Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-15485

Investigate the DoAs failure in HoS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0
    • Component/s: Spark
    • Labels:
      None

      Description

      With DoAs enabled, HoS failed with following errors:

      Exception in thread "main" org.apache.hadoop.security.AccessControlException: systest tries to renew a token with renewer hive
      	at org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.renewToken(AbstractDelegationTokenSecretManager.java:484)
      	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.renewDelegationToken(FSNamesystem.java:7543)
      	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.renewDelegationToken(NameNodeRpcServer.java:555)
      	at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.renewDelegationToken(AuthorizationProviderProxyClientProtocol.java:674)
      	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.renewDelegationToken(ClientNamenodeProtocolServerSideTranslatorPB.java:999)
      	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
      	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617)
      	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073)
      	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2141)
      	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2137)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.Subject.doAs(Subject.java:415)
      	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1783)
      	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2135)
      

      It is related to the change from HIVE-14383. It looks like that SparkSubmit logs in Kerberos with passed in hive principal/keytab and then tries to create a hdfs delegation token for user systest with renewer hive.

        Attachments

        1. HIVE-15485.2.patch
          3 kB
          Chaoyu Tang
        2. HIVE-15485.1.patch
          3 kB
          Chaoyu Tang
        3. HIVE-15485.patch
          3 kB
          Chaoyu Tang

          Issue Links

            Activity

              People

              • Assignee:
                ctang.ma Chaoyu Tang
                Reporter:
                ctang.ma Chaoyu Tang
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: