diff --git a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
index 8352943..17913f0 100644
--- a/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
+++ b/llap-common/src/java/org/apache/hadoop/hive/llap/LlapUtil.java
@@ -57,15 +57,44 @@ public static String getDaemonLocalDirString(Configuration conf, String workDirs
 }
 }
+ /**
+ * Login using kerberos. But does not change the current logged in user.
+ *
+ * @param principal - kerberos principal
+ * @param keytabFile - keytab file
+ * @return UGI
+ * @throws IOException - if keytab file cannot be found
+ */
 public static UserGroupInformation loginWithKerberos(
- String principal, String keytabFile) throws IOException {
- if (!UserGroupInformation.isSecurityEnabled()) return null;
- if (principal.isEmpty() || keytabFile.isEmpty()) {
- throw new RuntimeException("Kerberos principal and/or keytab are empty");
- }
- LOG.info("Logging in as " + principal + " via " + keytabFile);
- return UserGroupInformation.loginUserFromKeytabAndReturnUGI(
- SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keytabFile);
+ String principal, String keytabFile) throws IOException {
+ if (!UserGroupInformation.isSecurityEnabled()) {
+ return null;
+ }
+ if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
+ throw new RuntimeException("Kerberos principal and/or keytab are null or empty");
+ }
+ final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
+ LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile);
+ return UserGroupInformation.loginUserFromKeytabAndReturnUGI(serverPrincipal, keytabFile);
+ }
+
+ /**
+ * Login using kerberos and also updates the current logged in user
+ *
+ * @param principal - kerberos principal
+ * @param keytabFile - keytab file
+ * @throws IOException - if keytab file cannot be found
+ */
+ public static void loginWithKerberosAndUpdateCurrentUser(String principal, String keytabFile) throws IOException {
+ if (!UserGroupInformation.isSecurityEnabled()) {
+ return;
+ }
+ if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
+ throw new RuntimeException("Kerberos principal and/or keytab is null or empty");
+ }
+ final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
+ LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile + " and updating current logged in user");
+ UserGroupInformation.loginUserFromKeytab(serverPrincipal, keytabFile);
 }
 private final static Pattern hostsRe = Pattern.compile("[^A-Za-z0-9_-]");
diff --git a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
index d90b156..b7e05d3 100644
--- a/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
+++ b/llap-server/src/java/org/apache/hadoop/hive/llap/daemon/impl/LlapDaemon.java
@@ -63,6 +63,7 @@
 import org.apache.hadoop.hive.ql.udf.generic.GenericUDFBridge;
 import org.apache.hadoop.hive.ql.udf.generic.GenericUDFBridge.UdfWhitelistChecker;
 import org.apache.hadoop.metrics2.util.MBeans;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.service.CompositeService;
 import org.apache.hadoop.util.ExitUtil;
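Review bot: In LlapUtil.java the new Javadoc on `loginWithKerberos` and `loginWithKerberosAndUpdateCurrentUser` leaves out the parts of the contract a caller is most likely to trip over: both return without logging in when `UserGroupInformation.isSecurityEnabled()` is false (the first returns null), and both throw an unchecked `RuntimeException`, not `IOException`, for a null or empty argument. I would add `@return the logged-in UGI, or null when Hadoop security is disabled` to the first and `@throws RuntimeException if principal or keytabFile is null or empty` to both. The second method's summary should also say that `UserGroupInformation.loginUserFromKeytab` replaces the login user for the whole JVM, so callers know the effect is not scoped to the calling thread. The two exception messages differ only by "are" versus "is"; using the same text in both would make log searches simpler.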
@@ -141,13 +142,20 @@ public LlapDaemon(Configuration daemonConf, int numExecutors, long executorMemor } String hostName = MetricsUtils.getHostName(); try { - daemonId = new DaemonId(UserGroupInformation.getCurrentUser().getShortUserName(), - LlapUtil.generateClusterName(daemonConf), hostName, appName, System.currentTimeMillis()); + // re-login with kerberos. This makes sure all daemons have the same login user. + if (UserGroupInformation.isSecurityEnabled()) { + final String daemonPrincipal = HiveConf.getVar(daemonConf, ConfVars.LLAP_KERBEROS_PRINCIPAL); + final String daemonKeytab = HiveConf.getVar(daemonConf, ConfVars.LLAP_KERBEROS_KEYTAB_FILE); + LlapUtil.loginWithKerberosAndUpdateCurrentUser(daemonPrincipal, daemonKeytab); + } + String currentUser = UserGroupInformation.getCurrentUser().getShortUserName(); + LOG.info("Starting daemon as user: {}", currentUser); + daemonId = new DaemonId(currentUser, LlapUtil.generateClusterName(daemonConf), + hostName, appName, System.currentTimeMillis()); } catch (IOException ex) { throw new RuntimeException(ex); } - this.maxJvmMemory = getTotalHeapSize(); this.llapIoEnabled = ioEnabled; this.executorMemoryPerInstance = executorMemoryBytes;
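Review bot: When security is enabled but `LLAP_KERBEROS_PRINCIPAL` or `LLAP_KERBEROS_KEYTAB_FILE` is unset, the daemon fails in the constructor with the generic "Kerberos principal and/or keytab is null or empty" raised inside LlapUtil, which does not tell the operator which settings to fix. A null-or-empty test right after the two `HiveConf.getVar` calls that names the keys would help, for example `throw new IllegalStateException(ConfVars.LLAP_KERBEROS_PRINCIPAL.varname + " and " + ConfVars.LLAP_KERBEROS_KEYTAB_FILE.varname + " must be set when security is enabled");`. The `SecurityUtil` import added in the preceding hunk is not used by any line visible in this hunk and may be unnecessary. The constructor body starts and ends outside the hunk.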