Rémy SAISSY created HIVE-7798:
---------------------------------

             Summary: Authentication tokens lost in a UDTF on a secure cluster
                 Key: HIVE-7798
                 URL: https://issues.apache.org/jira/browse/HIVE-7798
             Project: Hive
          Issue Type: Bug
          Components: UDF
    Affects Versions: 0.13.0
            Reporter: Rémy SAISSY

Context:
- Secure Cluster running Hive 0.13, Hadoop 2.4 and HBase 0.98 (HDP 2.1)
- UDTF written in Java

Action:
In the UDTF, HBase is contacted through its Java API in order to add a few records. However, any request to HBase fails because tokens are not passed to the call to HBase.

Executing the following code in the UDTF:

    Configuration conf = HBaseConfiguration.create();
    UserGroupInformation.setConfiguration(conf);
    HTable hbaseErrorTable = new HTable(conf, "foo :foo");

Leads to this error:

    2014-07-22 14:44:04,134 DEBUG [main] org.apache.hadoop.ipc.RpcClient: Connecting to node2.cluster.fr/10.197.40.54:60020
    2014-07-22 14:44:04,135 DEBUG [main] org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:expecteduser (auth:SIMPLE) from:org.apache.hadoop.hbase.ipc.RpcClient$Connection.setupIOstreams(RpcClient.java:915)
    2014-07-22 14:44:04,135 DEBUG [main] org.apache.hadoop.hbase.security.HBaseSaslRpcClient: Creating SASL GSSAPI client. Server's Kerberos principal name is hbase/node2.cluster.fr@REALM
    2014-07-22 14:44:04,137 DEBUG [main] org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:expecteduser (auth:SIMPLE) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    2014-07-22 14:44:04,138 DEBUG [main] org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:expecteduser (auth:SIMPLE) from:org.apache.hadoop.hbase.ipc.RpcClient$Connection.handleSaslConnectionFailure(RpcClient.java:818)
    2014-07-22 14:44:04,138 WARN [main] org.apache.hadoop.ipc.RpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    2014-07-22 14:44:04,138 FATAL [main] org.apache.hadoop.ipc.RpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.

The workaround is to add the following in the UDTF before actually contacting HBase:

    import java.io.IOException;
    import java.security.AccessControlContext;
    import java.security.AccessController;
    import javax.security.auth.Subject;
    import org.apache.hadoop.security.UserGroupInformation;

    public static void logFromKeytabAndLogoutCurrentUser(String user, String path) throws IOException {
        //UserGroupInformation.loginUserFromKeytab("expecteduser@REALM", "/etc/security/keytabs/expecteduser.headless.keytab");
        // Perform a fresh Kerberos login from the keytab.
        UserGroupInformation.loginUserFromKeytab(user, path);
        // Clear the principals and credentials of the Subject attached to the current access control context.
        AccessControlContext context = AccessController.getContext();
        Subject subject = Subject.getSubject(context);
        subject.getPrincipals().clear();
        subject.getPrivateCredentials().clear();
        subject.getPublicCredentials().clear();
    }

However, it implies having the keytab to perform a new authentication from inside the UDTF.

I'm not sure whether this bug is related to Hive UDTF or to YARN Containers.

--
This message was sent by Atlassian JIRA (v6.2#6252)
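
Added example, not part of the original report and not Hive or HBase project code: a diagnostic that lists which credentials the task JVM actually holds, to check whether an HBase delegation token reached the UDTF before the client falls back to Kerberos GSSAPI as in the log above. The class name `UgiCredentialReport` is hypothetical; it assumes the Hadoop 2.x `UserGroupInformation` API and the HBase delegation token kind `HBASE_AUTH_TOKEN`.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/** Hypothetical helper: reports the credentials visible to the current task JVM. */
public final class UgiCredentialReport {

    // Kind carried by HBase delegation tokens (assumption stated in the lead-in).
    private static final String HBASE_TOKEN_KIND = "HBASE_AUTH_TOKEN";

    private UgiCredentialReport() {}

    /** Returns one line per finding; log them from the UDTF before opening the HTable. */
    public static List<String> describe() throws IOException {
        List<String> lines = new ArrayList<String>();
        UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

        // Identity and authentication method, as shown in the "as:... (auth:...)" log fields.
        lines.add("user=" + ugi.getUserName()
                + " auth=" + ugi.getAuthenticationMethod()
                + " hasKerberosCredentials=" + ugi.hasKerberosCredentials());
        lines.add("securityEnabled=" + UserGroupInformation.isSecurityEnabled());

        // YARN containers receive their delegation tokens through this file.
        String tokenFileVar = UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION;
        lines.add(tokenFileVar + "=" + System.getenv(tokenFileVar));

        // Only kind and service are reported; token secrets are never written out.
        boolean hbaseTokenPresent = false;
        for (Token<? extends TokenIdentifier> token : ugi.getTokens()) {
            String kind = token.getKind().toString();
            lines.add("token kind=" + kind + " service=" + token.getService());
            if (HBASE_TOKEN_KIND.equals(kind)) {
                hbaseTokenPresent = true;
            }
        }

        // No TGT and no HBase token matches the GSSAPI failure in the log above.
        lines.add("hbaseTokenPresent=" + hbaseTokenPresent);
        return lines;
    }
}
```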