You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Vishal Suvagia (JIRA)" <ji...@apache.org> on 2017/05/31 06:34:04 UTC

[jira] [Created] (AMBARI-21154) Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache

Vishal Suvagia created AMBARI-21154:
---------------------------------------

             Summary: Add JAAS config properties for Atlas Hive hook in HiveCli to use kerberos ticket-cache
                 Key: AMBARI-21154
                 URL: https://issues.apache.org/jira/browse/AMBARI-21154
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.5.1
            Reporter: Vishal Suvagia
            Assignee: Vishal Suvagia
            Priority: Minor
             Fix For: 2.5.2


In a kerberized environment, Atlas hook uses JAAS configuration section named "KakfaClient" to authenticate with Kafka broker. In a typical Hive deployment this configuration section is set to use the keytab and principal of HiveServer2 process. The hook running in HiveCLI might fail to authenticate with Kafka if the user can't read the configured keytab.

Given that HiveCLI users would have performed kinit, the hook in HiveCLI should use the ticket-cache generated by kinit. When ticket cache is not available (for example in HiveServer2), the hook should use the configuration provided in KafkaClient JAAS section

As a solution need to add below in {{hive atlas-application.properties}} by default if atlas-hive hook is enabled in secure mode
{code:none}
atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
{code}





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)