[jira] [Created] (SPARK-18061) Spark Thriftserver needs to create SPNego principal

Fri, 21 Oct 2016 17:46:18 -0700 

Chandana Mirashi created SPARK-18061:
----------------------------------------

             Summary: Spark Thriftserver needs to create SPNego principal
                 Key: SPARK-18061
                 URL: https://issues.apache.org/jira/browse/SPARK-18061
             Project: Spark
          Issue Type: Bug
          Components: SQL
    Affects Versions: 2.0.1, 1.6.1
            Reporter: Chandana Mirashi


Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a 401 
authentication error when receiving beeline HTTP request (with end user as 
kerberos principal). The similar command works with Hive Thriftserver.

What we find is Hive thriftserver CLI service creates both hive service and 
SPNego principal when kerberos is enabled whereas Spark Thriftserver
only creates hive service principal.

{code:title=CLIService.java|borderStyle=solid}

if (UserGroupInformation.isSecurityEnabled()) {
      try {
        HiveAuthFactory.loginFromKeytab(hiveConf);
        this.serviceUGI = Utils.getUGI();
      } catch (IOException e) {
        throw new ServiceException("Unable to login to kerberos with given 
principal/keytab", e);
      } catch (LoginException e) {
        throw new ServiceException("Unable to login to kerberos with given 
principal/keytab", e);
      }

      // Also try creating a UGI object for the SPNego principal
      String principal = 
hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
      String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
      if (principal.isEmpty() || keyTabFile.isEmpty()) {
        LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
            ", ketabFile: " + keyTabFile);
      } else {
        try {
          this.httpUGI = 
HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
          LOG.info("SPNego httpUGI successfully created.");
        } catch (IOException e) {
          LOG.warn("SPNego httpUGI creation failed: ", e);
        }
      }
    }

{code}

{code:title=SparkSQLCLIService.scala|borderStyle=solid}

if (UserGroupInformation.isSecurityEnabled) {
      try {
        HiveAuthFactory.loginFromKeytab(hiveConf)
        sparkServiceUGI = Utils.getUGI()
        setSuperField(this, "serviceUGI", sparkServiceUGI)
      } catch {
        case e @ (_: IOException | _: LoginException) =>
          throw new ServiceException("Unable to login to kerberos with given 
principal/keytab", e)
      }
    }

{code}

The patch will add missing SPNego principal to Spark Thriftserver.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to