magnuma3 opened a new pull request, #6519:
URL: https://github.com/apache/hive/pull/6519
HIVE-29640
<!--
Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines:
https://cwiki.apache.org/confluence/display/Hive/HowToContribute
2. Ensure that you have created an issue on the Hive project JIRA:
https://issues.apache.org/jira/projects/HIVE/summary
3. Ensure you have added or run the appropriate tests for your PR:
4. If the PR is unfinished, add '[WIP]' in your PR title, e.g.,
'[WIP]HIVE-XXXXX: Your PR title ...'.
5. Be sure to keep the PR description updated to reflect all changes.
6. Please write your PR title to summarize what this PR proposes.
7. If possible, provide a concise example to reproduce the issue for a
faster review.
-->
### What changes were proposed in this pull request?
<!--
Please clarify what changes you are proposing. The purpose of this section
is to outline the changes and how this PR fixes the issue.
If possible, please consider writing useful notes for better and faster
reviews in your PR. See the examples below.
1. If you refactor some codes with changing classes, showing the class
hierarchy will help reviewers.
2. If you fix some SQL features, you can provide some references of other
DBMSes.
3. If there is design documentation, please add the link.
4. If there is a discussion in the mailing list, please add the link.
-->
- Root cause
`TezClientUtils.setupAMLocalResources` does not fetch HDFS delegation
tokens for AM-local resources — it expects the caller to provide them
via `AMCredentials`. HS2 (`TezSessionState`) currently passes only the
LLAP credentials and never enumerates the non-defaultFS namenodes
referenced by `ADD JAR` / `ADD FILE` resources, so the AM ends up
without a token for those namenodes.
- Fix
Before handing local resources to TezClient, walk the common local
resource map, collect every distinct non-`fs.defaultFS` HDFS namenode
referenced, fetch delegation tokens for those namenodes via
`TokenCache.obtainTokensForNamenodes`, and merge them into the
credentials passed to TezClient (alongside any existing LLAP
credentials).
Implementation lives in a new helper
`TezSessionState#createLocalResourceCredentialsExcludingDefaultFS` and
filters out:
Resources on `fs.defaultFS` (Tez/Hadoop issues that token already;
duplicate issuance adds latency and NameNode heap pressure).
- Repro
1. Kerberized HS2 with `hive.execution.engine=tez`.
2. From beeline:
```
ADD JAR hdfs://other-nn/path/to/udf.jar;
CREATE TEMPORARY FUNCTION my_udf AS '…';
SELECT my_udf(col) FROM tbl;
```
where `other-nn` is a federated namenode distinct from
`fs.defaultFS`.
3. Expected: query runs.
Actual: localization fails on the AM/container with a missing
delegation token error for `other-nn`.
### Why are the changes needed?
<!--
Please clarify why the changes are needed. For instance,
1. If you propose a new API, clarify the use case for a new API.
2. If you fix a bug, you can clarify why it is a bug.
-->
- Problem
In a Kerberized cluster, a query that pulls in jars from an HDFS
namenode other than `fs.defaultFS` fails when the execution engine is
Tez:
```
SET hive.execution.engine=tez;
ADD JAR hdfs://other-nn/libs/my-udf.jar;
SELECT my_udf(...) FROM t;
```
The jar is distributed to Tez containers as an AM-local resource via
the distributed cache. The container tries to localize it from
`hdfs://other-nn/...`, finds no HDFS delegation token for `other-nn`
in its `Credentials`, and fails resource localization. The query
aborts before any task runs.
`fs.defaultFS` jars work fine because Tez/Hadoop's standard code path
issues a token for the default namenode on its own.
### Does this PR introduce _any_ user-facing change?
<!--
Note that it means *any* user-facing change including all aspects such as
the documentation fix.
If yes, please clarify the previous behavior and the change this PR proposes
- provide the console output, description, screenshot and/or a reproducable
example to show the behavior difference if possible.
If possible, please also clarify if this is a user-facing change compared to
the released Hive versions or within the unreleased branches such as master.
If no, write 'No'.
-->
- Compatibility
Behaviour is unchanged when all `ADD JAR` resources live on
`fs.defaultFS` or on the local filesystem.
Non-Kerberized clusters are unaffected (token issuance is a no-op).
No new configuration. No new dependencies.
### How was this patch tested?
<!--
If tests were added, say they were added here. Please make sure to add some
test cases that check the changes thoroughly including negative and positive
cases if possible.
If it was tested in a way different from regular unit tests, please clarify
how you tested step by step, ideally copy and paste-able, so that other
reviewers can test and check, and descendants can verify in the future.
If tests were not added, please describe why they were not added and/or why
it was difficult to add.
-->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
