To reproduce ths issue, please do the following in secure hadoop/hbase cluster:
- On a gateway node, run kinit to obtain kerberos credentials and run a Pig script that includes a HBaseStorage load/store.
- In the front-end, HBaseStorage obtains a delegation token from hbase server and adds it to the JobConf object.
- In the back-end, mappers connect to hbase using the delegation token w/o kerberos credentials.
While load-from-hbase works perfectly fine, store-to-hbase fails. This is because at step 3, mappers attempt to obtain a delegation token from hbase in the back-end.
The problem is that mappers in the back-end don't have kerberos credentials, so the call to addHBaseDelegationToken() fails with the following error:
This is not an issue with load because a delegation token is only obtained in the front-end for the first time when HBASE_TOKEN_SET is not set.
The proposed fix is to modify addHBaseDelegationToken() so that tokens are obtained only if the current user has kerberos credentials, which is true in the front-end while false in the back-end.