spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stavros Kontopoulos (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SPARK-23790) proxy-user failed connecting to a kerberos configured metastore
Date Sun, 25 Mar 2018 10:36:00 GMT

    [ https://issues.apache.org/jira/browse/SPARK-23790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16412974#comment-16412974
] 

Stavros Kontopoulos commented on SPARK-23790:
---------------------------------------------

[~q79969786] I see the PRs you created to fix the other PR, btw the doAsRealUser does the
work:

 
{quote}18/03/23 19:26:18 DEBUG UserGroupInformation: PrivilegedAction as:hive@LOCAL (auth:KERBEROS)
from:org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)

18/03/23 19:26:18 DEBUG TSaslTransport: opening transport org.apache.thrift.transport.TSaslClientTransport@64201482
18/03/23 19:26:18 DEBUG TSaslClientTransport: Sending mechanism name GSSAPI and initial response
of length 607
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Writing message with status START and payload
length 6
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Writing message with status OK and payload
length 607
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Start message handled
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Received message with status OK and payload
length 108
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Writing message with status OK and payload
length 0
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Received message with status OK and payload
length 32
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Writing message with status COMPLETE and payload
length 32
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Main negotiation loop complete
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: SASL Client receiving last message
18/03/23 19:26:18 DEBUG TSaslTransport: CLIENT: Received message with status COMPLETE and
payload length 0
18/03/23 19:26:18 INFO metastore: Connected to metastore.
{quote}
The reason is that I use an earlier branch to build stuff for the customer which does not
contain the commit. Thank you though there is a regression I should know for the next releases
and will follow the work being done. My problem is that I tried to fetch delegation tokens
earlier so consequent operations dont use a TGT all the time but hit this issue with HadoopRDD.
I believed I could add the delegation tokens when the mesos scheduler backend starts like
in the case of yarn where Client.java does something similar.

> proxy-user failed connecting to a kerberos configured metastore
> ---------------------------------------------------------------
>
>                 Key: SPARK-23790
>                 URL: https://issues.apache.org/jira/browse/SPARK-23790
>             Project: Spark
>          Issue Type: Bug
>          Components: Mesos
>    Affects Versions: 2.3.0
>            Reporter: Stavros Kontopoulos
>            Priority: Major
>
> This appeared at a customer trying to integrate with a kerberized hdfs cluster.
> This can be easily fixed with the proposed fix [here|https://github.com/apache/spark/pull/17333] and
the problem was reported first [here|https://issues.apache.org/jira/browse/SPARK-19995] for
yarn.
> The other option is to add the delegation tokens to the current user's UGI as in [here|https://github.com/apache/spark/pull/17335]
. The last fixes the problem but leads to a failure when someones uses a HadoopRDD because
the latter, uses FileInputFormat to get the splits which calls the local ticket cache by using
TokenCache.obtainTokensForNamenodes. Eventually this will fail with:
> {quote}Exception in thread "main" org.apache.hadoop.ipc.RemoteException(java.io.IOException):
Delegation Token can be issued only with kerberos or web authenticationat org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getDelegationToken(FSNamesystem.java:5896)
> {quote}
> This implies that security mode is SIMPLE and hadoop libs there are not aware of kerberos.
> This is related to this issue the workaround decided was to [trick|https://github.com/apache/spark/blob/a33655348c4066d9c1d8ad2055aadfbc892ba7fd/core/src/main/scala/org/apache/spark/deploy/SparkSubmit.scala#L795-L804]
hadoop.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org


Mime
View raw message