Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-3413

Use DIGEST mechanism in creating Hive MetaStoreClient for proxy users when SASL authentication is enabled

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 1.1.0
    • Component/s: Storage - Hive
    • Labels:
      None

      Description

      Currently we fail to create HiveMetaStoreClient for proxy users when SASL authentication is enabled between HiveMeaStore server and clients. We fail to create the client because when SASL (kerberos or vendor specific custom SASL implementations) is enabled some vendor specific versions of Hive only accept DIGEST as the authentication mechanism for proxy client.

      To fix this issue:
      1. Drillbit need to create a HiveMetaStoreClient with its credentials (these are directly credentials and not proxy)
      2. Whenever Drillbit need to create a HiveMetaStoreClient for proxy user (user being impersonated), get the delegation token for proxy user from MetaStore server using the Drillbit process user HiveMetaStoreClient. Set this delegation token in a new HiveConf object and pass it to HiveMetaStoreClient.

        Attachments

          Activity

            People

            • Assignee:
              vkorukanti Venki Korukanti
              Reporter:
              vkorukanti Venki Korukanti
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: