hive-issues mailing list archives

From "Siddharth Seth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-13391) add an option to LLAP to use keytab to authenticate to read data
Date Thu, 31 Mar 2016 22:07:26 GMT

    [ https://issues.apache.org/jira/browse/HIVE-13391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15220744#comment-15220744 ]

Siddharth Seth commented on HIVE-13391:
---------------------------------------

We have to login from keytab and then doAs - maybe we can do that right when the daemon starts
up - so that all other execution is within this context. I believe threads etc are taken care
of.
Tez does not do any kerberos logins. What it does instead is to create a ugi with the tokens
- and run everything within a doAs block using this ugi. I'd imagine it will be the same for
a ugi with kerberos credentials.

For the tokens - I don't think we need to retain this functionality at all. For regular Tez
jobs - the kerberos login should be sufficient (including to talk to HBase etc).

FileSystem.get() - eventually goes and looks up a cache to see if an instance has already
been created. That uses the ugi as a key. In ContainerRunner (or somewhere in the execution
code) - we go and do a FileSystem.closeAllForUgi() - to get rid of FileSystem instances which
were created for a fragment. With a single ugi - a single FS ends up getting used, and the
closeAll cannot be invoked. The perf implications of this are something I'm not sure about.

> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>
>                 Key: HIVE-13391
>                 URL: https://issues.apache.org/jira/browse/HIVE-13391
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13391.patch
>
>
> This can be used for non-doAs case to allow access to clients who don't propagate HDFS tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
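
The FileSystem cache behaviour discussed in the comment above, as an added example that is not part of the original message or of HIVE-13391.patch. It assumes hadoop-common on the classpath; the user names are constructed, and `createRemoteUser` stands in for the keytab login so the demo runs against the local file system without a KDC (the keytab variant, with placeholder principal and path, is shown in a comment).

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiFsCacheDemo {
  // Runs FileSystem.get() inside doAs so the cache lookup sees `ugi` as the current user.
  static FileSystem fsFor(UserGroupInformation ugi, Configuration conf) throws Exception {
    return ugi.doAs((PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("fs.defaultFS", "file:///"); // local FS so the demo needs no cluster

    // On a Kerberized cluster the daemon-wide UGI would come from a keytab instead
    // (principal and keytab path are placeholders, not values from the issue):
    //   UserGroupInformation.setConfiguration(conf);
    //   UserGroupInformation daemon = UserGroupInformation
    //       .loginUserFromKeytabAndReturnUGI("llap/host@EXAMPLE.COM", "/path/to/llap.keytab");
    UserGroupInformation daemon = UserGroupInformation.createRemoteUser("llap-daemon");

    // One UGI reused for every fragment: same cache key, so the same FileSystem object.
    FileSystem a = fsFor(daemon, conf);
    FileSystem b = fsFor(daemon, conf);
    System.out.println("shared UGI, same instance: " + (a == b));

    // Per-fragment UGIs: UGI equality is by Subject identity, so even an identical
    // user name yields separate cache entries that can be closed independently.
    UserGroupInformation frag1 = UserGroupInformation.createRemoteUser("alice");
    UserGroupInformation frag2 = UserGroupInformation.createRemoteUser("alice");
    FileSystem f1 = fsFor(frag1, conf);
    FileSystem f2 = fsFor(frag2, conf);
    System.out.println("per-fragment UGIs, same instance: " + (f1 == f2));

    // Per-fragment cleanup only touches that fragment's instances.
    FileSystem.closeAllForUGI(frag1);
    FileSystem.closeAllForUGI(frag2);

    // With the shared UGI this call closes the one instance every fragment uses,
    // so it is only safe at daemon shutdown, not at the end of a fragment.
    FileSystem.closeAllForUGI(daemon);
  }
}
```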
