[ https://issues.apache.org/jira/browse/AMBARI-21154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vishal Suvagia updated AMBARI-21154:
------------------------------------
    Attachment: AMBARI-21154-branch-2.5.patch
                AMBARI-21154-trunk.patch
> Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos
> ticket-cache
> --------------------------------------------------------------------------------------
>
> Key: AMBARI-21154
> URL: https://issues.apache.org/jira/browse/AMBARI-21154
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.5.1
> Reporter: Vishal Suvagia
> Assignee: Vishal Suvagia
> Priority: Minor
> Fix For: 2.5.2
>
> Attachments: AMBARI-21154-branch-2.5.patch, AMBARI-21154.patch,
> AMBARI-21154-trunk.patch
>
>
> In a kerberized environment, the Atlas hook uses a JAAS configuration section named
> "KafkaClient" to authenticate with the Kafka broker. In a typical Hive deployment
> this configuration section is set to use the keytab and principal of the
> HiveServer2 process. The hook running in HiveCLI might fail to authenticate
> with Kafka if the user can't read the configured keytab.
> Given that HiveCLI users would have performed kinit, the hook in HiveCLI
> should use the ticket cache generated by kinit. When the ticket cache is not
> available (for example in HiveServer2), the hook should use the configuration
> provided in the KafkaClient JAAS section.
> As a solution, the following needs to be added to {{hive atlas-application.properties}} by
> default if the atlas-hive hook is enabled in secure mode:
> {code:none}
> atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
> atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
> atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
> {code}
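
The following added example is not part of the issue or of the Atlas/Ambari code. It groups `atlas.jaas.<section>.*` properties into sections, renders a section in JAAS file syntax for readability, and applies the selection rule described in the issue (ticket cache first, otherwise `KafkaClient`). The function names, the keytab path and the principal are constructed for illustration.

```python
# Added illustration; not Atlas or Ambari source code.
import re

# Constructed sample: the three properties from the issue plus a keytab-based
# KafkaClient section whose keytab path and principal are placeholders.
SAMPLE = """\
atlas.jaas.KafkaClient.loginModuleControlFlag=required
atlas.jaas.KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.option.useKeyTab=true
atlas.jaas.KafkaClient.option.keyTab=/path/to/hive.service.keytab
atlas.jaas.KafkaClient.option.principal=hive/host.example.com@EXAMPLE.COM
atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
"""

KEY = re.compile(
    r"^atlas\.jaas\.([^.]+)\.(loginModuleName|loginModuleControlFlag|option\.(.+))$")

def parse_sections(text):
    """Group atlas.jaas.<section>.* properties by section name."""
    sections = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = KEY.match(key.strip())
        if not sep or not m:
            continue  # blank line, comment, or unrelated property
        name, field, option = m.groups()
        section = sections.setdefault(name, {"options": {}})
        if option:
            section["options"][option] = value.strip()
        else:
            section[field] = value.strip()
    return sections

def to_jaas(name, section):
    """Render one section in JAAS login-configuration file syntax."""
    opts = "".join(f'\n    {k}="{v}"' for k, v in sorted(section["options"].items()))
    head = f'{section["loginModuleName"]} {section["loginModuleControlFlag"]}'
    return f"{name} {{\n    {head}{opts};\n}};"

def select_section(sections, ticket_cache_available, base="KafkaClient"):
    """Rule from the issue text: ticket cache if available, else the base section."""
    ticket = "ticketBased-" + base
    if ticket_cache_available and ticket in sections:
        return ticket
    return base
```
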