hive-issues mailing list archives

From "Sergey Shelukhin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-13391) add an option to LLAP to use keytab to authenticate to read data
Date Thu, 31 Mar 2016 23:59:25 GMT

    [ https://issues.apache.org/jira/browse/HIVE-13391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15220886#comment-15220886 ]

Sergey Shelukhin commented on HIVE-13391:
-----------------------------------------

I actually want to minimize the scope of login from keytab to only the necessary points. Also
current user is set only in doAs, do you want to run all of init in doAs? I don't know if
it's a good idea.
For regular Tez jobs there will be no keytab potentially, also this won't work for storage
based auth; or for non-secure in any form (because IIRC you still need tokens for HDFS then,
right?).

As for FS, I see. It doesn't use UGI as key, it just iterates through all the FSes. It looks
like UGI::equals only compares the subject, and Subject::equals compares credentials and principal.
I'd assume they would be the same if we just log in twice from keytab, no? I can change the
patch to log in anew every time, but I am not sure that would help.

> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>
>                 Key: HIVE-13391
>                 URL: https://issues.apache.org/jira/browse/HIVE-13391
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13391.patch
>
>
> This can be used for non-doAs case to allow access to clients who don't propagate HDFS tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
