Adam Szita created HIVE-21922:
---------------------------------
Summary: Allow keytabs to be reused in LLAP yarn applications
through Yarn localization
Key: HIVE-21922
URL: https://issues.apache.org/jira/browse/HIVE-21922
Project: Hive
Issue Type: New Feature
Reporter: Adam Szita
Assignee: Adam Szita
In secure clusters LLAP has to be able to reach keytab files for kerberos login.
Currently _hive.llap.task.scheduler.am.registry.keytab.file_ and
_hive.llap.daemon.keytab.file_ configs are used to define the path of such
keytabs on the Tez AM and LLAP daemon side respectively. Both presume local
file system paths only - hence all nodes in the LLAP cluster (even those that
eventually don't end up executing a daemon...) have to have Hive's keytab
preinstalled on them.
The above is described by this strategy:
[Pre-installed_Keytabs_for_AM_and_containers|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Pre-installed_Keytabs_for_AM_and_containers]
Another approach can be
[Keytabs_for_AM_and_containers_distributed_via_YARN|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Keytabs_for_AM_and_containers_distributed_via_YARN]
where we rely on HDFS and Yarn resource localization, and no prior keytab
distribution is required. I intend to make this strategy an option for
Hive-LLAP in this jira.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
