2017-06-01 Thread Mugdha Varadkar


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59701/#review176733
---


Ship it!




Ship It!

- Mugdha Varadkar


On June 1, 2017, 5:04 a.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59701/
> ---
> 
> (Updated June 1, 2017, 5:04 a.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Gautam Borad, Madhan 
> Neethiraj, Mugdha Varadkar, Nixon Rodrigues, and Sumit Mohanty.
> 
> 
> Bugs: AMBARI-21154
> https://issues.apache.org/jira/browse/AMBARI-21154
> 
> 
> Repository: ambari
> 
> 
> Description
> ---
> 
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> 
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section
> 
> As a solution need to add below in hive atlas-application.properties by 
> default if atlas-hive hook is enabled in secure mode
> 
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> 
> 
> Diffs
> -
> 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml 
> a29f74b 
>   
> ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
>  8c659ee 
>   ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml 
> 3054ca3 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/HIVE/kerberos.json 
> PRE-CREATION 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/config-upgrade.xml 
> 1610bb5 
>   
> ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/nonrolling-upgrade-2.6.xml
>  1cdd184 
>   ambari-server/src/main/resources/stacks/HDP/2.6/upgrades/upgrade-2.6.xml 
> 3e7e3d7 
> 
> 
> Diff: https://reviews.apache.org/r/59701/diff/1/
> 
> 
> Testing
> ---
> 
> Verified fresh install and upgrade on Cent-OS-6.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Re: Review Request 59701: AMBARI-21154 : Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

9 matches

Site Navigation

Mail list logo

Footer information