[ https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Saisai Shao resolved SPARK-18061. --------------------------------- Resolution: Fixed Fix Version/s: 2.3.0 Issue resolved by pull request 18628 [https://github.com/apache/spark/pull/18628] > Spark Thriftserver needs to create SPNego principal > --------------------------------------------------- > > Key: SPARK-18061 > URL: https://issues.apache.org/jira/browse/SPARK-18061 > Project: Spark > Issue Type: Bug > Components: SQL > Affects Versions: 1.6.1, 2.0.1 > Reporter: Chandana Mirashi > Fix For: 2.3.0 > > > Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a > 401 authentication error when receiving beeline HTTP request (with end user > as kerberos principal). The similar command works with Hive Thriftserver. > What we find is Hive thriftserver CLI service creates both hive service and > SPNego principal when kerberos is enabled whereas Spark Thriftserver > only creates hive service principal. > {code:title=CLIService.java|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled()) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf); > this.serviceUGI = Utils.getUGI(); > } catch (IOException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } catch (LoginException e) { > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e); > } > // Also try creating a UGI object for the SPNego principal > String principal = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL); > String keyTabFile = > hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB); > if (principal.isEmpty() || keyTabFile.isEmpty()) { > LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal + > ", ketabFile: " + keyTabFile); > } else { > try { > this.httpUGI = > HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf); > LOG.info("SPNego httpUGI successfully created."); > } catch (IOException e) { > LOG.warn("SPNego httpUGI creation failed: ", e); > } > } > } > {code} > {code:title=SparkSQLCLIService.scala|borderStyle=solid} > if (UserGroupInformation.isSecurityEnabled) { > try { > HiveAuthFactory.loginFromKeytab(hiveConf) > sparkServiceUGI = Utils.getUGI() > setSuperField(this, "serviceUGI", sparkServiceUGI) > } catch { > case e @ (_: IOException | _: LoginException) => > throw new ServiceException("Unable to login to kerberos with given > principal/keytab", e) > } > } > {code} > The patch will add missing SPNego principal to Spark Thriftserver. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org