You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2015/06/16 00:56:02 UTC

[jira] [Commented] (HIVE-11010) Accumulo storage handler queries via HS2 fail

    [ https://issues.apache.org/jira/browse/HIVE-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14587091#comment-14587091 ] 

Josh Elser commented on HIVE-11010:
-----------------------------------

Thanks for filing this. Was doing some debugging with [~taksaito] with the AccumuloStorageHandler -- loaded some data in both HBase and Accumulo, ran some Hive queries against both and found that when we ran the Accumulo queries via hiveserver (but not in the local client) both the queries would fail on the RPC handshakes. Short story, AccumuloStorageHandler queries with Kerberos on don't work with HiveServer2.

I think what was happening is that the additions to the AccumuloStorageHandler in HIVE-10857 don't work as expected because HS2 is going to be running with its own Kerberos credentials. I think we need to change how we set up the credentials inside of AccumuloStorageHandler so that it will work regardless of a local hive client or hs2 -- running a doAs with a PROXY instead of replacing the HS2 credentials.

The second half is that we'd need to make sure Accumulo itself is configured to allow HS2 to proxy on behalf of users -- not relevant for Hive code, but something to document for users to set up in Accumulo.

> Accumulo storage handler queries via HS2 fail
> ---------------------------------------------
>
>                 Key: HIVE-11010
>                 URL: https://issues.apache.org/jira/browse/HIVE-11010
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>    Affects Versions: 1.2.0, 1.2.1
>         Environment: Secure
>            Reporter: Takahiko Saito
>            Assignee: Josh Elser
>             Fix For: 1.2.1
>
>
> On Kerberized cluster, accumulo storage handler throws an error, "[usrname]@[principlaname] is not allowed to impersonate [username]" 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)