You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@livy.apache.org by "sdhalex (Jira)" <ji...@apache.org> on 2019/12/24 14:24:00 UTC

[jira] [Commented] (LIVY-49) Spark + Sentry + Kerberos don't add up?

    [ https://issues.apache.org/jira/browse/LIVY-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17002856#comment-17002856 ] 

sdhalex commented on LIVY-49:
-----------------------------

Excuse me,  has this bug been fixed in a later version?  Or need we still do the same workaround by losing ability to talk to Hive and HBase secure clusters ? Thx.  [~vanzin]
                             


> Spark + Sentry + Kerberos don't add up?
> ---------------------------------------
>
>                 Key: LIVY-49
>                 URL: https://issues.apache.org/jira/browse/LIVY-49
>             Project: Livy
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 0.1
>            Reporter: Kostas Sakellis
>            Priority: Major
>
> File by: https://github.com/Tagar
> https://github.com/cloudera/livy/issues/36
> Getting following error stack
> {code}
> The Spark session could not be created in the cluster: 
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671) 
>     at org.apache.spark.deploy.SparkSubmit$.doRunMain$1(SparkSubmit.scala:160) 
>     at org.apache.spark.deploy.SparkSubmit$.submit(SparkSubmit.scala:205) 
>     at org.apache.spark.deploy.SparkSubmit$.main(SparkSubmit.scala:120) 
>     at org.apache.spark.deploy.SparkSubmit.main(SparkSubmit.scala) ) 
>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:466) 
>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:234) 
>     at org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:74) 
>     ... 35 more
> {code}
> My understanding that hive.server2.enable.impersonation and hive.server2.enable.doAs should be enabled to make UserGroupInformation.doAs() work?
> When I try to enable these parameters, Cloudera Manager shows error:
> Hive Impersonation is enabled for Hive Server2 role 'HiveServer2 (hostname)'. 
> Hive Impersonation should be disabled to enable Hive authorization using Sentry
> So Spark-Hive conflicts with Sentry?
> Environment: Hue 3.9 Spark Notebooks + Livy Server (built from master). CDH 5.5.
> This is a kerberized cluster with Sentry.
> ps. I was using hue's keytab as hue user is normally (by default in CDH) is allowed to impersonate to other users. So very convenient for Spark Notebooks.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)