Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-18061

Spark Thriftserver needs to create SPNego principal

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.1, 2.0.1
    • Fix Version/s: 2.3.0
    • Component/s: SQL
    • Labels:
      None

      Description

      Spark Thriftserver when running in HTTP mode with Kerberos enabled gives a 401 authentication error when receiving beeline HTTP request (with end user as kerberos principal). The similar command works with Hive Thriftserver.

      What we find is Hive thriftserver CLI service creates both hive service and SPNego principal when kerberos is enabled whereas Spark Thriftserver
      only creates hive service principal.

      CLIService.java
      if (UserGroupInformation.isSecurityEnabled()) {
            try {
              HiveAuthFactory.loginFromKeytab(hiveConf);
              this.serviceUGI = Utils.getUGI();
            } catch (IOException e) {
              throw new ServiceException("Unable to login to kerberos with given principal/keytab", e);
            } catch (LoginException e) {
              throw new ServiceException("Unable to login to kerberos with given principal/keytab", e);
            }
      
            // Also try creating a UGI object for the SPNego principal
            String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
            String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
            if (principal.isEmpty() || keyTabFile.isEmpty()) {
              LOG.info("SPNego httpUGI not created, spNegoPrincipal: " + principal +
                  ", ketabFile: " + keyTabFile);
            } else {
              try {
                this.httpUGI = HiveAuthFactory.loginFromSpnegoKeytabAndReturnUGI(hiveConf);
                LOG.info("SPNego httpUGI successfully created.");
              } catch (IOException e) {
                LOG.warn("SPNego httpUGI creation failed: ", e);
              }
            }
          }
      
      
      SparkSQLCLIService.scala
      if (UserGroupInformation.isSecurityEnabled) {
            try {
              HiveAuthFactory.loginFromKeytab(hiveConf)
              sparkServiceUGI = Utils.getUGI()
              setSuperField(this, "serviceUGI", sparkServiceUGI)
            } catch {
              case e @ (_: IOException | _: LoginException) =>
                throw new ServiceException("Unable to login to kerberos with given principal/keytab", e)
            }
          }
      
      

      The patch will add missing SPNego principal to Spark Thriftserver.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jerryshao Saisai Shao
                Reporter:
                cmirashi Chandana Mirashi
              • Votes:
                3 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: