[jira] [Commented] (HIVE-14888) SparkClientImpl checks for "kerberos" string in hiveconf only when determining whether to use keytab file.

Wed, 03 Apr 2019 14:54:14 -0700 


    [ 
https://issues.apache.org/jira/browse/HIVE-14888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16809302#comment-16809302
 ] 

David McGinnis commented on HIVE-14888:
---------------------------------------

Taking over this ticket since it appears to be mostly completed and just needs 
someone to shepherd it through to the end. Submitted a patch similar to the 
original modified based on new changes since the original patch.

One concern I see with this is that it appears that 
hadoop.security.authentication can be more than just (simple, kerberos). Line 
below seems to indicate it could also be TOKEN, CERTIFICATE, KERBEROS_SSL, or 
PROXY. I'm not seeing any code that restricts it to just SIMPLE or KERBEROS, 
but that is all documentation mentions. Can anyone confirm SIMPLE and KERBEROS 
are the only two hadoop authentication modes we need to worry about? Otherwise 
this patch will change behavior for the other modes.

[https://github.com/apache/hadoop/blob/002dcc4ebf79bbaa5e603565640d8289991d781f/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L1444]

 

> SparkClientImpl checks for "kerberos" string in hiveconf only when 
> determining whether to use keytab file.
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-14888
>                 URL: https://issues.apache.org/jira/browse/HIVE-14888
>             Project: Hive
>          Issue Type: Bug
>          Components: spark-branch
>    Affects Versions: 2.1.0
>            Reporter: Thomas Rega
>            Assignee: David McGinnis
>            Priority: Major
>         Attachments: HIVE-14888.1-spark.patch, HIVE-14888.2.patch
>
>   Original Estimate: 5m
>  Remaining Estimate: 5m
>
> The SparkClientImpl will only provide a principal and keytab argument if the 
> HADOOP_SECURITY_AUTHENTICATION in hive conf is set to "kerberos". This will 
> not work on clusters with Hadoop security enabled that are not configured as 
> "kerberos", for example, a cluster which is configured for "ldap".
> The solution is to call UserGroupInformation.isSecurityEnabled() instead.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to