[ATLAS-2548] Use of IBM JDK results in kafka login exceptions in a kerberized environment - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 0.8-incubating
Fix Version/s: None
Component/s: atlas-intg
Labels:
- security

Description

Our product uses IBM JDK while interacting with hive metastore directly to create metadata. When Atlas-Hive hook is enabled in kerberized environment, our application logs are filled with the following errors as the Kerberos login module is not found in the path specified by atlas application properties file. IBM JDK has some more restrictions on Kerberos support where some of the options supported by sun JDK are not available.

ERROR - Failed to notify atlas for entity [[{Id='(type: hive_db, id: <unassigned>)', traits=[], values={owner=bigsql, ownerType=1, qualifiedName=tpcdsorc1000@bigsql502

org.apache.kafka.common.KafkaException: Failed to construct kafka producer
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:338)
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:188)
    at org.apache.atlas.kafka.KafkaNotification.createProducer(KafkaNotification.java:289)
    at org.apache.atlas.kafka.KafkaNotification.sendInternal(KafkaNotification.java:210)
    at org.apache.atlas.notification.AbstractNotification.send(AbstractNotification.java:84)
    at org.apache.atlas.hook.AtlasHook.notifyEntitiesInternal(AtlasHook.java:133)
    at org.apache.atlas.hook.AtlasHook.notifyEntities(AtlasHook.java:118)
    at org.apache.atlas.hook.AtlasHook.notifyEntities(AtlasHook.java:171)
    at org.apache.atlas.hive.hook.HiveHook.access$300(HiveHook.java:83)
    at org.apache.atlas.hive.hook.HiveHook$3.run(HiveHook.java:221)
    at java.security.AccessController.doPrivileged(AccessController.java:686)
    at javax.security.auth.Subject.doAs(Subject.java:569)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
    at org.apache.atlas.hive.hook.HiveHook.notifyAsPrivilegedAction(HiveHook.java:233)
    at org.apache.atlas.hive.hook.HiveHook$2.run(HiveHook.java:203)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.lang.Thread.run(Thread.java:785)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:86)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:71)
    at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:85)
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
    ... 19 more
Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule

Attaching a patch to the defect we have tested to support IBM JDK and Kerberos on 0.8 level of Atlas

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

InMemoryJAASConfiguration.java.patch
09/Apr/18 19:20
5 kB
Sailaja Navvluru

Activity

People

Assignee:: Unassigned

Reporter:: Sailaja Navvluru

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Apr/18 19:25

Updated:: 08/Sep/18 00:34