[ 
https://issues.apache.org/jira/browse/ATLAS-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Senia updated ATLAS-1546:
------------------------------
    Attachment: hs2.log.gz

[~madhan.neethiraj] and [~nixonrodrigues] here is the full log.

What I see that is interesting is that it seems like HS2 may have a ticket cache and a 
keytab-based login.

2017-02-10 20:29:54,274 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(237)) - ==> 
InMemoryJAASConfiguration.initialize()
2017-02-10 20:29:54,274 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(237)) - ==> 
InMemoryJAASConfiguration.initialize()
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(351)) - Adding client: 
[KafkaClient{-1}]
        loginModule: [com.sun.security.auth.module.Krb5LoginModule]
        controlFlag: [LoginModuleControlFlag: required]
        Options:  [principal] => 
[hive/ha21t55mn.tech.hdp.example....@tech.hdp.example.com]
        Options:  [storeKey] => [True]
        Options:  [keyTab] => [/etc/security/keytabs/hive.service.keytab]
        Options:  [useKeyTab] => [True]
        Options:  [serviceName] => [kafka]

2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(351)) - Adding client: 
[KafkaClient{-1}]
        loginModule: [com.sun.security.auth.module.Krb5LoginModule]
        controlFlag: [LoginModuleControlFlag: required]
        Options:  [principal] => 
[hive/ha21t55mn.tech.hdp.example....@tech.hdp.example.com]
        Options:  [storeKey] => [True]
        Options:  [keyTab] => [/etc/security/keytabs/hive.service.keytab]
        Options:  [useKeyTab] => [True]
        Options:  [serviceName] => [kafka]

2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(351)) - Adding client: 
[ticketBased-KafkaClient{-1}]
        loginModule: [com.sun.security.auth.module.Krb5LoginModule]
        controlFlag: [LoginModuleControlFlag: required]
        Options:  [useTicketCache] => [true]

2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(351)) - Adding client: 
[ticketBased-KafkaClient{-1}]
        loginModule: [com.sun.security.auth.module.Krb5LoginModule]
        controlFlag: [LoginModuleControlFlag: required]
        Options:  [useTicketCache] => [true]

2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(364)) - <== 
InMemoryJAASConfiguration.initialize()
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:initialize(364)) - <== 
InMemoryJAASConfiguration.initialize()
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration (InMemoryJAASConfiguration.java:init(191)) - 
<== InMemoryJAASConfiguration.init()
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration (InMemoryJAASConfiguration.java:init(191)) - 
<== InMemoryJAASConfiguration.init()
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration (InMemoryJAASConfiguration.java:init(178)) - 
<== InMemoryJAASConfiguration.init()
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration (InMemoryJAASConfiguration.java:init(178)) - 
<== InMemoryJAASConfiguration.init()
2017-02-10 20:29:54,284 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]: 
security.InMemoryJAASConfiguration 
(InMemoryJAASConfiguration.java:setConfigSectionRedirect(372)) - ==> 
setConfigSectionRedirect({}, {})KafkaClient ticketBased-KafkaClient


> Hive hook should choose appropriate JAAS config if host uses kerberos 
> ticket-cache
> ----------------------------------------------------------------------------------
>
>                 Key: ATLAS-1546
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1546
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-intg
>    Affects Versions: 0.7-incubating, 0.8-incubating
>            Reporter: Madhan Neethiraj
>            Assignee: Nixon Rodrigues
>             Fix For: 0.8-incubating
>
>         Attachments: ATLAS-1546.1.patch, ATLAS-1546.patch, 
> hiveserver2_log.txt, hs2.log.gz
>
>
> In a kerberized environment, Atlas hook uses JAAS configuration section named 
> "KafkaClient" to authenticate with Kafka broker. In a typical Hive deployment 
> this configuration section is set to use the keytab and principal of 
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate 
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI 
> should use the ticket-cache generated by kinit. When ticket cache is not 
> available (for example in HiveServer2), the hook should use the configuration 
> provided in KafkaClient JAAS section.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
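
An added example, not part of the original message or of the Atlas code base: a Python parser for the InMemoryJAASConfiguration DEBUG output quoted above that reports which credential source each JAAS section uses and which section KafkaClient is redirected to. The sample log is constructed from the quoted lines with a placeholder principal, and the function names are hypothetical.

```python
import re
# Constructed sample modelled on the DEBUG lines quoted above (placeholder
# principal); entries wrap across lines the same way they do in the message.
SAMPLE_LOG = """\
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]:
security.InMemoryJAASConfiguration
(InMemoryJAASConfiguration.java:initialize(351)) - Adding client:
[KafkaClient{-1}]
        Options:  [principal] =>
[hive/host.example.com@EXAMPLE.COM]
        Options:  [keyTab] => [/etc/security/keytabs/hive.service.keytab]
        Options:  [useKeyTab] => [True]
2017-02-10 20:29:54,280 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]:
security.InMemoryJAASConfiguration
(InMemoryJAASConfiguration.java:initialize(351)) - Adding client:
[ticketBased-KafkaClient{-1}]
        Options:  [useTicketCache] => [true]
2017-02-10 20:29:54,284 DEBUG [HiveServer2-HttpHandler-Pool: Thread-53]:
security.InMemoryJAASConfiguration
(InMemoryJAASConfiguration.java:setConfigSectionRedirect(372)) - ==>
setConfigSectionRedirect({}, {})KafkaClient ticketBased-KafkaClient
"""

CLIENT = re.compile(r"Adding client:\s*\[([^\]{]+)\{-?\d+\}\]")
OPTION = re.compile(r"Options:\s*\[(\w+)\]\s*=>\s*\[([^\]]*)\]")
REDIRECT = re.compile(r"setConfigSectionRedirect\(\{\}, \{\}\)\s*(\S+)\s+(\S+)")

def credential_source(opts):
    # Map Krb5LoginModule options to the credential the section logs in with.
    for key, label in (("useKeyTab", "keytab"), ("useTicketCache", "ticket-cache")):
        if opts.get(key, "").lower() == "true":
            return label
    return "unknown"

def audit(log):
    # Returns ({section: credential source}, {section: redirect target}).
    sections, redirects = {}, {}
    for entry in re.split(r"\n(?=\d{4}-\d{2}-\d{2} )", log):  # one per timestamp
        m, r = CLIENT.search(entry), REDIRECT.search(entry)
        if m:  # duplicated log entries collapse onto the same key
            sections[m.group(1)] = credential_source(dict(OPTION.findall(entry)))
        if r:
            redirects[r.group(1)] = r.group(2)
    return sections, redirects

def effective_source(log, section="KafkaClient"):
    # Follow the logged redirect to see what the section actually resolves to.
    sections, redirects = audit(log)
    target = redirects.get(section, section)
    return target, sections.get(target, "unknown")
```
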
