[
https://issues.apache.org/jira/browse/HIVE-13391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15220744#comment-15220744
]
Siddharth Seth commented on HIVE-13391:
---------------------------------------
We have to login from keytab and then doAs - maybe we can do that right when
the daemon starts up - so that all other execution is within this context. I
believe threads etc are taken care of.

Tez does not do any Kerberos logins. What it does instead is to create a ugi
with the tokens - and run everything within a doAs block using this ugi. I'd
imagine it will be the same for a ugi with Kerberos credentials.

For the tokens - I don't think we need to retain this functionality at all. For
regular Tez jobs - the Kerberos login should be sufficient (including to talk
to HBase etc).

FileSystem.get() - eventually goes and looks up a cache to see if an instance
has already been created. That uses the ugi as a key. In ContainerRunner (or
somewhere in the execution code) - we go and do a FileSystem.closeAllForUgi() -
to get rid of FileSystem instances which were created for a fragment. With a
single ugi - a single FS ends up getting used, and the closeAll cannot be
invoked. The perf implications of this are something I'm not sure about.

> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>
> Key: HIVE-13391
> URL: https://issues.apache.org/jira/browse/HIVE-13391
> Project: Hive
> Issue Type: Bug
> Reporter: Sergey Shelukhin
> Assignee: Sergey Shelukhin
> Attachments: HIVE-13391.patch
>
>
> This can be used for non-doAs case to allow access to clients who don't
> propagate HDFS tokens.
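
The FileSystem cache behaviour described in the comment above, as an added example that is not code from the HIVE-13391 patch or from the commenter. Assumptions: the class name, the `llap-daemon` and `user` names and the local `file:///` file system are hypothetical stand-ins so it runs without a cluster; the principal and keytab path are operator-supplied arguments; the Hadoop method is spelled `FileSystem.closeAllForUGI`.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiFsCacheDemo {
  // FileSystem.get() run inside doAs: the cache lookup is keyed on the current UGI.
  static FileSystem fsAs(UserGroupInformation ugi, Configuration conf) throws Exception {
    return ugi.doAs((PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("fs.defaultFS", "file:///"); // assumption: local FS, no cluster needed
    boolean kerberos = args.length == 2;  // args: <principal> <keytab path>
    if (kerberos) {
      conf.set("hadoop.security.authentication", "kerberos");
    }
    UserGroupInformation.setConfiguration(conf);

    // Daemon-wide identity, created once at startup. Without arguments a
    // remote-user UGI stands in for the keytab login (hypothetical name).
    UserGroupInformation daemonUgi = kerberos
        ? UserGroupInformation.loginUserFromKeytabAndReturnUGI(args[0], args[1])
        : UserGroupInformation.createRemoteUser("llap-daemon");

    // Single UGI: two lookups hit the same cache entry.
    FileSystem d1 = fsAs(daemonUgi, conf);
    FileSystem d2 = fsAs(daemonUgi, conf);
    System.out.println("single ugi shares instance: " + (d1 == d2));

    // Per-fragment UGIs (the token-based model): UGI equality is by Subject
    // identity, so the same user name still yields separate cache entries.
    UserGroupInformation frag1 = UserGroupInformation.createRemoteUser("user");
    UserGroupInformation frag2 = UserGroupInformation.createRemoteUser("user");
    FileSystem f1 = fsAs(frag1, conf);
    FileSystem f2 = fsAs(frag2, conf);
    System.out.println("per-fragment ugis share instance: " + (f1 == f2));

    // Fragment 1 finishes: only its cached instances are closed and evicted.
    FileSystem.closeAllForUGI(frag1);
    System.out.println("fresh instance after close: " + (fsAs(frag1, conf) != f1));
    // closeAllForUGI(daemonUgi) is not safe per fragment: it would close d1,
    // which every other fragment running under the daemon identity still uses.
  }
}
```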