Posted to dev@sqoop.apache.org by "Dian Fu (JIRA)" <ji...@apache.org> on 2015/12/25 09:05:49 UTC

[jira] [Comment Edited] (SQOOP-2756) Sqoop2: Add impersonation support for kite hive

    [ https://issues.apache.org/jira/browse/SQOOP-2756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15071410#comment-15071410 ] 

Dian Fu edited comment on SQOOP-2756 at 12/25/15 8:05 AM:
----------------------------------------------------------

After investigation of this issue, I found that the root cause of this issue is as follows:
* User {{Sqoop2}} impersonates {{SqoopClient}} and tries to connect to Hive Metastore.
* Hive Metastore only supports token-based proxy users, so authentication failed.

The solution can be as follows:
* User {{Sqoop2}} creates a delegation token with name {{SqoopImpersonationToken}} for user {{SqoopClient}} in the {{initialize}} method of {{KiteToInitializer/KiteFromInitializer}}
* Add the generated delegation token into the proxy user UGI and set configuration {{hive.metastore.token.signature}} to {{SqoopImpersonationToken}}
* Access Hive Metastore with this UGI

PS: HCatalog takes a similar approach to impersonate another user. I have verified that the above method can work.

But I encountered the following issue which blocked me:
* There is no proper way to set configuration {{hive.metastore.token.signature}} as Kite doesn't expose the configuration object.

Any thoughts?



> Sqoop2: Add impersonation support for kite hive
> -----------------------------------------------
>
>                 Key: SQOOP-2756
>                 URL: https://issues.apache.org/jira/browse/SQOOP-2756
>             Project: Sqoop
>          Issue Type: Sub-task
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>             Fix For: 1.99.7
>
>
> Based on the patch of SQOOP-2752 (that's to say adding impersonation support for kite), when I run test case {{FromRDBMSToKiteHiveTest}} on a secured mini cluster, I encountered the following exception:
> {code}
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>         at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>         at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>         at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
>         at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
>         at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
>         at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
>         at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:409)
>         at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:230)
>         at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:175)
>         at org.kitesdk.data.spi.hive.MetaStoreUtil.<init>(MetaStoreUtil.java:82)
>         at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.getMetaStoreUtil(HiveAbstractMetadataProvider.java:63)
>         at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.resolveNamespace(HiveAbstractMetadataProvider.java:270)
>         at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.resolveNamespace(HiveAbstractMetadataProvider.java:255)
>         at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.exists(HiveAbstractMetadataProvider.java:159)
>         at org.kitesdk.data.spi.filesystem.FileSystemDatasetRepository.exists(FileSystemDatasetRepository.java:257)
>         at org.kitesdk.data.Datasets.exists(Datasets.java:629)
>         at org.kitesdk.data.Datasets.exists(Datasets.java:646)
>         at org.apache.sqoop.connector.kite.KiteToInitializer$2.run(KiteToInitializer.java:75)
>         at org.apache.sqoop.connector.kite.KiteToInitializer$2.run(KiteToInitializer.java:69)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
> {code}



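The three steps proposed in the comment above, sketched as an added example that is not code from Sqoop, Kite or the original poster. It talks to the metastore through HiveMetaStoreClient directly rather than through Kite, so it does not address the blocker about Kite hiding the configuration object. The class and method names are hypothetical; it assumes a hive-site.xml on the classpath pointing at a SASL-enabled metastore, a service process already logged in from its keytab, and proxy-user rules that let the service user act for the end user.

```java
import java.security.PrivilegedExceptionAction;
import java.util.List;

import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class MetastoreImpersonationExample {  // hypothetical class name
  // Token name from the comment; used as the token's service field and as the signature.
  static final String SIGNATURE = "SqoopImpersonationToken";

  public static List<String> listDatabasesAs(String endUser) throws Exception {
    // Step 1: the Kerberos-authenticated service user asks the metastore
    // for a delegation token owned by the end user.
    UserGroupInformation realUser = UserGroupInformation.getLoginUser();
    HiveMetaStoreClient serviceClient = new HiveMetaStoreClient(new HiveConf());
    String tokenStr;
    try {
      tokenStr = serviceClient.getDelegationToken(endUser, realUser.getShortUserName());
    } finally {
      serviceClient.close();
    }

    // Step 2: attach the token to the proxy UGI under the chosen signature and
    // tell the metastore client which token to select. The proxy UGI holds no TGT.
    Token<TokenIdentifier> token = new Token<TokenIdentifier>();
    token.decodeFromUrlString(tokenStr);
    token.setService(new Text(SIGNATURE));
    UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(endUser, realUser);
    proxyUgi.addToken(token);
    final HiveConf proxyConf = new HiveConf();
    proxyConf.set("hive.metastore.token.signature", SIGNATURE);

    // Step 3: open the metastore connection inside doAs so the SASL handshake
    // authenticates with the delegation token instead of attempting Kerberos.
    return proxyUgi.doAs(new PrivilegedExceptionAction<List<String>>() {
      @Override
      public List<String> run() throws Exception {
        HiveMetaStoreClient client = new HiveMetaStoreClient(proxyConf);
        try {
          return client.getAllDatabases();
        } finally {
          client.close();
        }
      }
    });
  }
}
```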