I have a question about Hive + Kerberos. Perhaps I'm missing something, perhaps it's an oversight, perhaps it's a bug.
I can get a TGT ticket using kinit, but it's easier for me to get one using JAAS since there's no dependency on an external command and I can nuke the keytab file immediately after I've authenticated myself. (Obviously I keep a protected copy around somewhere, it's just not available for anyone with the right access to be able to use.)

The code looks something like:

1. create LoginContext
2. login using keytab file, etc.
3. make privileged call to create Connection within Subject.doAs(lc.getSubject(), ...) call.

However the DriverManager.getConnection() ultimately calls some Hive code which in turn creates a UserGroupInformation object. I have a valid Subject but it looks like the UGI ignores it and wants a TGT created by the external kinit command.

I tried creating the object myself but UGI uses its own implementation of Principal. That means that I can't use UserGroupInformation.createUGIFromSubject() because:

1. using a Subject with a KerberosPrincipal says the User object (from where?) returns a null value and it throws an exception,
2. using a Subject with a KerberosPrincipal and a User created with a bit of reflection still returns that null value, probably because the code that grabs the User principal off the list of privateCredentials just grabs the first one so it still sees the one above.
3. using a Subject where I explicitly remove the KerberosPrincipal after adding that User created with a bit of reflection results in an error since I don't have a KerberosPrincipal for my subject.

I know that UserGroupInformation is a Hadoop class, not a Hive class, but maybe there are some insights here since the Hive JDBC Driver uses it behind the scenes.

Am I missing something? I can't be the only person who wants to manage their own Subject while connecting to a Hive instance.

Bear Giles
Sr. Java Application Engineer
bgi...@snaplogic.com
Mobile: 720-354-0766
SnapLogic.com <http://www.snaplogic.com/> | We're Hiring <http://www.snaplogic.com/about-us/jobs>!