[IMPALA-3554] Use catalog's principal to talk to sentry in kerberized Impala clusters - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: Impala 2.2, Impala 2.3.0, Impala 2.5.0, Impala 2.4.0, Impala 2.6.0
Fix Version/s: Impala 2.6.0
Component/s: Catalog
Labels:
None

Description

Currently we use the OS username which spawns the catalog process to interact with Sentry [1]. In kerberized clusters, this should be extracted from the principal. In most CM managed clusters, this shouldn't matter, as both the usernames are same. However some setups may not choose to use this default config.

Workaround: Grant the OS username the required super user permissions till this is fixed.

<property>
<name>hadoop.user.group.static.mapping.overrides</name>
<value><username>=<SENTRY_ADMIN_GROUP></value>
</property>

[1] https://github.com/cloudera/Impala/blob/cdh5-trunk/fe/src/main/java/com/cloudera/impala/util/SentryProxy.java#L70

Attachments

Activity

People

Assignee:: Bharath Vissapragada

Reporter:: Bharath Vissapragada

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/May/16 09:19

Updated:: 25/May/16 11:09

Resolved:: 25/May/16 11:08