Posted to commits@hive.apache.org by pr...@apache.org on 2016/12/09 22:57:45 UTC
[2/2] hive git commit: HIVE-15403: LLAP: Login with kerberos before
starting the daemon (Prasanth Jayachandran reviewed by Sergey Shelukhin)
HIVE-15403: LLAP: Login with kerberos before starting the daemon (Prasanth Jayachandran reviewed by Sergey Shelukhin)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/e8bf7255
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/e8bf7255
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/e8bf7255
Branch: refs/heads/master
Commit: e8bf725596d527040ec75ec460aae7a524064a45
Parents: 88e86b9
Author: Prasanth Jayachandran <pr...@apache.org>
Authored: Fri Dec 9 14:56:04 2016 -0800
Committer: Prasanth Jayachandran <pr...@apache.org>
Committed: Fri Dec 9 14:57:25 2016 -0800
----------------------------------------------------------------------
.../org/apache/hadoop/hive/llap/LlapUtil.java | 45 ++++++++++++++++----
.../hive/llap/daemon/impl/LlapDaemon.java | 14 ++++--
2 files changed, 48 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/e8bf7255/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
----------------------------------------------------------------------
diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
index 8352943..17913f0 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
@@ -57,15 +57,44 @@ public class LlapUtil {
}
}
+ /**
+ * Login using kerberos. But does not change the current logged in user.
+ *
+ * @param principal - kerberos principal
+ * @param keytabFile - keytab file
+ * @return UGI
+ * @throws IOException - if keytab file cannot be found
+ */
public static UserGroupInformation loginWithKerberos(
- String principal, String keytabFile) throws IOException {
- if (!UserGroupInformation.isSecurityEnabled()) return null;
- if (principal.isEmpty() || keytabFile.isEmpty()) {
- throw new RuntimeException("Kerberos principal and/or keytab are empty");
- }
- LOG.info("Logging in as " + principal + " via " + keytabFile);
- return UserGroupInformation.loginUserFromKeytabAndReturnUGI(
- SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keytabFile);
+ String principal, String keytabFile) throws IOException {
+ if (!UserGroupInformation.isSecurityEnabled()) {
+ return null;
+ }
+ if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
+ throw new RuntimeException("Kerberos principal and/or keytab are null or empty");
+ }
+ final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
+ LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile);
+ return UserGroupInformation.loginUserFromKeytabAndReturnUGI(serverPrincipal, keytabFile);
+ }
+
+ /**
+ * Login using kerberos and also updates the current logged in user
+ *
+ * @param principal - kerberos principal
+ * @param keytabFile - keytab file
+ * @throws IOException - if keytab file cannot be found
+ */
+ public static void loginWithKerberosAndUpdateCurrentUser(String principal, String keytabFile) throws IOException {
+ if (!UserGroupInformation.isSecurityEnabled()) {
+ return;
+ }
+ if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
+ throw new RuntimeException("Kerberos principal and/or keytab is null or empty");
+ }
+ final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
+ LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile + " and updating current logged in user");
+ UserGroupInformation.loginUserFromKeytab(serverPrincipal, keytabFile);
}
private final static Pattern hostsRe = Pattern.compile("[^A-Za-z0-9_-]");
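Review bot: The Javadoc on `loginWithKerberos` says only `@return UGI`, but the first guard returns `null` when `UserGroupInformation.isSecurityEnabled()` is false, and neither new Javadoc mentions the `RuntimeException` thrown for a null or empty principal or keytab. I would document both, e.g. `@return the logged-in UGI, or null when security is not enabled` and `@throws RuntimeException if principal or keytabFile is null or empty`. The Javadoc of `loginWithKerberosAndUpdateCurrentUser` should also say that `loginUserFromKeytab` replaces the login user for the whole process, so callers know it is meant for startup only. The null/empty guard and the `getServerPrincipal` call are duplicated across the two methods with slightly different messages ("are" vs "is") and could move into one private helper.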
http://git-wip-us.apache.org/repos/asf/hive/blob/e8bf7255/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
----------------------------------------------------------------------
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
index d90b156..b7e05d3 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
@@ -63,6 +63,7 @@ import org.apache.hadoop.hive.ql.udf.generic.GenericUDF;
import org.apache.hadoop.hive.ql.udf.generic.GenericUDFBridge;
import org.apache.hadoop.hive.ql.udf.generic.GenericUDFBridge.UdfWhitelistChecker;
import org.apache.hadoop.metrics2.util.MBeans;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.CompositeService;
import org.apache.hadoop.util.ExitUtil;
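Review bot: The added `import org.apache.hadoop.security.SecurityUtil;` does not appear to be used: the only other changes to this file call `LlapUtil.loginWithKerberosAndUpdateCurrentUser`, which resolves the principal itself. The diffstat's 14 changed lines for this file are all accounted for in the two hunks shown, so unless existing code outside them needs it, the import can be dropped.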
@@ -141,13 +142,20 @@ public class LlapDaemon extends CompositeService implements ContainerRunner, Lla
}
String hostName = MetricsUtils.getHostName();
try {
- daemonId = new DaemonId(UserGroupInformation.getCurrentUser().getShortUserName(),
- LlapUtil.generateClusterName(daemonConf), hostName, appName, System.currentTimeMillis());
+ // re-login with kerberos. This makes sure all daemons have the same login user.
+ if (UserGroupInformation.isSecurityEnabled()) {
+ final String daemonPrincipal = HiveConf.getVar(daemonConf, ConfVars.LLAP_KERBEROS_PRINCIPAL);
+ final String daemonKeytab = HiveConf.getVar(daemonConf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE);
+ LlapUtil.loginWithKerberosAndUpdateCurrentUser(daemonPrincipal, daemonKeytab);
+ }
+ String currentUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ LOG.info("Starting daemon as user: {}", currentUser);
+ daemonId = new DaemonId(currentUser, LlapUtil.generateClusterName(daemonConf),
+ hostName, appName, System.currentTimeMillis());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
-
this.maxJvmMemory = getTotalHeapSize();
this.llapIoEnabled = ioEnabled;
this.executorMemoryPerInstance = executorMemoryBytes;
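Review bot: The `catch (IOException ex)` after the added block now also covers a failed keytab login, yet it still rethrows a bare `new RuntimeException(ex)`, so the top-level error does not say that the daemon's Kerberos login is what failed. Consider `throw new RuntimeException("LLAP daemon Kerberos login or current-user lookup failed", ex);`. A missing `LLAP_KERBEROS_PRINCIPAL` or `LLAP_KERBEROS_KEYTAB_FILE` surfaces only as the generic "null or empty" message from `LlapUtil`, and naming the two config keys there or here would make a misconfigured secure cluster easier to diagnose. The enclosing constructor starts and ends outside this hunk.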