[ https://issues.apache.org/jira/browse/HIVE-21922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16872206#comment-16872206 ]
Adam Szita commented on HIVE-21922:
-----------------------------------
The patch introduces the following new options:
* In Hive conf
** *hive.llap.use.hs2.keytab.for.am.registry.keytab*: if set to true and hive.llap.task.scheduler.am.registry.keytab.file is empty, the HS2 keytab will be added to Yarn as a resource to be localized for Tez AM use
* In LLAP's yarn service descriptor file compiler Python script:
** *service-keytab-localized-path*: if set, Yarn will make sure LLAP daemons can reach the keytab file on this path, earlier uploaded to the HDFS path as per the service-keytab-dir / service-keytab options

[~pvary] can you take a look please?
> Allow keytabs to be reused in LLAP yarn applications through Yarn localization
> ------------------------------------------------------------------------------
>
> Key: HIVE-21922
> URL: https://issues.apache.org/jira/browse/HIVE-21922
> Project: Hive
> Issue Type: New Feature
> Reporter: Adam Szita
> Assignee: Adam Szita
> Priority: Major
> Attachments: HIVE-21922.0.patch
>
>
> In secure clusters LLAP has to be able to reach keytab files for Kerberos
> login.
> Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and
> _hive.llap.daemon.keytab.file_ configs are used to define the path of such
> keytabs on the Tez AM and LLAP daemon side respectively. Both presume local
> file system paths only - hence all nodes in the LLAP cluster (even those that
> eventually don't end up executing a daemon...) have to have Hive's keytab
> preinstalled on them.
> The above is described by this strategy:
> [Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers]
> Another approach can be
> [Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN]
> where we rely on HDFS and Yarn resource localization, and no prior keytab
> distribution is required. I intend to make this strategy an option for
> Hive-LLAP in this jira.