Posted to commits@hive.apache.org by pr...@apache.org on 2016/12/09 22:57:45 UTC

[2/2] hive git commit: HIVE-15403: LLAP: Login with kerberos before starting the daemon (Prasanth Jayachandran reviewed by Sergey Shelukhin)

HIVE-15403: LLAP: Login with kerberos before starting the daemon (Prasanth Jayachandran reviewed by Sergey Shelukhin)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/e8bf7255
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/e8bf7255
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/e8bf7255

Branch: refs/heads/master
Commit: e8bf725596d527040ec75ec460aae7a524064a45
Parents: 88e86b9
Author: Prasanth Jayachandran <pr...@apache.org>
Authored: Fri Dec 9 14:56:04 2016 -0800
Committer: Prasanth Jayachandran <pr...@apache.org>
Committed: Fri Dec 9 14:57:25 2016 -0800

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/llap/LlapUtil.java   | 45 ++++++++++++++++----
 .../hive/llap/daemon/impl/LlapDaemon.java       | 14 ++++--
 2 files changed, 48 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/e8bf7255/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
index 8352943..17913f0 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
@@ -57,15 +57,44 @@ public class LlapUtil {
     }
   }
 
+  /**
+   * Login using kerberos. But does not change the current logged in user.
+   *
+   * @param principal  - kerberos principal
+   * @param keytabFile - keytab file
+   * @return UGI
+   * @throws IOException - if keytab file cannot be found
+   */
   public static UserGroupInformation loginWithKerberos(
-      String principal, String keytabFile) throws IOException {
-    if (!UserGroupInformation.isSecurityEnabled()) return null;
-    if (principal.isEmpty() || keytabFile.isEmpty()) {
-      throw new RuntimeException("Kerberos principal and/or keytab are empty");
-    }
-    LOG.info("Logging in as " + principal + " via " + keytabFile);
-    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(
-        SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keytabFile);
+    String principal, String keytabFile) throws IOException {
+    if (!UserGroupInformation.isSecurityEnabled()) {
+      return null;
+    }
+    if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
+      throw new RuntimeException("Kerberos principal and/or keytab are null or empty");
+    }
+    final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
+    LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile);
+    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(serverPrincipal, keytabFile);
+  }
+
+  /**
+   * Login using kerberos and also updates the current logged in user
+   *
+   * @param principal  - kerberos principal
+   * @param keytabFile - keytab file
+   * @throws IOException - if keytab file cannot be found
+   */
+  public static void loginWithKerberosAndUpdateCurrentUser(String principal, String keytabFile) throws IOException {
+    if (!UserGroupInformation.isSecurityEnabled()) {
+      return;
+    }
+    if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
+      throw new RuntimeException("Kerberos principal and/or keytab is null or empty");
+    }
+    final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
+    LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile + " and updating current logged in user");
+    UserGroupInformation.loginUserFromKeytab(serverPrincipal, keytabFile);
   }
 
   private final static Pattern hostsRe = Pattern.compile("[^A-Za-z0-9_-]");
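Review bot: The null/empty check and the `SecurityUtil.getServerPrincipal(principal, "0.0.0.0")` call are now duplicated in `loginWithKerberos` and `loginWithKerberosAndUpdateCurrentUser`, and the two exception messages already differ ("are" vs "is"), so the copies are likely to drift. A private helper that validates the inputs and resolves the principal would leave a single place to audit on the login path. The Javadoc is also narrower than the code: `loginWithKerberos` returns `null` when security is disabled, both methods throw an unchecked `RuntimeException` on a missing principal or keytab, and the `IOException` presumably covers any failed keytab login rather than only a missing file. The second method's Javadoc should also say that `loginUserFromKeytab` replaces the login user for the whole JVM, not just for the caller.

```java
  // Validates the configured principal/keytab and expands the principal once for both login paths.
  private static String resolveServerPrincipal(String principal, String keytabFile)
      throws IOException {
    if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
      throw new RuntimeException("Kerberos principal and/or keytab are null or empty");
    }
    return SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
  }

  public static UserGroupInformation loginWithKerberos(
      String principal, String keytabFile) throws IOException {
    // … unchanged: isSecurityEnabled() guard returning null …
    final String serverPrincipal = resolveServerPrincipal(principal, keytabFile);
    // … unchanged: LOG.info and loginUserFromKeytabAndReturnUGI call …

  public static void loginWithKerberosAndUpdateCurrentUser(String principal, String keytabFile) throws IOException {
    // … unchanged: isSecurityEnabled() guard …
    final String serverPrincipal = resolveServerPrincipal(principal, keytabFile);
    // … unchanged: LOG.info and loginUserFromKeytab call …
```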

http://git-wip-us.apache.org/repos/asf/hive/blob/e8bf7255/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
index d90b156..b7e05d3 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
@@ -63,6 +63,7 @@ import org.apache.hadoop.hive.ql.udf.generic.GenericUDF;
 import org.apache.hadoop.hive.ql.udf.generic.GenericUDFBridge;
 import org.apache.hadoop.hive.ql.udf.generic.GenericUDFBridge.UdfWhitelistChecker;
 import org.apache.hadoop.metrics2.util.MBeans;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.service.CompositeService;
 import org.apache.hadoop.util.ExitUtil;
@@ -141,13 +142,20 @@ public class LlapDaemon extends CompositeService implements ContainerRunner, Lla
     }
     String hostName = MetricsUtils.getHostName();
     try {
-      daemonId = new DaemonId(UserGroupInformation.getCurrentUser().getShortUserName(),
-          LlapUtil.generateClusterName(daemonConf), hostName, appName, System.currentTimeMillis());
+      // re-login with kerberos. This makes sure all daemons have the same login user.
+      if (UserGroupInformation.isSecurityEnabled()) {
+        final String daemonPrincipal = HiveConf.getVar(daemonConf, ConfVars.LLAP_KERBEROS_PRINCIPAL);
+        final String daemonKeytab = HiveConf.getVar(daemonConf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE);
+        LlapUtil.loginWithKerberosAndUpdateCurrentUser(daemonPrincipal, daemonKeytab);
+      }
+      String currentUser = UserGroupInformation.getCurrentUser().getShortUserName();
+      LOG.info("Starting daemon as user: {}", currentUser);
+      daemonId = new DaemonId(currentUser, LlapUtil.generateClusterName(daemonConf),
+        hostName, appName, System.currentTimeMillis());
     } catch (IOException ex) {
       throw new RuntimeException(ex);
     }
 
-
     this.maxJvmMemory = getTotalHeapSize();
     this.llapIoEnabled = ioEnabled;
     this.executorMemoryPerInstance = executorMemoryBytes;
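Review bot: `UserGroupInformation.getCurrentUser()` after the re-login returns the login user only when no Subject is attached to the calling context. If this code is ever reached inside a `doAs`, `currentUser` and the `DaemonId` would carry the caller's identity rather than the keytab principal the new comment promises. If the keytab identity is what is wanted, `String currentUser = UserGroupInformation.getLoginUser().getShortUserName();` states that directly. The outer `if (UserGroupInformation.isSecurityEnabled())` repeats the guard already inside `loginWithKerberosAndUpdateCurrentUser`. The catch wraps a failed login in a bare `RuntimeException(ex)`; a message naming the principal and keytab settings would make a startup failure easier to triage. The enclosing method (apparently the `LlapDaemon` constructor) begins and ends outside this hunk.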