[ https://issues.apache.org/jira/browse/AMBARI-21154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vishal Suvagia updated AMBARI-21154: ------------------------------------ Attachment: AMBARI-21154.patch > Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos > ticket-cache > -------------------------------------------------------------------------------------- > > Key: AMBARI-21154 > URL: https://issues.apache.org/jira/browse/AMBARI-21154 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 2.5.1 > Reporter: Vishal Suvagia > Assignee: Vishal Suvagia > Priority: Minor > Fix For: 2.5.2 > > Attachments: AMBARI-21154.patch > > > In a kerberized environment, Atlas hook uses JAAS configuration section named > "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment > this configuration section is set to use the keytab and principal of > HiveServer2 process. The hook running in HiveCLI might fail to authenticate > with Kafka if the user can't read the configured keytab. > Given that HiveCLI users would have performed kinit, the hook in HiveCLI > should use the ticket-cache generated by kinit. When ticket cache is not > available (for example in HiveServer2), the hook should use the configuration > provided in KafkaClient JAAS section > As a solution need to add below in {{hive atlas-application.properties}} by > default if atlas-hive hook is enabled in secure mode > {code:none} > atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required > atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule > atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346)