You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Chaoyu Tang (JIRA)" <ji...@apache.org> on 2016/12/22 21:56:58 UTC

[jira] [Commented] (HIVE-15485) Investigate the DoAs failure in HoS

    [ https://issues.apache.org/jira/browse/HIVE-15485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15771202#comment-15771202 ] 

Chaoyu Tang commented on HIVE-15485:
------------------------------------

HIVE-14383 is the right way to renew the delegation token for a long running HoS session. Spark needs the principal/keytab passed in via --principal and --keytab options, and does the renewal by copying the keytab to the cluster and handling login to kerberos inside the application. 
But the option --principal, --keytab could not work with --proxy-user in spark-submit.sh as suggested by [~vanzin], so at this moment we could support either the token renewal or the impersonation, but not both.

> Investigate the DoAs failure in HoS
> -----------------------------------
>
>                 Key: HIVE-15485
>                 URL: https://issues.apache.org/jira/browse/HIVE-15485
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Chaoyu Tang
>            Assignee: Chaoyu Tang
>
> With DoAs enabled, HoS failed with following errors:
> {code}
> Exception in thread "main" org.apache.hadoop.security.AccessControlException: systest tries to renew a token with renewer hive
> 	at org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.renewToken(AbstractDelegationTokenSecretManager.java:484)
> 	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.renewDelegationToken(FSNamesystem.java:7543)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.renewDelegationToken(NameNodeRpcServer.java:555)
> 	at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.renewDelegationToken(AuthorizationProviderProxyClientProtocol.java:674)
> 	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.renewDelegationToken(ClientNamenodeProtocolServerSideTranslatorPB.java:999)
> 	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
> 	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617)
> 	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073)
> 	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2141)
> 	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2137)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1783)
> 	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2135)
> {code}
> It is related to the change from HIVE-14383. It looks like that SparkSubmit logs in Kerberos with passed in hive principal/keytab and then tries to create a hdfs delegation token for user systest with renewer hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)