apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

[KYUUBI #2156] Change log to reflect exactly why getting token failed

Browse Source 
### _Why are the changes needed?_

fix #2156

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #2157 from jiaoqingbo/2156.

Closes #2156

96a22e59 [jiaoqingbo] add link to doc
dc11a214 [jiaoqingbo] [KYUUBI #2156] Change log to reflect exactly why getting token failed

Authored-by: jiaoqingbo <1178404354@qq.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
This commit is contained in:
jiaoqingbo 2022-03-17 19:12:54 +08:00 committed by Cheng Pan
parent 36507f8efc
commit 31be7a30e8
No known key found for this signature in database
GPG Key ID: 8001952629BCC75D
2 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
docs/security/hadoop_credentials_manager.md
View File

@ -75,3 +75,16 @@ kyuubi\.credentials<br>\.hadoopfs\.uris|<div style='width: 65pt;word-wrap: break
kyuubi\.credentials<br>\.hive\.enabled|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>true</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>Whether to renew Hive metastore delegation token</div>|<div style='width: 30pt'>boolean</div>|<div style='width: 20pt'>1.4.0</div>
kyuubi\.credentials<br>\.renewal\.interval|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>PT1H</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>How often Kyuubi renews one user's delegation tokens</div>|<div style='width: 30pt'>duration</div>|<div style='width: 20pt'>1.4.0</div>
kyuubi\.credentials<br>\.renewal\.retry\.wait|<div style='width: 65pt;word-wrap: break-word;white-space: normal'>PT1M</div>|<div style='width: 170pt;word-wrap: break-word;white-space: normal'>How long to wait before retrying to fetch new credentials after a failure.</div>|<div style='width: 30pt'>duration</div>|<div style='width: 20pt'>1.4.0</div>
### Required Security Configs
The necessary configurations for hdfs and hive to obtain delegation token are as follows:
Key | Meaning | value
--- | --- | ---
<div style='width: 40pt;word-wrap: break-word;white-space: normal'>hadoop.security.authentication</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>Set the authentication for the cluster</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>kerberos</div>
<div style='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.uris</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>URI for client to contact metastore server</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>thrift://{metastoreHost}:{metastorePort}}</div>
<div style='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.sasl.enabled</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>true</div>
<div style='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.kerberos.principal</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>for example hive/_HOST@${realm}</div>
<div style='width: 40pt;word-wrap: break-word;white-space: normal'>hive.metastore.kerberos.keytab.file</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</div>|<div style='width: 40pt;word-wrap: break-word;white-space: normal'>for example /etc/security/keytabs/hive.service.keytab</div>

6
kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala
View File

@ -100,7 +100,11 @@ class HadoopCredentialsManager private (name: String) extends AbstractService(na
val required = provider.delegationTokensRequired()
if (!required) {
warn(s"Service ${provider.serviceName} does not require a token." +
s" Check your configuration to see if security is disabled or not.")
s" Check your configuration to see if security is disabled or not." +
s" If security is enabled, some configurations of ${provider.serviceName} " +
s" might be missing, please check the configurations in " +
s" https://kyuubi.readthedocs.io/en/latest/security" +
s"/hadoop_credentials_manager.html#required-security-configs")
provider.close()
}
required