Posted to issues@livy.apache.org by "sdhalex (Jira)" <ji...@apache.org> on 2019/12/24 14:24:00 UTC
[jira] [Commented] (LIVY-49) Spark + Sentry + Kerberos don't add up?
[ https://issues.apache.org/jira/browse/LIVY-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17002856#comment-17002856 ]
sdhalex commented on LIVY-49:
-----------------------------
Excuse me, has this bug been fixed in a later version? Or do we still need to apply the same workaround, losing the ability to talk to Hive and HBase secure clusters? Thx. [~vanzin]
> Spark + Sentry + Kerberos don't add up?
> ---------------------------------------
>
> Key: LIVY-49
> URL: https://issues.apache.org/jira/browse/LIVY-49
> Project: Livy
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.1
> Reporter: Kostas Sakellis
> Priority: Major
>
> Filed by: https://github.com/Tagar
> https://github.com/cloudera/livy/issues/36
> Getting the following error stack:
> {code}
> The Spark session could not be created in the cluster:
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> at org.apache.spark.deploy.SparkSubmit$.doRunMain$1(SparkSubmit.scala:160)
> at org.apache.spark.deploy.SparkSubmit$.submit(SparkSubmit.scala:205)
> at org.apache.spark.deploy.SparkSubmit$.main(SparkSubmit.scala:120)
> at org.apache.spark.deploy.SparkSubmit.main(SparkSubmit.scala) )
> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:466)
> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:234)
> at org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:74)
> ... 35 more
> {code}
> My understanding is that hive.server2.enable.impersonation and hive.server2.enable.doAs should be enabled to make UserGroupInformation.doAs() work?
> When I try to enable these parameters, Cloudera Manager shows error:
> Hive Impersonation is enabled for Hive Server2 role 'HiveServer2 (hostname)'.
> Hive Impersonation should be disabled to enable Hive authorization using Sentry
> So Spark-Hive conflicts with Sentry?
> Environment: Hue 3.9 Spark Notebooks + Livy Server (built from master). CDH 5.5.
> This is a kerberized cluster with Sentry.
> P.S. I was using hue's keytab, as the hue user is normally (by default in CDH) allowed to impersonate other users. So very convenient for Spark Notebooks.