From 31be7a30e8ea2715386fcffbb955ccb78b781bfb Mon Sep 17 00:00:00 2001 From: jiaoqingbo <1178404354@qq.com> Date: Thu, 17 Mar 2022 19:12:54 +0800 Subject: [PATCH] [KYUUBI #2156] Change log to reflect exactly why getting token failed ### _Why are the changes needed?_ fix #2156 ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #2157 from jiaoqingbo/2156. Closes #2156 96a22e59 [jiaoqingbo] add link to doc dc11a214 [jiaoqingbo] [KYUUBI #2156] Change log to reflect exactly why getting token failed Authored-by: jiaoqingbo <1178404354@qq.com> Signed-off-by: Cheng Pan --- docs/security/hadoop_credentials_manager.md | 13 +++++++++++++ .../credentials/HadoopCredentialsManager.scala | 6 +++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/security/hadoop_credentials_manager.md b/docs/security/hadoop_credentials_manager.md index 32ce02e99..6bc6be610 100644 --- a/docs/security/hadoop_credentials_manager.md +++ b/docs/security/hadoop_credentials_manager.md @@ -75,3 +75,16 @@ kyuubi\.credentials
\.hadoopfs\.uris|
true
|
Whether to renew Hive metastore delegation token
|
boolean
|
1.4.0
kyuubi\.credentials
\.renewal\.interval|
PT1H
|
How often Kyuubi renews one user's delegation tokens
|
duration
|
1.4.0
kyuubi\.credentials
\.renewal\.retry\.wait|
PT1M
|
How long to wait before retrying to fetch new credentials after a failure.
|
duration
|
1.4.0
+ + +### Required Security Configs + +The necessary configurations for hdfs and hive to obtain delegation token are as follows: + +Key | Meaning | value +--- | --- | --- +
hadoop.security.authentication
|
Set the authentication for the cluster
|
kerberos
+
hive.metastore.uris
|
URI for client to contact metastore server
|
thrift://{metastoreHost}:{metastorePort}}
+
hive.metastore.sasl.enabled
|
If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.
|
true
+
hive.metastore.kerberos.principal
|
The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
|
for example hive/_HOST@${realm}
+
hive.metastore.kerberos.keytab.file
|
The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
|
for example /etc/security/keytabs/hive.service.keytab
\ No newline at end of file diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala index 2ebda604a..fafa655c2 100644 --- a/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala +++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala @@ -100,7 +100,11 @@ class HadoopCredentialsManager private (name: String) extends AbstractService(na val required = provider.delegationTokensRequired() if (!required) { warn(s"Service ${provider.serviceName} does not require a token." + - s" Check your configuration to see if security is disabled or not.") + s" Check your configuration to see if security is disabled or not." + + s" If security is enabled, some configurations of ${provider.serviceName} " + + s" might be missing, please check the configurations in " + + s" https://kyuubi.readthedocs.io/en/latest/security" + + s"/hadoop_credentials_manager.html#required-security-configs") provider.close() } required