Uploaded image for project: 'Hue (READ ONLY)'
  1. Hue (READ ONLY)
  2. HUE-1037

Beeswax fails to connect secure remote metastore


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.0
    • Fix Version/s: 2.2.0
    • Component/s: con.hive
    • Labels:


      Beeswax creates a client session as hadoop proxy user. This works fine when dealing with HDFS and MR and allows users to run hive queries. The problem is when there's secure remote metastore, impersonated client session on HS2 can't establish a secure connection since it doesn't have the actual kerberos context of the user it impersonating.
      To solve the problem, BW needs to use delegation token to connect to secure remote metastore. The delegation token authentication is a two-party authentication protocol based on Java SASL Digest-MD5. The MetaStore already supports this and used by other clients like HCat.
      HS2 and BW need a metastore client created with its own kerberos credentials. Then use this client to request a delegation token on behalf of the user it's going to impersonate. This delegation token should then be saved in hive config.
      When the metastore client finds this token indicator in the configuration, it uses that to communicate with the metastore via DIGEST SASL mechanism instead of kerberos.




            • Assignee:
              prasadm Prasad Mujumdar
              prasadm Prasad Mujumdar
            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created: