2

I've got HDP3 kerberized cluster.

The question is - how can I create delegation token for user that doesn't have keytab?

With that user I want to retrieve information from Metastore and run SQL queries on Hive tables.

Property hive.cluster.delegation.token.store.class equals to org.apache.hadoop.hive.thrift.ZooKeeperTokenStore

Znodes /hive/cluster/delegationHIVESERVER2/tokens and /hive/cluster/delegationMETASTORE/tokens are empty.

I've found information about how to generate DT for HDFS.

But for Hive there is info only about how to get that token, it means, that the token already exists. But how to create one?

Markiza
  • 444
  • 1
  • 5
  • 18
  • IMHO you will have to dig into the source code of projects that use a Metastore token (i.e. Spark and Oozie) or a HS2 token (i.e. Oozie). The Spark "client" uses a Kerberos ticket to retrieve various tokens, then make these tokens available to the driver and the executors. The Oozie server uses its own Kerberos ticket and its "proxy account" privileges to get tokens on behalf of the job user, depending on which "credentials" are requested for that job. – Samson Scharfrichter Oct 15 '19 at 19:10
  • For Oozie, a "functional" intro to `credentials` http://oozie.apache.org/docs/5.0.0/DG_ActionAuthentication.html >> the source code for class `HCatCredentialHelper` on branch Master https://github.com/apache/oozie/blob/master/core/src/main/java/org/apache/oozie/action/hadoop/HCatCredentialHelper.java – Samson Scharfrichter Oct 15 '19 at 19:21

0 Answers0