You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Saisai Shao (JIRA)" <ji...@apache.org> on 2017/09/06 01:41:02 UTC
[jira] [Resolved] (SPARK-18061) Spark Thriftserver needs to create
SPNego principal
[ https://issues.apache.org/jira/browse/SPARK-18061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Saisai Shao resolved SPARK-18061.
---------------------------------
Resolution: Fixed
Fix Version/s: 2.3.0
Issue resolved by pull request 18628
[https://github.com/apache/spark/pull/18628]
> Spark Thriftserver needs to create SPNego principal
> ---------------------------------------------------
>
> Key: SPARK-18061
> URL: https://issues.apache.org/jira/browse/SPARK-18061
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 1.6.1, 2.0.1
> Reporter: Chandana Mirashi
> Fix For: 2.3.0
>
>
> Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a 401 authentication error when receiving beeline HTTP request (with end user as kerberos principal). The similar command works with Hive Thriftserver.
> What we find is Hive thriftserver CLI service creates both hive service and SPNego principal when kerberos is enabled whereas Spark Thriftserver
> only creates hive service principal.
> {code:title=CLIService.java|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled()) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf);
> this.serviceUGI = Utils.getUGI();
> } catch (IOException e) {
> throw new ServiceException("Unable to login to kerberos with given principal/keytab", e);
> } catch (LoginException e) {
> throw new ServiceException("Unable to login to kerberos with given principal/keytab", e);
> }
> // Also try creating a UGI object for the SPNego principal
> String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
> String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
> if (principal.isEmpty() || keyTabFile.isEmpty()) {
> LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
> ", ketabFile: " + keyTabFile);
> } else {
> try {
> this.httpUGI = HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
> LOG.info("SPNego httpUGI successfully created.");
> } catch (IOException e) {
> LOG.warn("SPNego httpUGI creation failed: ", e);
> }
> }
> }
> {code}
> {code:title=SparkSQLCLIService.scala|borderStyle=solid}
> if (UserGroupInformation.isSecurityEnabled) {
> try {
> HiveAuthFactory.loginFromKeytab(hiveConf)
> sparkServiceUGI = Utils.getUGI()
> setSuperField(this, "serviceUGI", sparkServiceUGI)
> } catch {
> case e @ (_: IOException | _: LoginException) =>
> throw new ServiceException("Unable to login to kerberos with given principal/keytab", e)
> }
> }
> {code}
> The patch will add missing SPNego principal to Spark Thriftserver.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org