[
https://issues.apache.org/jira/browse/SPARK-45041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17762385#comment-17762385
]
zzzzming95 commented on SPARK-45041:
------------------------------------
https://github.com/apache/spark/pull/42760
> spark using --proxy-user GSS init failed when
> `hive.metastore.token.signature` not empty
> ----------------------------------------------------------------------------------------
>
> Key: SPARK-45041
> URL: https://issues.apache.org/jira/browse/SPARK-45041
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 3.4.0
> Reporter: zzzzming95
> Priority: Major
>
> In Spark, we can use --proxy-user to proxy another user in a Kerberos env.
> But we get a GSS init failed exception when connecting to the Hive metastore
> when `hive.metastore.token.signature` is not empty.
> {code:java}
> spark-sql --conf spark.driver.extraClassPath=/home/hive/conf --proxy-user test_user
> {code}
> If we set the conf in `hive-site.xml`
> {code:java}
> <property>
>   <name>hive.metastore.token.signature</name>
>   <value>spark_delegation_token</value>
> </property>
> {code}
> we will get
>
> {code:java}
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>     at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:95)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>     at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:38)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1742)
>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:478)
>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:245)
> {code}