hive-issues mailing list archives

From "Siddharth Seth (JIRA)" <>
Subject [jira] [Commented] (HIVE-13391) add an option to LLAP to use keytab to authenticate to read data
Date Thu, 31 Mar 2016 22:07:26 GMT


Siddharth Seth commented on HIVE-13391:

We have to login from keytab and then doAs - maybe we can do that right when the daemon starts
up - so that all other execution is within this context. I believe threads etc are taken care
Tez does not do any kerberos logins. What it does instead is to create a ugi with the tokens
- and run everything within a doAs block using this ugi. I'd imagine it will be the same for
a ugi with kerberos credentials.

For the tokens - I don't think we need to retain this functionality at all. For regular Tez
jobs - the kerberos login should be sufficient (including to talk to HBase etc).

FileSystem.get() - eventually goes and looks up a cache to see if an instance has already
been created. That uses the ugi as a key. In ContainerRunner (or somewhere in the execution
code) - we go and do a FileSystem.closeAllForUgi() - to get rid of FileSystem instances which
were created for a fragment. With a single ugi - a single FS ends up getting used, and the
closeAll cannot be invoked. The perf implications of this are something I'm not sure about.

> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>                 Key: HIVE-13391
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13391.patch
> This can be used for non-doAs case to allow access to clients who don't propagate HDFS

This message was sent by Atlassian JIRA
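
The login-then-doAs pattern and the ugi-keyed FileSystem cache discussed in the comment above, as an added example that is not part of the original message or of Hive's code. The class name, the user names and the optional principal/keytab arguments are assumptions; it needs hadoop-common on the classpath, uses the local file system, and calls the Hadoop method by its actual spelling, `FileSystem.closeAllForUGI`.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiFsCacheDemo {
  // FileSystem.get() inside doAs: the cache lookup is keyed by this ugi.
  static FileSystem fsAs(UserGroupInformation ugi, Configuration conf) throws Exception {
    return ugi.doAs((PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
  }

  public static void main(String[] args) throws Exception {
    // Default fs.defaultFS is file:///, so no cluster is needed for the cache behaviour.
    Configuration conf = new Configuration();

    // Daemon-wide identity, created once at startup.
    // args = <principal> <keytab path> (assumed CLI) performs the keytab login;
    // without args a plain remote-user ugi stands in so the demo runs offline.
    UserGroupInformation daemonUgi;
    if (args.length == 2) {
      UserGroupInformation.setConfiguration(conf);
      daemonUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(args[0], args[1]);
    } else {
      daemonUgi = UserGroupInformation.createRemoteUser("llap-daemon"); // constructed name
    }

    // Single ugi: every fragment that runs under it shares one cached instance.
    FileSystem a = fsAs(daemonUgi, conf);
    FileSystem b = fsAs(daemonUgi, conf);
    System.out.println("same ugi shares instance: " + (a == b));

    // Per-fragment ugi: its own cache entry, which can be closed on its own.
    UserGroupInformation fragmentUgi = UserGroupInformation.createRemoteUser("fragment-1");
    FileSystem c = fsAs(fragmentUgi, conf);
    System.out.println("fragment ugi has own instance: " + (a != c));
    FileSystem.closeAllForUGI(fragmentUgi);
    System.out.println("daemon instance still cached: " + (a == fsAs(daemonUgi, conf)));

    // Closing for the shared ugi drops the instance that every fragment is using,
    // which is why a per-fragment closeAll does not fit the single-ugi model.
    FileSystem.closeAllForUGI(daemonUgi);
    System.out.println("new instance after closeAll: " + (a != fsAs(daemonUgi, conf)));
  }
}
```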
