hive-issues mailing list archives

From "Hive QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-17489) Separate client-facing and server-side Kerberos principals, to support HA
Date Wed, 13 Sep 2017 10:45:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-17489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16164469#comment-16164469 ]

Hive QA commented on HIVE-17489:
--------------------------------



Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12886694/HIVE-17489.2.patch

{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 21 failed/errored test(s), 11005 tests executed
*Failed tests:*
{noformat}
TestAccumuloCliDriver - did not produce a TEST-*.xml file (likely timed out) (batchId=230)
TestDummy - did not produce a TEST-*.xml file (likely timed out) (batchId=230)
TestHs2HooksWithMiniKdc - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
TestJdbcNonKrbSASLWithMiniKdc - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
TestJdbcWithDBTokenStore - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
TestJdbcWithMiniKdc - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
TestJdbcWithMiniKdcCookie - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
TestJdbcWithMiniKdcSQLAuthBinary - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
TestJdbcWithMiniKdcSQLAuthHttp - did not produce a TEST-*.xml file (likely timed out) (batchId=240)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[create_view] (batchId=39)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[insert_values_orig_table_use_metadata] (batchId=61)
org.apache.hadoop.hive.cli.TestMiniLlapCliDriver.testCliDriver[unionDistinct_1] (batchId=143)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[union_fast_stats] (batchId=156)
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver[explainanalyze_2] (batchId=100)
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testCliDriver[drop_table_failure2] (batchId=89)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query14] (batchId=234)
org.apache.hadoop.hive.ql.TestAcidOnTez.testCtasTezUnion (batchId=215)
org.apache.hadoop.hive.ql.TestAcidOnTez.testNonStandardConversion01 (batchId=215)
org.apache.hive.minikdc.TestHiveAuthFactory.testStartTokenManagerForDBTokenStore (batchId=240)
org.apache.hive.minikdc.TestHiveAuthFactory.testStartTokenManagerForMemoryTokenStore (batchId=240)
org.apache.hive.minikdc.TestSSLWithMiniKdc.org.apache.hive.minikdc.TestSSLWithMiniKdc (batchId=240)
{noformat}

Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/6794/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/6794/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-6794/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 21 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12886694 - PreCommit-HIVE-Build

> Separate client-facing and server-side Kerberos principals, to support HA
> -------------------------------------------------------------------------
>
>                 Key: HIVE-17489
>                 URL: https://issues.apache.org/jira/browse/HIVE-17489
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>            Reporter: Mithun Radhakrishnan
>            Assignee: Thiruvel Thirumoolan
>         Attachments: HIVE-17489.2-branch-2.patch, HIVE-17489.2.patch, HIVE-17489.2.patch
>
>
> On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. {{mycluster-hcat.blue.myth.net}}) will differ from the actual boxen in the farm (e.g. {{mycluster-hcat-\[0..3\].blue.myth.net}}).
> Such a deployment messes up Kerberos auth, with principals like {{hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET}}. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.
> The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
