zzzzming95 created SPARK-45041:
----------------------------------

Summary: spark using --proxy-user GSS init failed when `hive.metastore.token.signature` not empty
Key: SPARK-45041
URL: https://issues.apache.org/jira/browse/SPARK-45041
Project: Spark
Issue Type: Bug
Components: SQL
Affects Versions: 3.4.0
Reporter: zzzzming95

In Spark, we can use --proxy-user to proxy another user in a Kerberos env. But we get a GSS init failed exception when connecting to the Hive metastore and `hive.metastore.token.signature` is not empty.

```
spark-sql --conf spark.driver.extraClassPath=/home/hive/conf --proxy-user test_user
```

If we set this conf in `hive-site.xml`:

```
<property>
  <name>hive.metastore.token.signature</name>
  <value>spark_delegation_token</value>
</property>
```

we will get:

```
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:95)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:38)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1742)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
    at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:478)
    at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:245)
```
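
A pre-flight check for the two conditions this report combines (a `--proxy-user` launch and a non-empty `hive.metastore.token.signature`), added here as an example and not taken from the report or from Spark. The function names and the embedded sample XML are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

TOKEN_SIG_KEY = "hive.metastore.token.signature"

# Constructed sample mirroring the hive-site.xml fragment in the report.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.metastore.token.signature</name>
    <value>spark_delegation_token</value>
  </property>
</configuration>"""


def token_signature(hive_site_xml):
    """Return the configured token signature, or None when unset or blank."""
    root = ET.fromstring(hive_site_xml)
    value = None
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == TOKEN_SIG_KEY:
            # If the property is repeated, this check uses the last definition.
            value = (prop.findtext("value") or "").strip() or None
    return value


def proxy_user(command_line):
    """Return the --proxy-user argument of a spark-sql/spark-submit command line."""
    args = shlex.split(command_line)
    for i, arg in enumerate(args):
        if arg == "--proxy-user" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--proxy-user="):
            return arg.split("=", 1)[1]
    return None


def matches_spark_45041(command_line, hive_site_xml):
    """True when both conditions described in the report hold together."""
    return (proxy_user(command_line) is not None
            and token_signature(hive_site_xml) is not None)


if __name__ == "__main__":
    cmd = ("spark-sql --conf spark.driver.extraClassPath=/home/hive/conf "
           "--proxy-user test_user")
    print(matches_spark_45041(cmd, SAMPLE_HIVE_SITE))
```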