[jira] [Assigned] (SPARK-18061) Spark Thriftserver needs to create SPNego principal

Fri, 21 Oct 2016 18:04:08 -0700 

     [ 
https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Apache Spark reassigned SPARK-18061:
------------------------------------

    Assignee: Apache Spark

> Spark Thriftserver needs to create SPNego principal
> ---------------------------------------------------
>
>                 Key: SPARK-18061
>                 URL: https://issues.apache.org/jira/browse/SPARK-18061
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.6.1, 2.0.1
>            Reporter: Chandana Mirashi
>            Assignee: Apache Spark
>
> Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a 
> 401 authentication error when receiving beeline HTTP request (with end user 
> as kerberos principal). The similar command works with Hive Thriftserver.
> What we find is Hive thriftserver CLI service creates both hive service and 
> SPNego principal when kerberos is enabled whereas Spark Thriftserver
> only creates hive service principal.
> {code:title=CLIService.java|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled()) {
>       try {
>         HiveAuthFactory.loginFromKeytab(hiveConf);
>         this.serviceUGI = Utils.getUGI();
>       } catch (IOException e) {
>         throw new ServiceException("Unable to login to kerberos with given 
> principal/keytab", e);
>       } catch (LoginException e) {
>         throw new ServiceException("Unable to login to kerberos with given 
> principal/keytab", e);
>       }
>       // Also try creating a UGI object for the SPNego principal
>       String principal = 
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
>       String keyTabFile = 
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
>       if (principal.isEmpty() || keyTabFile.isEmpty()) {
>         LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
>             ", ketabFile: " + keyTabFile);
>       } else {
>         try {
>           this.httpUGI = 
> HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
>           LOG.info("SPNego httpUGI successfully created.");
>         } catch (IOException e) {
>           LOG.warn("SPNego httpUGI creation failed: ", e);
>         }
>       }
>     }
> {code}
> {code:title=SparkSQLCLIService.scala|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled) {
>       try {
>         HiveAuthFactory.loginFromKeytab(hiveConf)
>         sparkServiceUGI = Utils.getUGI()
>         setSuperField(this, "serviceUGI", sparkServiceUGI)
>       } catch {
>         case e @ (_: IOException | _: LoginException) =>
>           throw new ServiceException("Unable to login to kerberos with given 
> principal/keytab", e)
>       }
>     }
> {code}
> The patch will add missing SPNego principal to Spark Thriftserver.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to