Robert, Thanks for the quick reply! Unfortunately Hive doesn't have any notion of an assertion, and we want to halt the job under certain conditions. So it's necessary to run Hive from the shell and check the output.
It sounds like shipping the keytab as part of the job may be the way forward for now, since I can't get Hive to pick up the delegation token, and Impala won't support it anyways. Cheers, Alan On Fri, Aug 29, 2014 at 1:57 PM, Robert Kanter <[email protected]> wrote: > Hi Alan, > > For the Hive shell actions: why not simply use the Hive action? You need > to also inject the credentials in the MR jobs launched by HiveCLI, but that > might not be possible from the shell action. > > For the impala shell actions: Impala doesn't currently support delegation > tokens, which is why we don't have an Impala action yet (OOZIE-1591 > <https://issues.apache.org/jira/browse/OOZIE-1591>). You'll need to > actually ship the Kerberos keytab with the action, or make it available on > every node in the cluster, and have the shell script do a kinit. I > personally haven't tried this, but I have heard of others who do this. > > > - Robert > > > > > On Fri, Aug 29, 2014 at 10:30 AM, Alan Gardner <[email protected]> > wrote: > > > Hi, > > > > I'm on CDH5, trying to move an Oozie flow from an unsecured cluster to a > > Kerberized one. I've configured the <credentials> section of the flow, > and > > the hive actions work properly. However, a few stages use shell actions > > with the Hive CLI, and these fail even though I've included "SET > > mapreduce.job.credentials.binary=$HADOOP_TOKEN_FILE_LOCATION;" as the > first > > line. Scripts which only hit the metastore work fine (ex. "SHOW TABLES"), > > but I can't submit queries that require MR jobs (this on MRv2). > > > > Any advice? > > > > P.S. I also have actions which use impala-shell, which doesn't seem to > pick > > up on the delegation token. But the Hive queries are my primary concern. > > > > Thanks, > > Alan > > > > -- > > > > > > -- > > > > > > > > > -- Alan Gardner Solutions Architect - CTO Office [email protected] | LinkedIn: http://www.linkedin.com/profile/view?id=65508699 | @alanctgardner <https://twitter.com/alanctgardner> Tel: +1 613 565 8696 x1218 Mobile: +1 613 897 5655 -- --
