[
https://issues.apache.org/jira/browse/SQOOP-2756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15071410#comment-15071410
]
Dian Fu commented on SQOOP-2756:
--------------------------------
After investigation of this issue, I found that the root cause of this issue is
as follows:
* User {{Sqoop2}} impersonate {{SqoopClient}} and tries to connect to Hive
Metastore.
* Hive Metastore only support token based proxy user. So authentication failed.
The solution can be as follows:
* User {{Sqoop2}} create a delegation token with name
{{SqoopImpersonationToken}} for user {{SqoopClient}} in the {{initialize}}
method {{KiteToInitializer/KiteFromInitializer}}
* Add the generated delegation token into proxy user UGI and set configuration
{{hive.metastore.token.signature}} as {{SqoopImpersonationToken}}
* Access Hive Metastore with this UGI
PS: Hcatlog takes similar approach to impersonate another user. I have verified
that the above method can work. But I encountered the following issue which
blocked me:
* There is no proper way to set configuration
{{hive.metastore.token.signature}} as kite doesn't expose the configuration
object.
Any thoughts?
> Sqoop2: Add impersonation support for kite hive
> -----------------------------------------------
>
> Key: SQOOP-2756
> URL: https://issues.apache.org/jira/browse/SQOOP-2756
> Project: Sqoop
> Issue Type: Sub-task
> Reporter: Dian Fu
> Assignee: Dian Fu
> Fix For: 1.99.7
>
>
> Based on the patch of SQOOP-2752 (that's to say adding impersonation support
> for kite), when I runn test case {{FromRDBMSToKiteHiveTest}} on a secured
> mini cluster, I encountered the following exception:
> {code}
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)]
> at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
> at
> org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
> at
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> at
> org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at
> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at
> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:415)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
> at
> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:409)
> at
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:230)
> at
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:175)
> at
> org.kitesdk.data.spi.hive.MetaStoreUtil.<init>(MetaStoreUtil.java:82)
> at
> org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.getMetaStoreUtil(HiveAbstractMetadataProvider.java:63)
> at
> org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.resolveNamespace(HiveAbstractMetadataProvider.java:270)
> at
> org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.resolveNamespace(HiveAbstractMetadataProvider.java:255)
> at
> org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.exists(HiveAbstractMetadataProvider.java:159)
> at
> org.kitesdk.data.spi.filesystem.FileSystemDatasetRepository.exists(FileSystemDatasetRepository.java:257)
> at org.kitesdk.data.Datasets.exists(Datasets.java:629)
> at org.kitesdk.data.Datasets.exists(Datasets.java:646)
> at
> org.apache.sqoop.connector.kite.KiteToInitializer$2.run(KiteToInitializer.java:75)
> at
> org.apache.sqoop.connector.kite.KiteToInitializer$2.run(KiteToInitializer.java:69)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:415)
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
