[ https://issues.apache.org/jira/browse/HIVE-18982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16407553#comment-16407553 ]
Prasanth Jayachandran commented on HIVE-18982:
----------------------------------------------
Some changes to security:
- GET /leader is permissive (works even if
hadoop.security.instrumentation.requires.admin is false)
- The DELETE /leader endpoint, which performs the failover, is restrictive (works
only if hadoop.security.instrumentation.requires.admin and
hadoop.security.authorization are set to true and if the logged-in user (via
PAM or SPNEGO + Kerberos) is in the hive.users.in.admin.role list)
- Added unit tests with PAM auth for failover (setting up SPNEGO + Kerberos
auth in a unit test is non-trivial).
Theoretically SPNEGO + Kerberos should also work. The HS2 webserver sets up
Kerberos-based auth
https://github.com/apache/hive/blob/a16e8e9e4d1111d504051b836d43ed795de054b3/common/src/java/org/apache/hive/http/HttpServer.java#L366
which returns the Kerberos logged-in user from the auth token here
https://github.com/apache/hadoop/blob/6c63cc7d304571578e6551170552182d30b8e8fa/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L565
I will test manually on a Kerberized cluster later at some point.
[~sershe] can you please look at the new changes?
> Provide a CLI option to manually trigger failover
> -------------------------------------------------
>
> Key: HIVE-18982
> URL: https://issues.apache.org/jira/browse/HIVE-18982
> Project: Hive
> Issue Type: Sub-task
> Components: HiveServer2
> Affects Versions: 3.0.0
> Reporter: Prasanth Jayachandran
> Assignee: Prasanth Jayachandran
> Priority: Major
> Attachments: HIVE-18982.1.patch, HIVE-18982.2.patch,
> HIVE-18982.3.patch
>
>
> HIVE-18281 added active-passive HA. There might be an administrative need to
> trigger a manual failover of the HS2 Active server. Add a command line tool to view
> the list of all HS2 instances and trigger manual failover (only under force
> mode). The clients currently connected to the active HS2 will be closed. In
> future, more options for existing client connections can be handled via
> configs/options (like wait until timeout, wait until current sessions are
> closed etc.)