atlas-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Senia (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
Date Sat, 11 Feb 2017 07:17:41 GMT

    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862279#comment-15862279
] 

Greg Senia commented on ATLAS-1546:
-----------------------------------

nope not unless ambari does it under the covers.. But just checked including lsof and ps guaxwwe
to grab enviro

[root@ha21t55mn t93kd9i]# su - hive
Last login: Fri Feb 10 20:29:36 EST 2017
[hive@ha21t55mn ~]$ klist
klist: Credentials cache file '/tmp/krb5cc_80009' not found


-rw-------. 1 gss2003   domain users 1846 Jan 31 13:22 krb5cc_190186246
-rw-------. 1 gss2002   domain users 1840 Feb 10 17:48 krb5cc_190177540_aM8cGE
-rw-------. 1 hbase     hadoop        870 Feb 10 18:34 krb5cc_80006
-rw-------. 1 kafka     hadoop       1002 Feb 10 18:34 krb5cc_80026
-rw-------. 1 hdfs      hadoop       2064 Feb 10 20:29 krb5cc_80008
-rw-------. 1 gss2002   domain users 1789 Feb 11 02:09 krb5cc_190177540_ucndn5QWLm
-rw-------. 1 ambari-qa hadoop        886 Feb 11 02:11 krb5cc_80001

> Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveserver2_log.txt, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named "KakfaClient"
to authenticate with Kafka broker. In a typical Hive deployment this configuration section
is set to use the keytab and principal of HiveServer2 process. The hook running in HiveCLI
might fail to authenticate with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI should use the
ticket-cache generated by kinit. When ticket cache is not available (for example in HiveServer2),
the hook should use the configuration provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message