Posted to dev@hive.apache.org by "Rémy SAISSY (JIRA)" <ji...@apache.org> on 2014/08/20 11:07:25 UTC

[jira] [Created] (HIVE-7798) Authentication tokens lost in a UDTF on a secure cluster

Rémy SAISSY created HIVE-7798:
---------------------------------

             Summary: Authentication tokens lost in a UDTF on a secure cluster
                 Key: HIVE-7798
                 URL: https://issues.apache.org/jira/browse/HIVE-7798
             Project: Hive
          Issue Type: Bug
          Components: UDF
    Affects Versions: 0.13.0
            Reporter: Rémy SAISSY


Context:
 - Secure Cluster running Hive 0.13, Hadoop 2.4 and HBase 0.98 (HDP 2.1)
 - UDTF written in Java

Action:
In the UDTF, HBase is contacted through its Java API in order to add a few records. However, any request to HBase fails because tokens are not passed to the call to HBase.

Executing the following code in the UDTF:
Configuration conf = HBaseConfiguration.create();
UserGroupInformation.setConfiguration(conf);
HTable hbaseErrorTable = new HTable(conf, "foo :foo");

Leads to this error:
2014-07-22 14:44:04,134 DEBUG [main] org.apache.hadoop.ipc.RpcClient: Connecting to node2.cluster.fr/10.197.40.54:60020
2014-07-22 14:44:04,135 DEBUG [main] org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:expecteduser (auth:SIMPLE) from:org.apache.hadoop.hbase.ipc.RpcClient$Connection.setupIOstreams(RpcClient.java:915)
2014-07-22 14:44:04,135 DEBUG [main] org.apache.hadoop.hbase.security.HBaseSaslRpcClient: Creating SASL GSSAPI client. Server's Kerberos principal name is hbase/node2.cluster.fr@REALM
2014-07-22 14:44:04,137 DEBUG [main] org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:expecteduser (auth:SIMPLE) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2014-07-22 14:44:04,138 DEBUG [main] org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:expecteduser (auth:SIMPLE) from:org.apache.hadoop.hbase.ipc.RpcClient$Connection.handleSaslConnectionFailure(RpcClient.java:818)
2014-07-22 14:44:04,138 WARN [main] org.apache.hadoop.ipc.RpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2014-07-22 14:44:04,138 FATAL [main] org.apache.hadoop.ipc.RpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.

The workaround is to add the following in the UDTF before actually contacting HBase:

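import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import javax.security.auth.Subject;
import org.apache.hadoop.security.UserGroupInformation;

public static void logFromKeytabAndLogoutCurrentUser(String user, String path) throws IOException
{
    //UserGroupInformation.loginUserFromKeytab("expecteduser@REALM", "/etc/security/keytabs/expecteduser.headless.keytab");
    // Perform a fresh Kerberos login from the given keytab.
    UserGroupInformation.loginUserFromKeytab(user, path);
    // Remove all principals and credentials from the Subject associated
    // with the current AccessControlContext.
    AccessControlContext context = AccessController.getContext();
    Subject subject = Subject.getSubject(context);
    subject.getPrincipals().clear();
    subject.getPrivateCredentials().clear();
    subject.getPublicCredentials().clear();
}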

However, this implies having the keytab in order to perform a new authentication from inside the UDTF.

I'm not sure whether this bug is related to Hive UDTF or to YARN Containers.



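A diagnostic for the failure reported above, as an added example that is not part of the original report or of Hive's code: it lists the authentication method and the delegation-token kinds carried by the UserGroupInformation the UDTF runs under, so the auth:SIMPLE / missing-TGT log lines can be checked against what credentials are actually present. The class name UgiCredentialReport is hypothetical, and the token kind HBASE_AUTH_TOKEN is an assumption about the HBase version in use.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/** Added diagnostic (hypothetical class name): reports the credentials visible to the caller. */
public final class UgiCredentialReport {
    // Assumed kind string of HBase delegation tokens.
    private static final Text HBASE_TOKEN_KIND = new Text("HBASE_AUTH_TOKEN");

    private UgiCredentialReport() {}

    /** Returns one line per fact; log the result in the UDTF before opening the HTable. */
    public static List<String> describe() throws IOException {
        List<String> out = new ArrayList<String>();
        UserGroupInformation current = UserGroupInformation.getCurrentUser();
        UserGroupInformation login = UserGroupInformation.getLoginUser();

        out.add("current=" + current.getUserName()
                + " auth=" + current.getAuthenticationMethod()
                + " kerberosCreds=" + current.hasKerberosCredentials());
        out.add("login=" + login.getUserName()
                + " auth=" + login.getAuthenticationMethod());

        boolean hbaseToken = false;
        for (Token<? extends TokenIdentifier> t : current.getTokens()) {
            // Only kind and service are reported; never log getPassword()
            // or encodeToUrlString(), which expose the token secret.
            out.add("token kind=" + t.getKind() + " service=" + t.getService());
            hbaseToken |= HBASE_TOKEN_KIND.equals(t.getKind());
        }
        out.add("hbaseDelegationToken=" + hbaseToken);
        return out;
    }
}
```

A report showing auth=SIMPLE, kerberosCreds=false and no HBase token is consistent with the GSSAPI attempt and the "Failed to find any Kerberos tgt" error in the log above.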