Posted to issues@hive.apache.org by "Siddharth Seth (JIRA)" <ji...@apache.org> on 2016/04/01 00:07:26 UTC

[jira] [Commented] (HIVE-13391) add an option to LLAP to use keytab to authenticate to read data

    [ https://issues.apache.org/jira/browse/HIVE-13391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15220744#comment-15220744 ] 

Siddharth Seth commented on HIVE-13391:
---------------------------------------

We have to log in from keytab and then doAs - maybe we can do that right when the daemon starts up - so that all other execution is within this context. I believe threads etc. are taken care of.
Tez does not do any Kerberos logins. What it does instead is to create a ugi with the tokens - and run everything within a doAs block using this ugi. I'd imagine it will be the same for a ugi with Kerberos credentials.

For the tokens - I don't think we need to retain this functionality at all. For regular Tez jobs - the Kerberos login should be sufficient (including to talk to HBase etc.).

FileSystem.get() - eventually goes and looks up a cache to see if an instance has already been created. That uses the ugi as a key. In ContainerRunner (or somewhere in the execution code) - we go and do a FileSystem.closeAllForUgi() - to get rid of FileSystem instances which were created for a fragment. With a single ugi - a single FS ends up getting used, and the closeAll cannot be invoked. The perf implications of this are something I'm not sure about.

> add an option to LLAP to use keytab to authenticate to read data
> ----------------------------------------------------------------
>
>                 Key: HIVE-13391
>                 URL: https://issues.apache.org/jira/browse/HIVE-13391
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>         Attachments: HIVE-13391.patch
>
>
> This can be used for non-doAs case to allow access to clients who don't propagate HDFS tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
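
Added example, not part of the original message or of HIVE-13391.patch: a small Java program that contrasts the FileSystem cache behaviour for one daemon-wide ugi against a fresh ugi per fragment, using the Hadoop calls the comment refers to. The class name, the user names "llap-daemon" and "hive", and the use of the local file system are assumptions made so it runs with only hadoop-common on the classpath; pass a principal and keytab path as arguments to exercise the keytab login instead of the stand-in.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

// Added illustration (hypothetical class name); not code from the Hive or Tez code base.
public class UgiFsCacheDemo {

  // FileSystem.get() looks up a cache whose key includes the calling ugi,
  // so the instance returned depends on which ugi the doAs block runs under.
  static FileSystem fsAs(UserGroupInformation ugi, Configuration conf) throws Exception {
    return ugi.doAs((PrivilegedExceptionAction<FileSystem>) () -> FileSystem.get(conf));
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("fs.defaultFS", "file:///"); // assumption: local FS, no cluster needed
    boolean useKeytab = args.length == 2;  // args: <principal> <keytab path>
    if (useKeytab) {
      // Without this, loginUserFromKeytabAndReturnUGI just returns the current user.
      conf.set("hadoop.security.authentication", "kerberos");
    }
    UserGroupInformation.setConfiguration(conf);

    // Daemon-wide identity, created once at startup.
    UserGroupInformation daemonUgi = useKeytab
        ? UserGroupInformation.loginUserFromKeytabAndReturnUGI(args[0], args[1])
        : UserGroupInformation.createRemoteUser("llap-daemon"); // constructed stand-in

    // Single ugi: both "fragments" resolve to the same cache entry.
    FileSystem a = fsAs(daemonUgi, conf);
    FileSystem b = fsAs(daemonUgi, conf);
    System.out.println("single ugi, same FileSystem instance: " + (a == b));

    // Token-style execution: a new ugi per fragment means a new cache entry per
    // fragment, which is what closeAllForUGI() cleans up afterwards.
    UserGroupInformation frag1 = UserGroupInformation.createRemoteUser("hive");
    UserGroupInformation frag2 = UserGroupInformation.createRemoteUser("hive");
    FileSystem f1 = fsAs(frag1, conf);
    FileSystem f2 = fsAs(frag2, conf);
    System.out.println("per-fragment ugi, same FileSystem instance: " + (f1 == f2));
    FileSystem.closeAllForUGI(frag1);
    FileSystem.closeAllForUGI(frag2);

    // Calling closeAllForUGI(daemonUgi) here would close the instance that every
    // other fragment in the daemon shares, so it is left open on purpose.
  }
}
```

The cache compares ugis by their underlying Subject, so two ugis created for the same user name are still distinct keys, while repeated doAs calls on one ugi map to one key.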