Return-Path: <issues-return-88514-archive-asf-public=cust-asf.ponee.io@hive.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 89689200D03
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Sat,  9 Sep 2017 09:26:15 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 87E761609CF; Sat,  9 Sep 2017 07:26:15 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id CD1D61609C0
	for <archive-asf-public@cust-asf.ponee.io>; Sat,  9 Sep 2017 09:26:14 +0200 (CEST)
Received: (qmail 55122 invoked by uid 500); 9 Sep 2017 07:26:13 -0000
Mailing-List: contact issues-help@hive.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@hive.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@hive.apache.org>
List-Post: <mailto:issues@hive.apache.org>
List-Id: <issues.hive.apache.org>
Reply-To: dev@hive.apache.org
Delivered-To: mailing list issues@hive.apache.org
Received: (qmail 55113 invoked by uid 99); 9 Sep 2017 07:26:13 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 09 Sep 2017 07:26:13 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 159F81A58D5
	for <issues@hive.apache.org>; Sat,  9 Sep 2017 07:26:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -97.2
X-Spam-Level: 
X-Spam-Status: No, score=-97.2 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, KAM_BADIPHTTP=2,
	NORMAL_HTTP_TO_IP=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	URI_TRY_3LD=0.001, USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024)
	with ESMTP id 7qmWE77NWjks for <issues@hive.apache.org>;
	Sat,  9 Sep 2017 07:26:07 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 2554360CE6
	for <issues@hive.apache.org>; Sat,  9 Sep 2017 07:26:07 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 2AE87E0933
	for <issues@hive.apache.org>; Sat,  9 Sep 2017 07:26:05 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id B42CB2414B
	for <issues@hive.apache.org>; Sat,  9 Sep 2017 07:26:01 +0000 (UTC)
Date: Sat, 9 Sep 2017 07:26:01 +0000 (UTC)
From: "Hive QA (JIRA)" <jira@apache.org>
To: issues@hive.apache.org
Message-ID: <JIRA.13100936.1504909238000.68236.1504941961737@Atlassian.JIRA>
In-Reply-To: <JIRA.13100936.1504909238000@Atlassian.JIRA>
References: <JIRA.13100936.1504909238000@Atlassian.JIRA> <JIRA.13100936.1504909238871@jira-lw-us.apache.org>
Subject: [jira] [Commented] (HIVE-17489) Separate client-facing and
 server-side Kerberos principals, to support HA
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Sat, 09 Sep 2017 07:26:15 -0000


    [ https://issues.apache.org/jira/browse/HIVE-17489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16159808#comment-16159808 ] 

Hive QA commented on HIVE-17489:
--------------------------------



Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12886187/HIVE-17489.2-branch-2.patch

{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 18 failed/errored test(s), 10570 tests executed
*Failed tests:*
{noformat}
TestHs2HooksWithMiniKdc - did not produce a TEST-*.xml file (likely timed out) (batchId=237)
TestJdbcNonKrbSASLWithMiniKdc - did not produce a TEST-*.xml file (likely timed out) (batchId=237)
TestJdbcWithMiniKdc - did not produce a TEST-*.xml file (likely timed out) (batchId=237)
TestJdbcWithMiniKdcCookie - did not produce a TEST-*.xml file (likely timed out) (batchId=237)
TestJdbcWithMiniKdcSQLAuthBinary - did not produce a TEST-*.xml file (likely timed out) (batchId=237)
TestJdbcWithMiniKdcSQLAuthHttp - did not produce a TEST-*.xml file (likely timed out) (batchId=237)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[comments] (batchId=35)
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[explaindenpendencydiffengs] (batchId=38)
org.apache.hadoop.hive.cli.TestMiniLlapCliDriver.testCliDriver[llap_smb] (batchId=142)
org.apache.hadoop.hive.cli.TestMiniLlapCliDriver.testCliDriver[orc_ppd_basic] (batchId=139)
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver[explaindenpendencydiffengs] (batchId=115)
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver[vectorized_ptf] (batchId=125)
org.apache.hadoop.hive.ql.security.TestExtendedAcls.testPartition (batchId=228)
org.apache.hadoop.hive.ql.security.TestFolderPermissions.testPartition (batchId=217)
org.apache.hive.hcatalog.api.TestHCatClient.testTransportFailure (batchId=176)
org.apache.hive.minikdc.TestHiveAuthFactory.testStartTokenManagerForDBTokenStore (batchId=237)
org.apache.hive.minikdc.TestHiveAuthFactory.testStartTokenManagerForMemoryTokenStore (batchId=237)
org.apache.hive.minikdc.TestJdbcWithDBTokenStore.org.apache.hive.minikdc.TestJdbcWithDBTokenStore (batchId=237)
{noformat}

Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/6744/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/6744/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-6744/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 18 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12886187 - PreCommit-HIVE-Build

> Separate client-facing and server-side Kerberos principals, to support HA
> -------------------------------------------------------------------------
>
>                 Key: HIVE-17489
>                 URL: https://issues.apache.org/jira/browse/HIVE-17489
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>            Reporter: Mithun Radhakrishnan
>            Assignee: Thiruvel Thirumoolan
>         Attachments: HIVE-17489.1.patch, HIVE-17489.2-branch-2.patch, HIVE-17489.2.patch
>
>
> On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. {{mycluster-hcat.blue.myth.net}}) will differ from the actual boxen in the farm (.e.g {{mycluster-hcat-\[0..3\].blue.myth.net}}).
> Such a deployment messes up Kerberos auth, with principals like {{hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET}}. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.
> The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)