atlas-dev mailing list archives

From "Madhan Neethiraj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ATLAS-1546) Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
Date Mon, 13 Feb 2017 16:23:41 GMT

    [ https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15863932#comment-15863932 ]

Madhan Neethiraj commented on ATLAS-1546:
-----------------------------------------

bq. I tried running HiveServer2 (Run as end user instead of Hive user) with doAs = true
[~nixonrodrigues] HiveServer2 should be run as the 'hive' service user, not as an end user.

bq. tested HiveCli with doAs = true
The doAs flag is not relevant for HiveCLI, as it doesn't perform any impersonation. There is
no need to validate HiveCLI with doAs=true.

It will help if you can try the following steps and update the results here:
# Configure HiveServer2 with doAs=true
# Run HiveServer2 as hive service user
# Using beeline, connect as an end user and create objects (database/table/view) - verify that created object details are received in Atlas
# Using Hive-CLI, create objects and verify that created object details are received in Atlas


> Hive hook should choose appropriate JAAS config if host uses kerberos ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, hiveenviro, hiveserver2_log.txt, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named "KafkaClient"
> to authenticate with Kafka broker. In a typical Hive deployment this configuration section
> is set to use the keytab and principal of HiveServer2 process. The hook running in HiveCLI
> might fail to authenticate with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI should use the
> ticket-cache generated by kinit. When ticket cache is not available (for example in HiveServer2),
> the hook should use the configuration provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
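
The selection rule in the issue description, sketched as an added example (not code from Atlas or from the attached patches). The class name `TicketCacheAwareJaasConfig` and the `KRB5CCNAME`-only cache detection are assumptions made for illustration; the `Krb5LoginModule` options are the standard JDK ones.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Hypothetical wrapper, not Atlas code: prefer the caller's kinit ticket cache,
// otherwise defer to the KafkaClient section of the JAAS configuration already in place.
public class TicketCacheAwareJaasConfig extends Configuration {
    private static final String SECTION = "KafkaClient";
    private final Configuration fallback;

    public TicketCacheAwareJaasConfig(Configuration fallback) {
        this.fallback = fallback;
    }

    // Simplifying assumption: only a FILE-type cache named by KRB5CCNAME is detected.
    static Path readableTicketCache(String krb5ccname) {
        if (krb5ccname == null || krb5ccname.isEmpty()) return null;
        String file = krb5ccname.startsWith("FILE:") ? krb5ccname.substring(5) : krb5ccname;
        if (file.contains(":")) return null; // KEYRING:, DIR:, ... are not handled here
        Path p = Paths.get(file);
        return Files.isReadable(p) ? p : null;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Path cache = SECTION.equals(name) ? readableTicketCache(System.getenv("KRB5CCNAME")) : null;
        if (cache == null) {
            return fallback.getAppConfigurationEntry(name); // e.g. HiveServer2 keytab login
        }
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("ticketCache", cache.toString());
        opts.put("renewTGT", "true");
        opts.put("useKeyTab", "false");
        opts.put("doNotPrompt", "true"); // fail rather than prompt if the cache is unusable
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts)
        };
    }
}
```

It would be installed with `Configuration.setConfiguration(new TicketCacheAwareJaasConfig(Configuration.getConfiguration()))` before the Kafka client is created. The check covers file readability only, so an expired ticket in a readable cache makes the login fail instead of falling back to the keytab, which keeps the HiveServer2 keytab unreadable to end users.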
