[jira] [Resolved] (SPARK-18061) Spark Thriftserver needs to create SPNego principal

[Saisai Shao (JIRA)]

     [ 
https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Saisai Shao resolved SPARK-18061.
---------------------------------
       Resolution: Fixed
    Fix Version/s: 2.3.0

Issue resolved by pull request 18628
[https://github.com/apache/spark/pull/18628]

> Spark Thriftserver needs to create SPNego principal
> ---------------------------------------------------
>
>                 Key: SPARK-18061
>                 URL: https://issues.apache.org/jira/browse/SPARK-18061
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.6.1, 2.0.1
>            Reporter: Chandana Mirashi
>             Fix For: 2.3.0
>
>
> Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a 
> 401 authentication error when receiving beeline HTTP request (with end user 
> as kerberos principal). The similar command works with Hive Thriftserver.
> What we find is Hive thriftserver CLI service creates both hive service and 
> SPNego principal when kerberos is enabled whereas Spark Thriftserver
> only creates hive service principal.
> {code:title=CLIService.java|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled()) {
>       try {
>         HiveAuthFactory.loginFromKeytab(hiveConf);
>         this.serviceUGI = Utils.getUGI();
>       } catch (IOException e) {
>         throw new ServiceException("Unable to login to kerberos with given 
> principal/keytab", e);
>       } catch (LoginException e) {
>         throw new ServiceException("Unable to login to kerberos with given 
> principal/keytab", e);
>       }
>       // Also try creating a UGI object for the SPNego principal
>       String principal = 
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
>       String keyTabFile = 
> hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
>       if (principal.isEmpty() || keyTabFile.isEmpty()) {
>         LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
>             ", ketabFile: " + keyTabFile);
>       } else {
>         try {
>           this.httpUGI = 
> HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
>           LOG.info("SPNego httpUGI successfully created.");
>         } catch (IOException e) {
>           LOG.warn("SPNego httpUGI creation failed: ", e);
>         }
>       }
>     }
> {code}
> {code:title=SparkSQLCLIService.scala|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled) {
>       try {
>         HiveAuthFactory.loginFromKeytab(hiveConf)
>         sparkServiceUGI = Utils.getUGI()
>         setSuperField(this, "serviceUGI", sparkServiceUGI)
>       } catch {
>         case e @ (_: IOException | _: LoginException) =>
>           throw new ServiceException("Unable to login to kerberos with given 
> principal/keytab", e)
>       }
>     }
> {code}
> The patch will add missing SPNego principal to Spark Thriftserver.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org