Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-15485

Investigate the DoAs failure in HoS

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.3.0
    • Spark
    • None

    Description

      With DoAs enabled, HoS failed with following errors:

      Exception in thread "main" org.apache.hadoop.security.AccessControlException: systest tries to renew a token with renewer hive
	at org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.renewToken(AbstractDelegationTokenSecretManager.java:484)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.renewDelegationToken(FSNamesystem.java:7543)
	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.renewDelegationToken(NameNodeRpcServer.java:555)
	at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.renewDelegationToken(AuthorizationProviderProxyClientProtocol.java:674)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.renewDelegationToken(ClientNamenodeProtocolServerSideTranslatorPB.java:999)
	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617)
	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2141)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2137)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1783)
	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2135)

      It is related to the change from HIVE-14383. It looks like that SparkSubmit logs in Kerberos with passed in hive principal/keytab and then tries to create a hdfs delegation token for user systest with renewer hive.

      Attachments

        1. HIVE-15485.1.patch
          3 kB
          Chaoyu Tang
        2. HIVE-15485.2.patch
          3 kB
          Chaoyu Tang
        3. HIVE-15485.patch
          3 kB
          Chaoyu Tang

        Issue Links

          is blocked by

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-14383 SparkClientImpl should pass principal and keytab to spark-submit instead of calling kinit explicitely

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HIVE-16930 HoS should verify the value of Kerberos principal and keytab file before adding them to spark-submit command parameters

          • Major - Major loss of function.
          • Closed

          Activity

            People

              ctang Chaoyu Tang
              ctang Chaoyu Tang
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: