Posted to user@hive.apache.org by Bear Giles <bg...@snaplogic.com> on 2016/08/24 23:28:23 UTC

Hive + Kerberos question

I have a question about Hive + Kerberos. Perhaps I'm missing something,
perhaps it's an oversight, perhaps it's a bug.

I can get a TGT ticket using kinit, but it's easier for me to get one using
JAAS since there's no dependency on an external command and I can nuke the
keytab file immediately after I've authenticated myself. (Obviously I keep
a protected copy around somewhere, it's just not available for anyone with
the right access to be able to use.)

The code looks something like:

1. create LoginContext
2. login using keytab file, etc.
3. make privileged call to create Connection within
Subject.doAs(lc.getSubject(), ...) call.

However the DriverManager.getConnection() ultimately calls some Hive code
which in turn creates a UserGroupInformation object. I have a valid Subject
but it looks like the UGI ignores it and wants a TGT created by the
external kinit command.

I tried creating the object myself but UGI uses its own implementation of
Principal. That means that I can't use
UserGroupInformation.createUGIFromSubject() because:

1. using a Subject with a KerberosPrincipal says the User object (from
where?) returns a null value and it throws an exception.

2. using a Subject with a KerberosPrincipal and a User created with a bit
of reflection still returns that null value, probably because the code that
grabs the User principal off the list of privateCredentials just grabs the
first one so it still sees the one above.

3. using a Subject where I explicitly remove the KerberosPrincipal after
adding that User created with a bit of reflection results in an error since
I don't have a KerberosPrincipal for my subject.

I know that UserGroupInformation is a Hadoop class, not a Hive class, but
maybe there are some insights here since the Hive JDBC Driver uses it behind
the scenes.

Am I missing something? I can't be the only person who wants to manage
their own Subject while connecting to a Hive instance.



Bear Giles

Sr. Java Application Engineer
bgiles@snaplogic.com
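The three steps listed in the message (create a LoginContext, log in from a keytab, open the connection inside Subject.doAs), written out as an added example; this is not code from the original post or from the Hive project. The class name, the "hive-client" entry name, and the principal, keytab path and JDBC URL taken from the command line are assumptions, and the host and realm in the sample URL are constructed.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Hypothetical class name. Run with: <principal> <keytab path> <jdbc url>
// Constructed sample URL (host and realm are placeholders):
//   jdbc:hive2://hs2.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM;auth=kerberos;kerberosAuthType=fromSubject
// kerberosAuthType=fromSubject is the Hive JDBC URL property for a pre-authenticated Subject.
public class KeytabSubjectLogin {

    // In-memory JAAS configuration: no jaas.conf file and no external kinit.
    static Configuration keytabConfig(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("storeKey", "true");        // keys are kept in the Subject after login
        opts.put("doNotPrompt", "true");     // fail instead of asking for a password
        opts.put("useTicketCache", "false"); // never fall back to a kinit ticket cache
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String principal = args[0], keytab = args[1], jdbcUrl = args[2];
        // Steps 1 and 2: create the LoginContext and authenticate from the keytab.
        LoginContext lc = new LoginContext("hive-client", null, null, keytabConfig(principal, keytab));
        lc.login();
        Subject subject = lc.getSubject();
        // Step 3: open the JDBC connection as the authenticated Subject.
        try (Connection c = Subject.doAs(subject,
                (PrivilegedExceptionAction<Connection>) () -> DriverManager.getConnection(jdbcUrl))) {
            System.out.println("connected as " + subject.getPrincipals());
        } finally {
            lc.logout(); // drops the Kerberos credentials held by the Subject
        }
    }
}
```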