ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vishal Suvagia (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-21154) Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache
Date Fri, 23 Jun 2017 12:28:00 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-21154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Vishal Suvagia updated AMBARI-21154:
------------------------------------
    Attachment: AMBARI-21154-branch-2.5.patch
                AMBARI-21154-trunk.patch

> Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache
> --------------------------------------------------------------------------------------
>
>                 Key: AMBARI-21154
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21154
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.5.1
>            Reporter: Vishal Suvagia
>            Assignee: Vishal Suvagia
>            Priority: Minor
>             Fix For: 2.5.2
>
>         Attachments: AMBARI-21154-branch-2.5.patch, AMBARI-21154.patch, AMBARI-21154-trunk.patch
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named "KakfaClient"
to authenticate with Kafka broker. In a typical Hive deployment this configuration section
is set to use the keytab and principal of HiveServer2 process. The hook running in HiveCLI
might fail to authenticate with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI should use the
ticket-cache generated by kinit. When ticket cache is not available (for example in HiveServer2),
the hook should use the configuration provided in KafkaClient JAAS section
> As a solution need to add below in {{hive atlas-application.properties}} by default if
atlas-hive hook is enabled in secure mode
> {code:none}
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message